Win32.Xorer.EK


First posted on 21 November 2011.
Source: BitDefender

Aliases:

There are no other names known for Win32.Xorer.EK.

Explanation:

This is a prepender virus, meaning that the infection technique does not modify the host program directly or append viral code/data to it; instead, the virus writes its own body in place of the host and appends the entire host executable in its overlay. The virus also "steals" the host's icon, so there is no visible difference between the original and the infected file.
When first executed, the virus runs the host by dropping the original executable as a hidden file named [original-file-name].~tmp. After the host terminates, the virus tries to make a copy of itself at %system%\drivers\lsass.exe. If it succeeds, it executes this fresh copy and continues execution there. If it fails to create the copy, it assumes that it has already infected the system and is active in memory.

When the new copy is executed, it creates 4 internal timers (special functions that are executed after a fixed period of time has elapsed):
o Timer 1, executed every 1 second (1000 ms), is responsible for constantly checking the existence of the file Documents and Settings\[user-name]\Start Menu\Programs\Startup\~.pif (a copy of the virus). If the file doesn't exist, either it hasn't been created yet or it was deleted; in either case, the timer simply re-creates it. It also enumerates all drives and infects them by creating a new copy of the virus in each root as "pagefile.pif", together with an autorun.inf that points to it. This timer also executes the infection routine (discussed in more detail below).
o Timer 2, executed every 15 seconds, checks whether there is a window whose class name is "IEFrame" (it belongs to Internet Explorer); if it finds one, it redirects it to various advertising or infected sites.
o Timer 3 (every 2 and a half hours) performs actions similar to Timer 2, but in addition it creates a new instance of Internet Explorer, which is then redirected to various advertising/infected sites.
o Timer 4 (every minute) is similar to Timer 3.

Infection technique
As already mentioned, this is a prepender (it appends the host to a copy of itself). The virus searches for .exe files on every fixed drive. When it finds one, it makes a copy of it as [original-name].p. It then writes the viral body into the original file, retrieves the icon of the original program and writes it into the viral resource section, writes 8 bytes in the overlay (including the size of the host), and finally appends the host program followed by another copy of itself. After infection, the infected file differs from the original only by size (~64 KB larger).
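As an added illustration that is not part of BitDefender's description, the Python below triages a file for the layout just described (virus body, short overlay header, embedded host, second virus copy) and carves the embedded host out of the overlay for analysis. It assumes the 8 overlay bytes directly precede the host; since their exact encoding is not given here, the constructed sample stores the host size little-endian in the first 4 bytes and the carve is bounded by the host's own PE headers instead (so a host that itself carried an overlay would come back truncated). The PE skeletons are constructed sample input, not runnable binaries.

```python
import struct
COFF_HDR, SECTION_HDR = 20, 40   # sizes of IMAGE_FILE_HEADER and IMAGE_SECTION_HEADER

def pe_overlay_offset(data: bytes):
    """Offset where the overlay (bytes past the last section) starts; None if not a PE."""
    try:
        if data[:2] != b"MZ":
            return None
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        coff = e_lfanew + 4
        num_sections = struct.unpack_from("<H", data, coff + 2)[0]
        opt_size = struct.unpack_from("<H", data, coff + 16)[0]
        table = coff + COFF_HDR + opt_size
        end = table + num_sections * SECTION_HDR
        for i in range(num_sections):   # SizeOfRawData / PointerToRawData at +16 of each header
            raw_size, raw_ptr = struct.unpack_from("<II", data, table + i * SECTION_HDR + 16)
            end = max(end, raw_ptr + raw_size)
        return end
    except struct.error:                # headers run past the end of the buffer
        return None

def carve_embedded_pe(data: bytes, header_len: int = 8):
    """Return the complete PE image behind a header_len-byte prefix in the overlay, else None.
    The inner image's own headers bound the carve (assumption: the host carries no overlay)."""
    ov = pe_overlay_offset(data)
    if ov is None:
        return None
    inner = data[ov + header_len:]
    inner_end = pe_overlay_offset(inner)
    if inner_end is None or inner_end > len(inner):   # not a PE, or truncated carrier
        return None
    return inner[:inner_end]

def build_minimal_pe(section_bytes: bytes) -> bytes:
    """Constructed, non-runnable PE32 skeleton with one section, used only as sample input."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    opt = bytes(224)                                                # blank PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    raw_ptr = 0x40 + 4 + COFF_HDR + len(opt) + SECTION_HDR
    sec = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(section_bytes), 0x1000,
                                        len(section_bytes), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + opt + sec + section_bytes

def build_constructed_infected_sample():
    """Constructed sample after the description: virus + 8-byte header (host size, assumed LE) + host + virus."""
    virus, host = build_minimal_pe(b"\x90" * 16), build_minimal_pe(b"\xCC" * 32)
    return virus, host, virus + struct.pack("<II", len(host), 0) + host + virus
```

A carved host that differs from the [original-name].p backup, or a carrier whose size exceeds the carved host by a constant amount across many files, is the kind of evidence a responder would compare against this description.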

Last update 21 November 2011
