Virus: W32/Xpaj.A
Date discovered: 16/12/2009
Type: File infector
In the wild: Yes
Reported infections: Low
Distribution potential: Medium
Damage potential: Medium
Static file: No
File size: ~140,000 bytes
Engine version: 7.09.01.114

General method of propagation:
   • Infects files


Aliases:
   •  Symantec: W32.Xpaj
   •  Sophos: Mal/Xpaj-A
   •  Eset: Win32/Goblin.A.Gen
   •  Bitdefender: Win32.XPaj.B


Platforms / OS:
   • Windows NT
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Infects files

Files
The following files are created:

– A temporary file that may be deleted afterwards:
   • %TEMPDIR%\%hex number%.tmp
   This is a copy of the original file as it was before infection.

– A file that serves as a flag for an internal routine of the virus:
   • %TEMPDIR%\%random character string%.tmp

File infection
Infector type:

Appender - The main virus code is added at the end of the infected file.
– The last section of the file is enlarged and modified to hold the virus code.

Damaging - Files may be improperly infected. Because of bugs in the virus, only part of the virus code may be present in an infected sample; such a sample will not replicate any further. Infected files may be left broken.


Stealth:
EPO (Entry Point Obscuring) - The infected file's EP (Entry Point) remains unchanged: the PE header still points at the host's original code. Instead, the virus patches instructions inside the host's program code so that execution is redirected to the viral code at some point after start-up. A scanner that only inspects the code at the entry point therefore sees unmodified host code.
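
The "Appender", "Damaging" and "EPO" entries above describe a header-level pattern that can be checked without running the file: the entry point still lies in the host's original code section, while the last section has grown by roughly the infection length and is marked executable; a truncated sample shows a section that runs past the end of the file. The following Python script is an added example written for this page; it is not Avira's code, not a detection signature, and not code from the virus. It parses the PE headers itself, builds two constructed PE32 images in memory (a clean layout and one shaped as the description says an infected file looks), and reports those header facts. The threshold INFECTION_LENGTH, the sample layouts and all function names are this example's own assumptions.

```python
"""Header-level triage for the appender + EPO pattern described above.

Added example, not Avira's code and not the virus.  Two PE32 images are
constructed in memory: a clean layout and one shaped the way the description
says an infected file looks (entry point unchanged, last section enlarged by
roughly the infection length and marked executable).  INFECTION_LENGTH and
all function names are this example's assumptions, not signatures.
"""
import struct
from collections import namedtuple

# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

INFECTION_LENGTH = 140_000  # assumed threshold, from "approximately 140,000 bytes" above

Section = namedtuple("Section", "name vsize vaddr rsize rptr chars")


def parse_pe(data):
    """Return (AddressOfEntryPoint, [Section, ...]) read from the PE headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]   # SizeOfOptionalHeader
    opt = coff + 20
    entry = struct.unpack_from("<I", data, opt + 16)[0]       # AddressOfEntryPoint (PE32 and PE32+)
    table = opt + opt_size
    sections = []
    for i in range(nsec):
        f = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        name = f[0].rstrip(b"\0").decode("ascii", "replace")
        sections.append(Section(name, f[1], f[2], f[3], f[4], f[9]))
    return entry, sections


def section_containing(sections, rva):
    """Section whose virtual range covers rva, or None."""
    for s in sections:
        if s.vaddr <= rva < s.vaddr + max(s.vsize, s.rsize):
            return s
    return None


def triage(data):
    """Header facts relevant to the behaviour described above (heuristics, not a signature)."""
    entry, sections = parse_pe(data)
    last = sections[-1]
    return {
        "entry_point_rva": entry,
        # EPO leaves the entry point inside the host's original code section.
        "entry_in_last_section": section_containing(sections, entry) is last,
        # An appender that puts code in the last section must make it executable.
        "last_section_executable": bool(last.chars & IMAGE_SCN_MEM_EXECUTE),
        "last_section_writable": bool(last.chars & IMAGE_SCN_MEM_WRITE),
        "last_section_raw_size": last.rsize,
        # "Damaging": a section that runs past end of file means a broken sample.
        "last_section_truncated": last.rptr + last.rsize > len(data),
    }


def looks_like_epo_appender(report, infection_length=INFECTION_LENGTH):
    """Executable last section that does not hold the EP and is big enough for the virus body."""
    return (report["last_section_executable"]
            and not report["entry_in_last_section"]
            and report["last_section_raw_size"] >= infection_length)


def build_pe(sections, entry_rva):
    """Constructed minimal PE32 image; sections = [(name, virtual_address, raw_size, characteristics)]."""
    n = len(sections)
    header_len = 0x40 + 4 + 20 + 0xE0 + 40 * n
    first_raw = (header_len + 0x1FF) & ~0x1FF                        # 0x200 file alignment
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 0xE0, 0x0102)  # i386, 224-byte optional header
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva, 0x1000, 0x2000)
    opt += b"\0" * (0xE0 - len(opt))
    table, body, rptr = b"", b"", first_raw
    for name, vaddr, rsize, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name, rsize, vaddr, rsize, rptr, 0, 0, 0, 0, chars)
        body += b"\0" * rsize
        rptr += rsize
    headers = dos + b"PE\0\0" + coff + opt + table
    return headers + b"\0" * (first_raw - len(headers)) + body


TEXT = (b".text", 0x1000, 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
DATA_RW = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Constructed samples; entry point 0x1100 lies inside .text in both images.
CLEAN = build_pe([TEXT, (b".data", 0x2000, 0x200, DATA_RW)], 0x1100)
INFECTED = build_pe([TEXT, (b".data", 0x2000, 0x200 + INFECTION_LENGTH, DATA_RW | IMAGE_SCN_MEM_EXECUTE)], 0x1100)
BROKEN = INFECTED[:-60_000]  # improperly infected: the section table promises data the file lacks

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("infected", INFECTED), ("broken", BROKEN)):
        report = triage(image)
        print(label, report, "epo-appender pattern:", looks_like_epo_appender(report))
```

The checks are deliberately header-only: they flag a layout worth a closer look (an executable, writable last section of at least the stated infection length while the entry point still sits in the original code section) and a sample whose section table no longer matches the file length. Packers and legitimately linked binaries can produce a similar layout, so a hit is a triage signal, not an identification of this virus.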


Self Modification:

Polymorphic - The entire virus code changes from one infection to another. The virus contains a polymorphic engine.


Method:

This is a direct-action infector: when an infected program runs, the virus actively searches for files to infect rather than staying resident in memory.


Infection length:

Approximately 140,000 bytes


The following files are infected:

By file name pattern:
   • *.exe
   • *.scr
   • *.dll
   • *.sys

Files in any of the following directories:
   • %all directories%

Description inserted by Daniel Constantin on Tuesday, February 16, 2010
Description updated by Daniel Constantin on Tuesday, February 16, 2010
