Parite

Category: file_infector · Aliases: None known · Sample count (EMBER 2018): 163 · Enrichment: expert-seo · Updated: 2026-06-09

Overview

Virus:Win32/Parite (often Win32/Parite.B) is a highly pervasive, extremely polymorphic executable file infector (virus) that aggressively self-replicates by injecting its malicious code into every .exe and .scr file on local and networked drives.

Understanding Parite
To the end-user, a Parite infection causes widespread software corruption, bizarre application crashes, and extreme system slowdowns. For incident responders, Parite is a nightmare scenario of lateral movement and file destruction. Unlike modern trojans that hide, Parite is a true virus; its primary goal is aggressive propagation. It employs extreme polymorphism, meaning the viral code it injects into each executable is encrypted differently every single time, making standard hash-based detection entirely useless.

Execution and Evasion Strategies
Parite primarily spreads by users executing an already infected file, often from shared network drives. Upon execution, the virus becomes memory-resident. It immediately drops a randomly named, highly obfuscated DLL (e.g., xxx.tmp) into the Windows %Temp% directory and injects it into the explorer.exe process. From this trusted process, Parite aggressively scans all local drives and mapped network shares, targeting and infecting every executable file it finds. It appends its encrypted viral body to the end of the legitimate file and modifies the entry point to execute the virus before the original application.

Indicators of Compromise & Impact
The impact is massive operational disruption and file corruption. EDR platforms frequently trigger a flood of alerts for 'Suspicious File Modification' or 'Executable Entry Point Altered' as Parite rapidly rewrites thousands of files. Incident responders will notice legitimate applications suddenly increasing in size. The presence of randomly named, locked .tmp DLL files in the Temp directory is a classic Parite IoC.

MITRE ATT&CK Techniques

Observed techniques used by this family, mapped to the MITRE ATT&CK framework:

TechniqueNameTactic
T1091Replication Through Removable MediaLateral Movement
T1055.001Process Injection: Dynamic-link Library InjectionDefense Evasion
T1027.002Obfuscated Files or Information: Software PackingDefense Evasion
T1485Data DestructionImpact
T1129Shared ModulesExecution

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_PARITE {
    meta:
        description = "Detects Parite (file_infector)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "parite" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Parite Activity
id: 89735f58503b4520b7ec1e58aa569be2
status: experimental
description: Detects generic indicators of the parite malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*parite*"
    condition: selection
level: medium

Containment & Response Steps

Ordered checklist for responders. Adapt to your environment and engage professional support for active incidents.

  1. Instantly sever the endpoint from the network to prevent the virus from iterating over open SMB shares and infecting files on central servers.
  2. Do not execute any files on the infected system, as running an infected file simply re-triggers the memory-resident infection cycle.
  3. Boot the infected machine from a known-clean, write-protected live OS (like a Linux Live USB) to safely scan and disinfect the drive offline.
  4. Utilize a specialized antivirus disinfection tool capable of carefully decrypting the polymorphic Parite body, stripping it, and restoring the original entry points.

What to Avoid

Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.

  1. Do not attempt to manually clean the machine while booted into the infected OS; the memory-resident virus will instantly reinfect files as you clean them.
  2. Avoid relying solely on file deletion; deleting infected files means deleting legitimate applications. Proper disinfection is required to save the data.

References & External Analysis

Related Families (Category: file_infector)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/parite.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.