Virus:Win32/Xpaj.B
First posted on 04 January 2013.
Source: Microsoft
Aliases:
Virus:Win32/Xpaj.B is also known as W32/Xpaj.D (Command), Virus.Win32.Xpaj.genc (Kaspersky), Win32/Xpaj (AVG), W32/Xpaj.D (Avira), Win32.Xpaj.1 (Dr.Web), Win32/Goblin.E.Gen virus (ESET), Virus.Win32.Xpaj (Ikarus), W32/XPaj.C (McAfee), Mal/Xpaj-B (Sophos), W32.Xpaj.B (Symantec), PE_XPAJ.C (Trend Micro).
Explanation:
Installation
Virus:Win32/Xpaj.B may arrive on your computer via drive-by download.
It initially creates a file in the %windir% folder with the following naming format:
<random letters>.<random letters>.tmp, for example, %windir%\sqna.oci.tmp.
The virus uses this file as an infection marker.
Spreads via...
File infection
Virus:Win32/Xpaj.B infects files with the following file extensions:
- EXE
- DLL
- SCR
- SYS
Virus:Win32/Xpaj.B targets files to infect in the <system folder> and %ProgramFiles% folder. It cycles through these folders recursively, creating a list of acceptable files (those that have the file extensions listed above) in these folders, and their subfolders, then randomly chooses files to infect from this list.
Virus:Win32/Xpaj.B does not infect protected Windows files.
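The marker-file naming format and the infection target set described above give a responder two concrete things to check on a suspect host. The following Python script is an added example, not Microsoft's code and not part of the original description: it lists files directly under a %windir% path that match the `<random letters>.<random letters>.tmp` marker format, builds a SHA-256 baseline of EXE/DLL/SCR/SYS files under the given roots (on a real host, the system folder and %ProgramFiles%), and reports which tracked binaries changed between two runs. The `demo()` function exercises it in a temporary directory with constructed files and a constructed marker named after the page's own example; the root paths, file names and file contents are assumptions for illustration.

```python
import hashlib
import os
import re
import tempfile

# File extensions the description lists as infection targets.
INFECTABLE_EXT = {".exe", ".dll", ".scr", ".sys"}

# Marker naming format from the description: <random letters>.<random letters>.tmp
MARKER_RE = re.compile(r"^[A-Za-z]+\.[A-Za-z]+\.tmp$")


def find_marker_candidates(windir):
    """Return file names directly under windir that match the marker format."""
    try:
        entries = os.listdir(windir)
    except OSError:
        return []  # assumption: a missing or unreadable folder reports "nothing found"
    return sorted(n for n in entries
                  if MARKER_RE.match(n) and os.path.isfile(os.path.join(windir, n)))


def sha256_file(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(roots):
    """Recursively hash every file under roots whose extension is infectable.

    This mirrors the candidate list the description says the virus builds,
    so a later run compares exactly the files it could have touched.
    Unreadable files are skipped rather than aborting the sweep.
    """
    baseline = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if os.path.splitext(name)[1].lower() in INFECTABLE_EXT:
                    path = os.path.join(dirpath, name)
                    try:
                        baseline[path] = sha256_file(path)
                    except OSError:
                        continue
    return baseline


def compare_baseline(old, new):
    """Report files whose hash changed, plus files that appeared or vanished."""
    return {
        "changed": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
    }


def demo():
    """Constructed scenario (not real telemetry): a fake Windows tree in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        windir = os.path.join(tmp, "Windows")
        sys32 = os.path.join(windir, "system32")
        progfiles = os.path.join(tmp, "Program Files", "App")
        os.makedirs(sys32)
        os.makedirs(progfiles)
        targets = [os.path.join(sys32, "calc.exe"),
                   os.path.join(progfiles, "app.dll"),
                   os.path.join(progfiles, "readme.txt")]  # not a target extension
        for p in targets:
            with open(p, "wb") as f:
                f.write(b"MZ original contents")

        before = build_baseline([sys32, progfiles])

        # Simulate what the description reports: one binary modified and a
        # marker file dropped in %windir% (name taken from the page's example).
        with open(targets[1], "ab") as f:
            f.write(b" appended code")
        open(os.path.join(windir, "sqna.oci.tmp"), "wb").close()

        after = build_baseline([sys32, progfiles])
        diff = compare_baseline(before, after)
        return {
            "tracked": len(before),
            "changed_names": [os.path.basename(p) for p in diff["changed"]],
            "markers": find_marker_candidates(windir),
        }


if __name__ == "__main__":
    print(demo())
```

On a live host, run `build_baseline` against the real system folder and %ProgramFiles% from a known-clean state and store the result; a later comparison then points directly at modified binaries, and a marker hit in %windir% is a strong reason to do that comparison at all. The marker regex only expresses the naming format the description gives, so a hit is a lead for further checking, not proof on its own.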
Removable and network drives
Virus:Win32/Xpaj.B infects files on removable and network drives. It copies itself to removable drives using various file names and creates an Autorun file so that it runs every time the drive is accessed while Autorun is enabled.
Payload
Downloads arbitrary files
Virus:Win32/Xpaj.B checks if your computer is connected to the Internet by accessing popular websites, such as microsoft.com, google.com, msn.com, and facebook.com.
Once it has verified that there is an Internet connection, Virus:Win32/Xpaj.B reports its presence on your computer to a specific website hardcoded in its file and receives further instructions from it. From the same website, it downloads other files, which have been observed to be related to click-fraud.
If that site is unavailable or a connection cannot be established, Virus:Win32/Xpaj.B instead tries to generate pseudo-random website names.
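The network behaviour described above (connectivity probes to well-known sites, a check-in to one hardcoded site, then pseudo-random names if that fails) is a sequence a defender can look for in DNS logs. The Python below is an added example and not Microsoft's or the analyst's tooling: it parses a constructed DNS log (the log format, host names and non-probe domains are assumptions; the probe domains are the four the description names), scores second-level labels for pseudo-randomness with a Shannon-entropy and vowel-ratio heuristic, and flags any host that queries several of the probe sites and then receives a run of NXDOMAIN answers for random-looking names within a short window.

```python
import math
from collections import Counter, defaultdict

# The four sites the description says the virus uses to test Internet connectivity.
CONNECTIVITY_PROBES = {"microsoft.com", "google.com", "msn.com", "facebook.com"}

# Constructed DNS log (not real telemetry). Format assumed: "epoch host qname rcode".
SAMPLE_DNS_LOG = """\
1000 host-a microsoft.com NOERROR
1001 host-a google.com NOERROR
1002 host-a msn.com NOERROR
1003 host-a facebook.com NOERROR
1004 host-a hardcoded-site.example NXDOMAIN
1005 host-a xkqzvtmrbwplf.com NXDOMAIN
1006 host-a qwmvzrtplkshdg.net NXDOMAIN
1007 host-a hjrtqzkvmwplx.org NXDOMAIN
1008 host-a vztrkqpwxmjhb.com NXDOMAIN
1020 host-b google.com NOERROR
1021 host-b mail.example NOERROR
1022 host-b cdn.example NOERROR
"""


def parse_dns_log(text):
    """Turn the constructed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue
        records.append({"ts": int(parts[0]), "host": parts[1],
                        "qname": parts[2].lower().rstrip("."), "rcode": parts[3]})
    return records


def shannon_entropy(s):
    """Bits of entropy per character of s."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def second_level_label(qname):
    """The label just left of the TLD, e.g. 'example' for 'www.example.com'."""
    parts = qname.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_pseudo_random(qname, min_len=10, min_entropy=3.2, max_vowel_ratio=0.25):
    """Heuristic for machine-generated names: long, high-entropy, vowel-poor labels."""
    label = second_level_label(qname)
    letters = [ch for ch in label if ch.isalpha()]
    if len(label) < min_len or not letters:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in letters) / len(letters)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def detect_beacon_pattern(records, window=60, min_probes=3, min_random_nx=3):
    """Flag hosts that probe several connectivity sites and then get a run of
    NXDOMAIN answers for random-looking names, all within `window` seconds."""
    by_host = defaultdict(list)
    for r in records:
        by_host[r["host"]].append(r)
    findings = []
    for host, recs in by_host.items():
        recs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(recs):
            if start["qname"] not in CONNECTIVITY_PROBES:
                continue
            span = [r for r in recs[i:] if r["ts"] - start["ts"] <= window]
            probes = {r["qname"] for r in span if r["qname"] in CONNECTIVITY_PROBES}
            random_nx = [r["qname"] for r in span
                         if r["rcode"] == "NXDOMAIN" and looks_pseudo_random(r["qname"])]
            if len(probes) >= min_probes and len(random_nx) >= min_random_nx:
                findings.append({"host": host, "start": start["ts"],
                                 "probes": sorted(probes), "nxdomains": random_nx})
                break  # one finding per host is enough for triage
    return findings


if __name__ == "__main__":
    for finding in detect_beacon_pattern(parse_dns_log(SAMPLE_DNS_LOG)):
        print(finding)
```

The thresholds are tuned for this small sample; in a real environment, raise `min_random_nx` and calibrate the entropy and vowel cut-offs against your own DNS baseline, since some legitimate CDN and tracking labels also score as random-looking. Note that `host-b` queries google.com and gets two normal answers, which the detector correctly leaves alone: the signal is the combination of several probe sites followed by failed lookups of random names, not any one of those events.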
Analysis by Rodel Finones
Last update 04 January 2013