Win32.Xorer
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Win32.Xorer is also known as Virus.Win32.Xorer, Virus:Win32/Xorer, Win32.HLLP.Rox, W32/Xorer, W32.Pagipef, TROJ_PAGIPEF, TR/Xorer.
Explanation:
Win32.Xorer is a worm that spreads through removable drives or shared network drives.
When executed:
- it creates the following files:
  %root%\NetApi000.sys - detected as Rootkit.Xorer.A
  %root%\autorun.inf - detected as Trojan.Harning.WA
  %root%\pagefile.pif
  %root%\[random-nr].log
  %system%\[random-nr].log
  %system%\dnsq.dll
  %system%\Com\lsass.exe
  %system%\Com\netcfg.000
  %system%\Com\netcfg.dll
  %system%\Com\smss.exe
All of these are detected as a variant of Win32.Xorer.
- it starts the following processes:
  %system%\Com\lsass.exe
  %system%\Com\smss.exe
- deletes the following registry keys (in order to prevent start-up programs and safe boot from running properly):
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
  HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
- adds the following registry entries:
  HKLM\SYSTEM\CurrentControlSet\Services\NetApi000 (registered by %root%\NetApi000.sys)
  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    "ShowSuperHidden" = "0"
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
    "Type" = "radio"
- checks the internet connection by executing:
  ping.exe -f -n 1 www.baidu.com
- terminates all processes whose windows contain any of the following strings, either by calling TerminateProcess() on the process or by sending WM_QUERYENDSESSION, WM_ENDSESSION and WM_DESTROY messages to the process's window:
  360anti, 360safe, afx:, AfxControlBar42s, antivir, arp, avast, avg, bitdefender, cabinetwclass, dr.web, escan, eset, ewido, facelesswndproc, firewall, ieframe, kv, mcafee, mcagent, metapad, monitor, mozillauiwindowclass, SREng, tapplication, thunderrt6formdc, thunderrt6main, ThunderRT6Timer
- writes the following files to every removable drive or network share in order to spread itself:
  %root%\autorun.inf
  %root%\pagefile.pif
The file %system%\dnsq.dll, injected into every process that imports user32.dll, hooks the following APIs: OpenProcess, CloseHandle and EnumProcessModules. This prevents the virus's processes from being suspended or killed and thus makes the infection difficult to remove.
Last update 21 November 2011
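The following host-triage script is an added example, not part of the BitDefender description above; it checks a Windows host for the file, registry and process indicators listed on this page. It assumes %root% is the system drive root and %system% is %SystemRoot%\System32; the removable-drive check uses the Win32_LogicalDisk DriveType value 2 for removable disks.

```powershell
# Checks a host for the Win32.Xorer artifacts listed in the description above.
# Assumptions: %root% = system drive root, %system% = %SystemRoot%\System32.
$root     = "$env:SystemDrive\"
$system   = Join-Path $env:SystemRoot 'System32'
$findings = @()

# Dropped files
$files = @(
    (Join-Path $root 'NetApi000.sys'), (Join-Path $root 'pagefile.pif'),
    (Join-Path $system 'dnsq.dll'),
    (Join-Path $system 'Com\lsass.exe'),  (Join-Path $system 'Com\smss.exe'),
    (Join-Path $system 'Com\netcfg.000'), (Join-Path $system 'Com\netcfg.dll')
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "dropped file present: $f" }
}

# Driver service registered by NetApi000.sys
if (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NetApi000') {
    $findings += 'driver service present: NetApi000'
}

# Explorer settings the worm changes so its super-hidden files stay invisible
$adv = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction SilentlyContinue
if ($adv -and $adv.ShowSuperHidden -eq 0) { $findings += 'ShowSuperHidden = 0' }
$sh = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden' -ErrorAction SilentlyContinue
if ($sh -and $sh.Type -eq 'radio') { $findings += 'Folder\SuperHidden Type = radio (default is checkbox)' }

# Keys the worm deletes; a clean system has all three
$guid = '{4D36E967-E325-11CE-BFC1-08002BE10318}'
$expected = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
              "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\$guid",
              "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\$guid")
foreach ($k in $expected) {
    if (-not (Test-Path $k)) { $findings += "expected key missing: $k" }
}

# lsass/smss running from the bogus Com directory (Path of smss needs elevation)
foreach ($p in Get-Process -Name lsass, smss -ErrorAction SilentlyContinue) {
    if ($p.Path -and $p.Path -like '*\System32\Com\*') {
        $findings += "process from Com dir: $($p.Path) (PID $($p.Id))"
    }
}

# Spreader files on removable drives (DriveType 2)
foreach ($d in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2') {
    foreach ($n in 'autorun.inf', 'pagefile.pif') {
        $p = Join-Path $d.DeviceID $n
        if (Test-Path -LiteralPath $p) { $findings += "spreader file on removable drive: $p" }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Output 'No Win32.Xorer indicators found.' }
```

Because dnsq.dll hooks OpenProcess and EnumProcessModules in processes that import user32.dll, run the script from an elevated session and treat a clean result on a host with other symptoms as inconclusive.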