
MSIL.Cxover.A


First posted on 21 November 2011.
Source: BitDefender

Aliases :

MSIL.Cxover.A is also known as Cxover.A, WORM_CXOVER.A.

Explanation :

The virus spreads from desktop systems running Windows with .NET to mobile devices attached to the system that are accessible through RAPI (Remote API).

When executed, the virus checks whether it is running on a Mobile / CE version of Windows (on a mobile device) or on a desktop system.

If it is running on a mobile device, the virus executes the following steps:
- deletes all files recursively from My Documents
- processes all directories under the current root (\) and creates one copy of the virus under Windows with a random name ([random-number].exe)
- creates a shortcut under \Windows\Startup for the new exe to ensure automatic execution of the virus on the next reboot

If it is running on a desktop system, the virus executes the following steps:
- creates a new copy of the virus under Windows with a random name ([random-nr].exe)
- creates an entry under SOFTWARE\Microsoft\Windows\CurrentVersion\Run to ensure automatic execution of the virus on the next reboot
- opens a RAPI (Remote API) connection and waits until a mobile device is available
- moves a copy of the virus to the mobile device under \Windows\[random-nr].exe
- executes the new copy of the virus on the mobile device

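A triage check for the desktop-side persistence described above, as an added example that is not part of the original write-up: it parses `reg query` output for the Run key and flags values that launch an all-digit `.exe` directly from the Windows directory. Reading `[random-nr]` as digits only is an assumption, and the registry text in `SAMPLE` is constructed for illustration.

```python
import re

# Assumption: "[random-nr].exe" means an all-digit file name placed directly
# in the Windows directory; the page gives no length or number format.
NUMERIC_EXE = re.compile(
    r'^(?:[a-z]:\\windows|%(?:windir|systemroot)%)\\(\d+\.exe)$', re.I)
# `reg query` prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r'^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$')


def command_path(data):
    """Return the executable path from a Run value, dropping quotes and arguments."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    m = re.match(r'(.+?\.exe)(?:\s|$)', data, re.I)
    return m.group(1) if m else data


def suspicious_run_values(reg_query_output):
    """Return (value_name, path) for Run entries matching the described pattern."""
    hits = []
    for line in reg_query_output.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue  # key header or blank line
        name, _type, data = m.groups()
        path = command_path(data)
        if NUMERIC_EXE.match(path):
            hits.append((name.strip(), path))
    return hits


# Constructed sample in the layout printed by `reg query <key>`.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Updater    REG_SZ    "C:\Program Files\Vendor\update.exe" /silent
    48213907    REG_SZ    C:\WINDOWS\48213907.exe
    Sync Helper    REG_SZ    "C:\Windows\7731.exe" -q
"""

if __name__ == "__main__":
    for name, path in suspicious_run_values(SAMPLE):
        print(f"review: {name!r} -> {path}")
```

A hit is a lead for review, not a verdict: confirm the file's origin and signature before acting on it.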
The virus contains the following message:

"the crossover virus - poc - by Dr. Julius Storm - The great walls of China that separated
the domains between wired and wireless, desktop and handhelds have been reduce to ruble.
Vxers are entering a new era of greater vx possibilities with the chance of reaching more
systems around the world than ever before. The viruses of the past are nothing compared
to what the future holds. 2006 marks the establishment of a New Cyberworld Order with
vxers around the world united at the forefront. The time is now to prepare and defend,
are you ready?"

Last update 21 November 2011

 
