
Virus:Win32/Xpaj.B


First posted on 04 January 2013.
Source: Microsoft

Aliases:

Virus:Win32/Xpaj.B is also known as W32/Xpaj.D (Command), Virus.Win32.Xpaj.genc (Kaspersky), Win32/Xpaj (AVG), W32/Xpaj.D (Avira), Win32.Xpaj.1 (Dr.Web), Win32/Goblin.E.Gen virus (ESET), Virus.Win32.Xpaj (Ikarus), W32/XPaj.C (McAfee), Mal/Xpaj-B (Sophos), W32.Xpaj.B (Symantec), PE_XPAJ.C (Trend Micro).

Explanation:

Installation

Virus:Win32/Xpaj.B may arrive on your computer via drive-by download.

It first creates a file in the %windir% folder with the following naming format:

<random letters>.<random letters>.tmp, for example, %windir%\sqna.oci.tmp.

The virus uses this file as an infection marker: its presence is how the virus recognizes a machine it has already infected, so a file of this shape in %windir% is a quick triage indicator.

Spreads via...

File infection

Virus:Win32/Xpaj.B infects files with the following file extensions:

  • EXE
  • DLL
  • SCR
  • SYS


Virus:Win32/Xpaj.B targets files to infect in the <system folder> and %ProgramFiles% folder. It cycles through these folders recursively, creating a list of acceptable files (those that have the file extensions listed above) in these folders, and their subfolders, then randomly chooses files to infect from this list.

Virus:Win32/Xpaj.B does not infect protected Windows files (those covered by Windows File Protection / Windows Resource Protection).
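The two host-side observables above, the infection marker in %windir% and the recursive selection of EXE/DLL/SCR/SYS files under the system folder and %ProgramFiles%, can be turned into a triage check. The script below is an added example written for this page, not code from Microsoft's analysis or from the virus: it looks for marker-shaped file names, enumerates the same candidate set the virus builds, and compares SHA-256 hashes against a baseline taken from a known-clean image so that infected (modified) binaries stand out. The directory layout, file contents and the "infection" in `demo()` are constructed stand-ins for %windir%, <system folder> and %ProgramFiles%; the check for protected Windows files is not reproduced here, since the defensive inventory should hash every candidate regardless.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Extensions Win32/Xpaj.B targets for infection (from the description).
TARGET_EXTS = {".exe", ".dll", ".scr", ".sys"}

# Infection marker: <random letters>.<random letters>.tmp directly in %windir%.
MARKER_RE = re.compile(r"^[A-Za-z]+\.[A-Za-z]+\.tmp$")


def find_marker_files(windir):
    """Return file names directly under `windir` that fit the marker pattern."""
    windir = Path(windir)
    return sorted(p.name for p in windir.iterdir()
                  if p.is_file() and MARKER_RE.match(p.name))


def enumerate_targets(*roots):
    """Recursively list files with the targeted extensions under each root,
    i.e. the same candidate list the virus builds, used here for inventory."""
    out = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if os.path.splitext(name)[1].lower() in TARGET_EXTS:
                    out.append(os.path.join(dirpath, name))
    return sorted(out)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(*roots):
    """Map each candidate file to its SHA-256 (capture this from a clean image)."""
    return {p: sha256_of(p) for p in enumerate_targets(*roots)}


def diff_against_baseline(baseline, *roots):
    """Report candidate files whose hash changed, and files new since the baseline."""
    current = build_baseline(*roots)
    changed = sorted(p for p, h in current.items()
                     if p in baseline and baseline[p] != h)
    added = sorted(p for p in current if p not in baseline)
    return changed, added


def demo():
    """Constructed sample tree (assumption: stands in for the real folders)."""
    tmp = Path(tempfile.mkdtemp())
    windir = tmp / "Windows"
    system32 = windir / "System32"
    progfiles = tmp / "Program Files" / "App"
    for d in (system32, progfiles):
        d.mkdir(parents=True)
    (system32 / "calc.exe").write_bytes(b"MZ" + b"\x00" * 64)
    (system32 / "drivers.sys").write_bytes(b"MZ" + b"\x00" * 32)
    (progfiles / "app.dll").write_bytes(b"MZ" + b"\x01" * 48)
    (progfiles / "readme.txt").write_bytes(b"not a target")  # ignored: not a target ext
    baseline = build_baseline(system32, progfiles)

    # Simulate what an infection leaves behind: the marker plus one modified target.
    (windir / "sqna.oci.tmp").write_bytes(b"")
    (windir / "legit.tmp").write_bytes(b"")  # one component only: not marker-shaped
    with open(progfiles / "app.dll", "ab") as f:
        f.write(b"\xcc" * 16)

    markers = find_marker_files(windir)
    changed, added = diff_against_baseline(baseline, system32, progfiles)
    return markers, [os.path.basename(p) for p in changed], added


if __name__ == "__main__":
    print(demo())
```

On a live host, point `find_marker_files` at `%windir%` and `diff_against_baseline` at `%windir%\System32` and `%ProgramFiles%`, with the baseline taken from the same build before the incident; a marker file together with changed hashes on EXE/DLL/SCR/SYS files is the combination this description predicts.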

Removable and network drives

Virus:Win32/Xpaj.B infects files on removable and network drives. It also copies itself to removable drives under various file names and creates an Autorun file so that, where Autorun is enabled, the copy runs whenever the drive is opened.
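The description names the Autorun file but not its contents, so the example below is an added one written for this page and assumes the standard autorun.inf format (an INI-style file whose `open`, `shellexecute` and `shell\<verb>\command` directives are the ones that launch a program); the sample file, the RECYCLER path and the name xkzq.exe are constructed, not captured from Xpaj.B. It parses the file and reports every directive that would run code, which is what a responder wants when a suspect drive is pulled. Note that Microsoft's 2011 AutoRun update (KB971029) disabled AutoRun for non-optical removable drives on supported Windows versions, so this spreading mechanism only works on machines that lack that mitigation or have it reverted.

```python
import re

# Standard autorun.inf directives that launch a program (assumption: the page
# itself does not say which keys the virus writes).
EXEC_KEYS = {"open", "shellexecute"}
SHELL_CMD_RE = re.compile(r"^shell\\([^\\]+)\\command$", re.IGNORECASE)
HIDDEN_PATH_MARKERS = ("recycler", "system volume information", "$recycle.bin")


def parse_autorun(text):
    """Parse INI-style autorun.inf text into {section: {key: value}}, case-folded."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def executable_targets(text):
    """Return (directive, target) pairs for every directive that launches a program."""
    autorun = parse_autorun(text).get("autorun", {})
    return [(key, value) for key, value in autorun.items()
            if key in EXEC_KEYS or SHELL_CMD_RE.match(key)]


def suspicious_targets(text):
    """Flag launch targets with the traits of a dropped copy rather than a setup
    launcher: hidden-looking paths, or Explorer verbs (Open/Explore) rewired so
    that merely opening the drive from Explorer runs the file."""
    flags = []
    for key, target in executable_targets(text):
        reasons = []
        if any(m in target.lower() for m in HIDDEN_PATH_MARKERS):
            reasons.append("hidden-location path")
        if SHELL_CMD_RE.match(key):
            reasons.append("explorer verb hijacked")
        if reasons:
            flags.append((key, target, reasons))
    return flags


# Constructed sample of the kind of autorun.inf such worms drop (not from Xpaj.B).
SAMPLE = """[AutoRun]
icon=setup.ico
open=RECYCLER\\S-1-5-21\\xkzq.exe
shell\\open\\command=RECYCLER\\S-1-5-21\\xkzq.exe
shell\\explore\\command=RECYCLER\\S-1-5-21\\xkzq.exe
action=Open folder to view files
"""

if __name__ == "__main__":
    for key, target, reasons in suspicious_targets(SAMPLE):
        print(f"{key} -> {target}: {', '.join(reasons)}")
```

Run it against the root of the mounted drive's autorun.inf (with the drive attached read-only); any hit is a reason to pull the referenced file for analysis before the drive is used anywhere else.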



Payload

Downloads arbitrary files

Virus:Win32/Xpaj.B checks if your computer is connected to the Internet by accessing popular websites, such as microsoft.com, google.com, msn.com, and facebook.com.

Once it has verified that there is an Internet connection, Virus:Win32/Xpaj.B reports its presence on your computer to, and receives further instructions from, a specific website hardcoded in its file. From the same website it downloads other files, which have been observed to be related to click fraud.

If that site is unavailable or the connection cannot be established, Virus:Win32/Xpaj.B falls back to generating pseudo-random website names (a domain generation algorithm) and attempts to contact those instead.
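The network behaviour described above has a shape that DNS logs can reveal without knowing the hardcoded site or the name-generation scheme (neither of which the description gives): a host resolves all four connectivity-check domains within a few seconds and then, when the hardcoded site fails, produces a burst of NXDOMAIN answers for names nobody else asks for. The detector below is an added example written for this page, not Microsoft's or the virus's code; the log format, the 30-second and 5-minute windows, the NXDOMAIN threshold and the sample log lines are all constructed assumptions. It generalizes slightly beyond the text by scoring any client that shows the check-then-fallback sequence, not only this family.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Domains the virus touches only to test for Internet access (from the description).
CONNECTIVITY_CHECK = {"microsoft.com", "google.com", "msn.com", "facebook.com"}


def parse_dns_log(lines):
    """Parse constructed 'ISO-timestamp client qname rcode' lines (assumed format)."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, client, qname, rcode = line.split()
        events.append((datetime.fromisoformat(ts), client,
                       qname.lower().rstrip("."), rcode.upper()))
    return sorted(events)


def registered_domain(qname):
    """Crude registrable-domain extraction: last two labels (fine for .com-style names)."""
    return ".".join(qname.split(".")[-2:])


def find_beacon_candidates(events, check_window=timedelta(seconds=30),
                           fallback_window=timedelta(minutes=5), nx_threshold=5):
    """Per client: all four check domains resolved within `check_window`, followed
    within `fallback_window` by >= nx_threshold NXDOMAIN answers for distinct names.
    Returns {client: (time the check completed, sorted NXDOMAIN names)}."""
    per_client = defaultdict(list)
    for ev in events:
        per_client[ev[1]].append(ev)

    hits = {}
    for client, evs in per_client.items():
        for i, (ts, _c, qname, _rc) in enumerate(evs):
            if registered_domain(qname) not in CONNECTIVITY_CHECK:
                continue
            seen, done_idx = set(), None
            for j in range(i, len(evs)):
                if evs[j][0] - ts > check_window:
                    break
                seen.add(registered_domain(evs[j][2]))
                if CONNECTIVITY_CHECK <= seen:
                    done_idx = j
                    break
            if done_idx is None:
                continue
            # Connectivity check complete; look for the DGA-style fallback after it.
            done_at = evs[done_idx][0]
            end = done_at + fallback_window
            nx = sorted({e[2] for e in evs[done_idx + 1:]
                         if e[0] <= end and e[3] == "NXDOMAIN"})
            if len(nx) >= nx_threshold:
                hits[client] = (done_at, nx)
                break
    return hits


# Constructed sample log: 10.0.0.5 shows the check-then-fallback pattern,
# 10.0.0.9 is ordinary browsing touching the same popular sites.
SAMPLE_LOG = """
2013-01-04T09:00:00 10.0.0.5 www.microsoft.com NOERROR
2013-01-04T09:00:01 10.0.0.5 www.google.com NOERROR
2013-01-04T09:00:01 10.0.0.5 www.msn.com NOERROR
2013-01-04T09:00:02 10.0.0.5 www.facebook.com NOERROR
2013-01-04T09:00:03 10.0.0.5 hardcoded-site.example NXDOMAIN
2013-01-04T09:00:10 10.0.0.5 qzkvbtwe.com NXDOMAIN
2013-01-04T09:00:12 10.0.0.5 mlpoxcrt.com NXDOMAIN
2013-01-04T09:00:14 10.0.0.5 hgfedsab.com NXDOMAIN
2013-01-04T09:00:16 10.0.0.5 tyuiopas.com NXDOMAIN
2013-01-04T09:00:18 10.0.0.5 zxcvbnmk.com NXDOMAIN
2013-01-04T09:01:00 10.0.0.9 www.google.com NOERROR
2013-01-04T09:03:30 10.0.0.9 www.facebook.com NOERROR
2013-01-04T09:05:00 10.0.0.9 www.msn.com NOERROR
2013-01-04T09:06:00 10.0.0.9 www.microsoft.com NOERROR
2013-01-04T09:06:05 10.0.0.9 typo-domain.com NXDOMAIN
"""


def run_sample():
    return find_beacon_candidates(parse_dns_log(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for client, (done_at, names) in run_sample().items():
        print(client, done_at.isoformat(), names)
```

The four check domains are among the most queried names on any network, so the signal is the sequence, not the names: tune `check_window` to how tightly the sample you have resolves them, and treat the NXDOMAIN names as the starting point for a sinkhole or for pivoting to other hosts that query the same ones.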



Analysis by Rodel Finones

Last update 04 January 2013