
Virus:Win32/Xpaj.gen!C


First posted on 29 March 2012.
Source: Microsoft

Aliases:

There are no other names known for Virus:Win32/Xpaj.gen!C.

Explanation:

Virus:Win32/Xpaj.gen!C is a polymorphic, entry point obscuring (EPO) virus that infects Windows PE files. EPO means that the point at which the virus inserts itself into the infected file is obscured, in an attempt to make the infection more difficult to detect. It uses virtualized code in order to hide its main infection routine.



The virus also attempts to download additional files from remote hosts.



Installation

During execution of an infected file, Virus:Win32/Xpaj.gen!C copies the target file as a temporary file into the %Temp% folder.

Spreads via...

File infection

Win32/Xpaj.gen!C infects files with the following file extensions:

  • .exe
  • .dll
  • .scr
  • .sys


The virus attempts to infect files in the following folders:

  • %ProgramFiles%
  • %windir%


It traverses the sub-folders of the folders listed in order to randomly infect applications that are used on the computer.

Rather than modifying files in place, Win32/Xpaj.gen!C uses the following process to decide which files to infect and how:

  1. Opens the targeted file in read-only mode.
  2. Decides whether or not to infect the targeted file.
    If so, it copies the target file to the %Temp% folder with a temporary file name (for example, %temp%\<hex value>.tmp).
  3. Infects this copy of the file.
  4. Overwrites the original file with the infected copy.
  5. Deletes the temporary file from the %Temp% folder.


Note: During the file infection process, the virus deletes the temporary file; hence, after infection is completed, no clean copies of the original files remain in %Temp%.

The virus does not infect protected Windows files.
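The infection procedure above (create a %Temp%\<hex>.tmp copy, overwrite the original .exe/.dll/.scr/.sys under %ProgramFiles% or %windir%, delete the .tmp) is a sequence a defender can look for in file-activity telemetry. The following is an added example written for this page, not code from Microsoft or the original write-up: it runs a per-process state machine over constructed file events and flags processes that follow that create-write-delete pattern. The event record layout, the per-user Temp path under AppData, the expanded folder prefixes for %ProgramFiles% and %windir%, and the attribution of a target write to the newest open .tmp of the same process are all assumptions; adapt them to whatever your file-monitoring source records.

```python
import re
from dataclasses import dataclass

# Targeting scope taken from the page: the extensions and folders Win32/Xpaj.gen!C
# infects. The folder prefixes are the usual expansions of %ProgramFiles% and
# %windir% (an assumption; expand the environment variables on a real host).
TARGET_EXTENSIONS = (".exe", ".dll", ".scr", ".sys")
TARGET_FOLDERS = ("c:\\program files\\", "c:\\windows\\")

# %Temp%\<hex value>.tmp as described on the page, assuming the per-user Temp
# directory under AppData (an assumption; adjust to the Temp path in your logs).
TEMP_TMP_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\[0-9a-f]+\.tmp$")


@dataclass(frozen=True)
class FileEvent:
    seq: int      # ordering key, e.g. the event record number (assumed format)
    pid: int      # process that performed the file operation
    action: str   # "create", "write" or "delete"
    path: str


def is_target_path(path: str) -> bool:
    """True if path is an .exe/.dll/.scr/.sys under %ProgramFiles% or %windir%."""
    p = path.lower()
    return p.startswith(TARGET_FOLDERS) and p.endswith(TARGET_EXTENSIONS)


def is_temp_tmp(path: str) -> bool:
    """True if path looks like %Temp%\\<hex>.tmp."""
    return TEMP_TMP_RE.match(path.lower()) is not None


def find_xpaj_pattern(events):
    """Return (pid, temp_path, target_path) for every process that creates a
    %Temp%\\<hex>.tmp, then writes a target executable, then deletes that .tmp.
    Events are processed in seq order; state is kept per process."""
    hits = []
    # (pid, lower-cased temp path) -> target path written while the .tmp was open, or None
    pending = {}
    for ev in sorted(events, key=lambda e: e.seq):
        key = (ev.pid, ev.path.lower())
        if ev.action == "create" and is_temp_tmp(ev.path):
            pending[key] = None
        elif ev.action == "write" and is_target_path(ev.path):
            # Attribute the write to the newest still-open .tmp of this process
            # (dict preserves insertion order, so the last match is the newest).
            open_tmps = [k for k, v in pending.items() if k[0] == ev.pid and v is None]
            if open_tmps:
                pending[open_tmps[-1]] = ev.path
        elif ev.action == "delete" and key in pending:
            target = pending.pop(key)
            if target is not None:
                hits.append((ev.pid, ev.path, target))
    return hits


# Constructed sample telemetry: one process showing the infection pattern twice,
# and a benign installer that also writes under Program Files but never touches
# a hex-named .tmp or an executable.
SAMPLE_EVENTS = [
    FileEvent(1, 4120, "create", r"C:\Users\alice\AppData\Local\Temp\3f9a1c.tmp"),
    FileEvent(2, 4120, "write",  r"C:\Program Files\Acme\acme.exe"),
    FileEvent(3, 4120, "delete", r"C:\Users\alice\AppData\Local\Temp\3f9a1c.tmp"),
    FileEvent(4, 2210, "create", r"C:\Users\alice\AppData\Local\Temp\setup_log.txt"),
    FileEvent(5, 2210, "write",  r"C:\Program Files\Acme\readme.txt"),
    FileEvent(6, 4120, "create", r"C:\Users\alice\AppData\Local\Temp\7b2e.tmp"),
    FileEvent(7, 4120, "write",  r"C:\Windows\System32\drivers\foo.sys"),
    FileEvent(8, 4120, "delete", r"C:\Users\alice\AppData\Local\Temp\7b2e.tmp"),
]


if __name__ == "__main__":
    for pid, tmp, target in find_xpaj_pattern(SAMPLE_EVENTS):
        print(f"pid {pid}: {tmp} -> {target}")
```

Because the page notes that the temporary copy is deleted once infection completes, the create/delete pair is only visible in telemetry captured while it happens (a file-system audit or EDR file-event source); scanning %Temp% after the fact finds nothing. Pair this with an integrity baseline of the target folders to identify which executables were actually rewritten.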



Payload

Downloads arbitrary files

Win32/Xpaj.gen!C downloads files from hard-coded or randomly generated websites, such as infoserv52.com.

Files that are successfully downloaded to the computer are immediately executed.



Analysis by Zarestel Ferrer

Last update 29 March 2012
