
Win32.Xorer


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Win32.Xorer is also known as Virus.Win32.Xorer, Virus:Win32/Xorer, Win32.HLLP.Rox, W32/Xorer, W32.Pagipef, TROJ_PAGIPEF, TR/Xorer.

Explanation:

Win32.Xorer is a worm that spreads through removable drives or shared network drives.

When executed:

- it creates the following files:

%root%\NetApi000.sys - detected as Rootkit.Xorer.A
%root%\autorun.inf - detected as Trojan.Harning.WA
%root%\pagefile.pif
%root%\[random-nr].log
%system%\[random-nr].log
%system%\dnsq.dll
%system%\Com\lsass.exe
%system%\Com\netcfg.000
%system%\Com\netcfg.dll
%system%\Com\smss.exe

All of these are detected as a variant of Win32.Xorer.

- it starts the following processes:

%system%\Com\lsass.exe
%system%\Com\smss.exe

- deletes the following registry keys (in order to prevent start-up programs and safe boot from running properly):

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}

- adds the following registry entries:

HKLM\SYSTEM\CurrentControlSet\Services\NetApi000 (registered by %root%\NetApi000.sys)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
"ShowSuperHidden" = "0"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
"Type" = "radio"

- checks the internet connection by executing:

ping.exe -f -n 1 www.baidu.com

- terminates all processes whose windows contain the following strings, either by calling TerminateProcess() on the process or by sending WM_QUERYENDSESSION, WM_ENDSESSION and WM_DESTROY messages to the process's window (the string list lost its separators in extraction and is reproduced as found):

360anti360safeafx:AfxControlBar42santivirarpavastavgbitdefendercabinetwclassdr.webescanesetewidofacelesswndprocfirewallieframekvmcafeemcagentmetapadmonitormozillauiwindowclassSREngtapplicationthunderrt6formdcthunderrt6mainThunderRT6Timer

- writes the following files on every removable drive or network share, in order to spread itself:

%root%\autorun.inf
%root%\pagefile.pif

The file %system%\dnsq.dll, injected into every process that imports user32.dll, hooks the following APIs: OpenProcess, CloseHandle and EnumProcessModules. This prevents suspending or killing any of the virus's processes and thus makes it difficult to remove.

Last update 21 November 2011
