Virus: W32/Xpaj.B
Date discovered: 16/12/2009
Type: File infector
In the wild: Yes
Reported Infections: Low
Distribution Potential: Medium
Damage Potential: Medium
Static file: No
File size: ~145.000 Bytes
IVDF version: 7.09.01.114

General Method of propagation:
   • Infects files


Aliases:
   •  Symantec: W32.Xpaj.B
   •  Mcafee: W32/Xpaj
   •  Eset: Win32/Goblin.B.Gen
   •  Bitdefender: Win32.XPaj.C


Platforms / OS:
   • Windows NT
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Infects files

Files:
The following files are created:

– A file that is for temporary use and it might be deleted afterwards:
   • %TEMPDIR%\%hex number%.tmp

– This is the original version of the file before infection:
   • %WINDIR%\%eight-digit random character string%.tmp

File infection:
Infector type:

Embedded - The virus inserts its code throughout the file (in one or more places).

Damaging - The files may be improperly infected. Because of bugs in the virus, only some of the virus code may be present in the infected sample, and that sample will not replicate any further. The infected files may be broken.


Stealth:
EPO (Entry Point Obscuring) - The infected file's EP (Entry Point) remains the same. The virus patches the program code to redirect execution to the viral code.


Self Modification:

Polymorphic - The entire virus code changes from one infection to another. The virus contains a polymorphic engine.


Method:

This direct-action infector actively searches for files.


Infection length:

Approximately 145.000 Bytes


The following files are infected:

By exact path:
   • *.exe
   • *.scr
   • *.dll
   • *.sys

Files in any of the following directories:
   • %all directories%

Backdoor:
Contact server:
The following:
   • %random character string%.com/up.**********

This is done via an HTTP GET request to a PHP script.

Miscellaneous:
Internet connection:
In order to check for its internet connection, the following DNS servers are contacted:
   • www.gracefullsystemupdate.com
   • microsoft.com
   • %random character string%.com
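As an added example (not part of the original description or of any vendor tooling), the following Python script turns the artifacts listed above into simple host and DNS-log checks: the eight-character `.tmp` file in %WINDIR%, the hex-named `.tmp` file in %TEMPDIR%, and resolution of the fixed domain www.gracefullsystemupdate.com. The file paths and the DNS log format are constructed for the example, and the script assumes %WINDIR% is C:\Windows. microsoft.com is deliberately not treated as an indicator, since it is only a connectivity probe, and the randomly named `.com` domain and the masked `up.*` URL cannot be matched literally. Temp-file matches alone are weak evidence and are meant to be confirmed by a scan of the files they sit beside.

```python
import re

# Constructed sample data for this example (not taken from the description).
SAMPLE_PATHS = [
    r"C:\Windows\ab3Kq9Zx.tmp",                        # eight random chars + .tmp in %WINDIR%
    r"C:\Windows\system32\kernel32.dll",               # benign
    r"C:\Users\alice\AppData\Local\Temp\1f3a9c.tmp",   # hex number + .tmp in %TEMPDIR%
    r"C:\Windows\notepad.exe",                         # benign
    r"C:\Windows\toolong12345.tmp",                    # wrong length, must not match
]

# Constructed DNS resolver log in a made-up "client=... query=..." format.
SAMPLE_DNS_LOG = """\
2010-02-16 09:12:01 client=10.0.0.15 query=www.gracefullsystemupdate.com type=A
2010-02-16 09:12:01 client=10.0.0.15 query=microsoft.com type=A
2010-02-16 09:12:02 client=10.0.0.15 query=qhxtrwlz.com type=A
2010-02-16 09:13:44 client=10.0.0.22 query=www.example.org type=A
"""

# %WINDIR%\<eight-character random string>.tmp; assumes the default C:\Windows.
WINDIR_TMP_RE = re.compile(r"^[A-Za-z]:\\Windows\\[A-Za-z0-9]{8}\.tmp$", re.IGNORECASE)
# %TEMPDIR%\<hex number>.tmp; matches any directory named Temp.
TEMPDIR_TMP_RE = re.compile(r"\\Temp\\[0-9A-Fa-f]+\.tmp$", re.IGNORECASE)
# The one fixed domain named in the description. microsoft.com is also contacted
# but is a benign connectivity check and is intentionally not an indicator.
SUSPECT_DOMAINS = {"gracefullsystemupdate.com"}

DNS_LINE_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<name>\S+)")


def classify_path(path):
    """Return an indicator label for a file path, or None if it matches nothing."""
    if WINDIR_TMP_RE.match(path):
        return "windir-random-tmp"
    if TEMPDIR_TMP_RE.search(path):
        return "tempdir-hex-tmp"
    return None


def find_file_artifacts(paths):
    """Return (path, label) pairs for every path that matches a listed artifact."""
    return [(p, label) for p in paths if (label := classify_path(p))]


def registrable_domain(name):
    """Reduce a queried name to its last two labels (good enough for .com names here)."""
    parts = name.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else name.lower()


def find_dns_hits(log_text):
    """Return (client, queried name) pairs whose domain is a known indicator."""
    hits = []
    for line in log_text.splitlines():
        m = DNS_LINE_RE.search(line)
        if m and registrable_domain(m.group("name")) in SUSPECT_DOMAINS:
            hits.append((m.group("client"), m.group("name")))
    return hits


if __name__ == "__main__":
    for path, label in find_file_artifacts(SAMPLE_PATHS):
        print(f"file artifact [{label}]: {path}")
    for client, name in find_dns_hits(SAMPLE_DNS_LOG):
        print(f"dns indicator: {client} resolved {name}")
```

Run as a script it prints the two matching paths and the single DNS hit; in practice the path list would come from a directory walk of %WINDIR% and %TEMP%, and the log lines from the resolver's query log.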

Description inserted by Daniel Constantin on Tuesday, February 16, 2010
Description updated by Daniel Constantin on Tuesday, February 16, 2010
