A new type of virus which can bypass DeepFreeze protection is causing big troubles to Internet shops. First emerged in early March 2009, there have been 174 variants of this Chinese origin virus found on the Internet so far.
DeepFreeze is popular software used in Internet shops. The software can monitor any change in sectors (data storage area) in hard disk partitions and save the changes in another area (buffer). When normal programs retrieve these sectors, they will reach the data in the buffer rather than in the original sectors. When the system reboots, temporary data in the buffer will be deleted and the the system is restored to the original state. When DeepFreeze is installed in computers, Internet shop owners often believe that their systems are protected against virus risk as the clean original state can be restored after reboot.
However, W32.SafeSys.Worm employs a technique that enables it to write data directly on hard disk’s sectors by sending request for direct interaction with disk Controller. In this way, W32.SafeSys.Worm can write data on the disk while leaving no clue for system frozen programs like DeepFreeze.
After bypassing DeepFreeze and successfully infects your computer, W32.SafeSys.Worm will continue its malicious tasks like: stealing online games passwords, faking gateway, inserting iframe exploiting software flaws to spread via LAN, spreading via USB and automatically updating new variants. A number of Internet shops which put too much trust in DeepFreeze and not employ any other protection method have become W32.SafeSys.Worm’s victims. According to Bkis’ statistics, as many as 46.000 computers in Vietnam have been infected with this virus.
If your Internet shop experiences the same problem involving this virus, you should update the latest Bkav version at here to deal with the problem.
By Vu Ngoc Son, Senior Malware Researcher - Bkis