Virus:Win32/Xpaj.gen!C
First posted on 29 March 2012.
Source: Microsoft
Aliases:
There are no other names known for Virus:Win32/Xpaj.gen!C.
Explanation:
Virus:Win32/Xpaj.gen!C is a polymorphic, entry point obscuring (EPO) virus that infects Windows PE files. An EPO infector does not redirect the PE entry point to the virus body; it leaves the entry point untouched and hijacks control somewhere inside the host's existing code, so the infected program starts normally and the virus gains control later. This makes the infection harder to spot than a classic entry-point patch. The main infection routine is hidden behind virtualized code: instead of native instructions, it is stored as bytecode that an interpreter embedded in the virus executes at run time, so the routine is not visible to a disassembler until the interpreter is understood.
The virus also attempts to download additional files from remote hosts.
Installation
When an infected file runs, Virus:Win32/Xpaj.gen!C writes a temporary copy of each file it is about to infect into the %Temp% folder (see File infection below).
Spreads via...
File infection
Win32/Xpaj.gen!C infects files with the following file extensions:
- .exe
- .dll
- .scr
- .sys
The virus attempts to infect files in the following folders:
- %ProgramFiles%
- %windir%
It walks the sub-folders of these locations and chooses victim files at random from the applications installed on the computer, so which programs end up infected varies from one machine to another.
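Because the virus picks victims at random under these roots, a practitioner checking a host wants an inventory of every file of the targeted types under %ProgramFiles% and %windir% and a diff against a known-clean snapshot. The following is an added example, not code from the original page or from Microsoft: it hashes every .exe/.dll/.scr/.sys file under the given roots and reports what changed relative to an earlier baseline. The JSON snapshot format, the command-line interface and the assumption that the baseline was taken from a clean state are all mine.

```python
"""Hash-baseline check for the file types and folders Win32/Xpaj.gen!C targets.

Added example, not code from the page or from Microsoft. It walks the given
roots (on a real host: %ProgramFiles% and %windir%), hashes every
.exe/.dll/.scr/.sys file and diffs the result against an earlier snapshot.
The snapshot format and CLI are assumptions made for illustration.
"""
import hashlib
import json
import os
import sys
from pathlib import Path

# Extensions the virus infects, as listed on the page.
TARGET_EXTENSIONS = {".exe", ".dll", ".scr", ".sys"}

# Folders the virus traverses; environment lookups fall back to the usual paths.
DEFAULT_ROOTS = [
    os.environ.get("ProgramFiles", r"C:\Program Files"),
    os.environ.get("windir", r"C:\Windows"),
]


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(roots) -> dict:
    """Map every target-extension file under the roots to its SHA-256 digest."""
    digests = {}
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                p = Path(dirpath) / name
                if p.suffix.lower() in TARGET_EXTENSIONS and p.is_file():
                    try:
                        digests[str(p)] = sha256_of(p)
                    except OSError:
                        # Locked or unreadable files are recorded, not silently skipped.
                        digests[str(p)] = "UNREADABLE"
    return digests


def compare(baseline: dict, current: dict) -> dict:
    """Classify each path as modified, new or missing relative to the baseline."""
    return {
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "new": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def save_baseline(digests: dict, path: Path) -> None:
    path.write_text(json.dumps(digests, indent=1))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


if __name__ == "__main__":
    # Usage (assumed CLI):  script.py snapshot baseline.json [roots...]
    #                       script.py check    baseline.json [roots...]
    mode, baseline_file = sys.argv[1], Path(sys.argv[2])
    roots = sys.argv[3:] or DEFAULT_ROOTS
    if mode == "snapshot":
        save_baseline(snapshot(roots), baseline_file)
    elif mode == "check":
        report = compare(load_baseline(baseline_file), snapshot(roots))
        print(json.dumps(report, indent=1))
```

The baseline is only as good as the state it was taken in: take it from a freshly built image or a clean boot environment, and keep it off the host, since a file infector running on the machine could otherwise rewrite the snapshot as easily as the binaries.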
Win32/Xpaj.gen!C does not modify the target file in place. Instead, it uses the following process to decide which files to infect and how:
- Opens the targeted file in read-only mode.
- Decides whether or not to infect the targeted file.
- If so, copies the target file to the %Temp% folder under a temporary file name (for example, %temp%\<hex value>.tmp).
- Infects this copy of the file.
- Overwrites the original file with the infected copy.
- Deletes the temporary file from the %Temp% folder.
Note: Because deleting the temporary file is the final step, no clean copies of the original files remain in %Temp% once infection is complete. Recovering an infected program therefore requires a backup or a clean installation source, not the infected host.
The virus does not infect protected Windows files.
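The infection sequence above is a behavioural chain a detection engineer can look for: one process creates %Temp%\<hex>.tmp, then overwrites a .exe/.dll/.scr/.sys under %ProgramFiles% or %windir%, then deletes the .tmp. The following is an added example, not code from the page or from Microsoft, that correlates such a chain per process over a constructed list of file-activity events. The event shape (pid, image, op, path) loosely follows what an endpoint sensor such as Sysmon records for file create and delete, but the field names, the "write" operation, the C: drive roots and the rule that any folder named temp counts as %Temp% are my assumptions.

```python
"""Per-process sequence detection for the Xpaj infection chain described above.

Added example, not code from the page or from Microsoft. It replays constructed
file-activity events and flags a process that performs the page's sequence:
create %Temp%\<hex>.tmp, overwrite a target PE under the traversed roots, then
delete the .tmp. Event fields, roots and the temp-folder rule are assumptions.
"""
import re
from collections import defaultdict

# Extensions the virus infects, from the page.
TARGET_EXTENSIONS = (".exe", ".dll", ".scr", ".sys")
# Normalised prefixes of the folders the virus traverses; the C: drive is assumed.
TARGET_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# %Temp%\<hex value>.tmp from the page; "any folder named temp" is an approximation
# so that both the user %Temp% and C:\Windows\Temp match.
TEMP_PATTERN = re.compile(r"\\temp\\[0-9a-f]+\.tmp$")


def norm(path: str) -> str:
    """Lower-case, backslash-only form so comparisons are case-insensitive."""
    return path.replace("/", "\\").lower()


def is_target_pe(path: str) -> bool:
    p = norm(path)
    return p.endswith(TARGET_EXTENSIONS) and p.startswith(TARGET_ROOTS)


def detect(events):
    """Return one finding per completed create-tmp / overwrite-PE / delete-tmp chain.

    pending[pid] maps each outstanding .tmp path to the target PE that was
    overwritten while the .tmp existed (None until that happens).
    """
    pending = defaultdict(dict)
    findings = []
    for ev in events:
        pid, op, path = ev["pid"], ev["op"], norm(ev["path"])
        if op == "create" and TEMP_PATTERN.search(path):
            pending[pid][path] = None
        elif op == "write" and is_target_pe(path):
            for temp, target in pending[pid].items():
                if target is None:
                    pending[pid][temp] = path
        elif op == "delete" and path in pending[pid]:
            target = pending[pid].pop(path)
            if target is not None:
                findings.append({"pid": pid, "image": ev.get("image"),
                                 "temp": path, "target": target})
    return findings


# Constructed sample events, not real telemetry.
EDITOR = r"C:\Program Files\Editor\editor.exe"
SAMPLE_EVENTS = [
    # Benign: an installer drops a new executable with no %Temp% shuffle.
    {"pid": 1200, "image": r"C:\Setup\installer.exe", "op": "write",
     "path": r"C:\Program Files\Vendor\tool.exe"},
    # Suspicious: the page's sequence, performed by an already infected host program.
    {"pid": 4412, "image": EDITOR, "op": "create",
     "path": r"C:\Users\alice\AppData\Local\Temp\3f9a1c.tmp"},
    {"pid": 4412, "image": EDITOR, "op": "write",
     "path": r"C:\Users\alice\AppData\Local\Temp\3f9a1c.tmp"},
    {"pid": 4412, "image": EDITOR, "op": "write",
     "path": r"C:\Program Files\Vendor\helper.dll"},
    {"pid": 4412, "image": EDITOR, "op": "delete",
     "path": r"C:\Users\alice\AppData\Local\Temp\3f9a1c.tmp"},
    # Benign: a .tmp created and deleted without any target PE being touched.
    {"pid": 900, "image": r"C:\Windows\explorer.exe", "op": "create",
     "path": r"C:\Users\alice\AppData\Local\Temp\ab12.tmp"},
    {"pid": 900, "image": r"C:\Windows\explorer.exe", "op": "delete",
     "path": r"C:\Users\alice\AppData\Local\Temp\ab12.tmp"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"pid {f['pid']} ({f['image']}) overwrote {f['target']} via {f['temp']}")
```

The rule deliberately requires all three steps from one process before it fires: installers and updaters routinely overwrite PE files under Program Files, and many programs create and remove .tmp files, so either half on its own would be noisy. The note about protected Windows files above also suggests a cheap allow-list, since overwrites of files under Windows File Protection by legitimate servicing will not come from the hijacked application process.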
Payload
Downloads arbitrary files
Win32/Xpaj.gen!C downloads files from hosts whose names are either hard-coded in the virus or generated at run time, such as infoserv52.com.
Files that are successfully downloaded to the computer are immediately executed.
Analysis by Zarestel Ferrer
Last update 29 March 2012