Home / malware Virus:Win32/Xpaj.J
First posted on 23 March 2012.
Source: MicrosoftAliases :
There are no other names known for Virus:Win32/Xpaj.J.
Explanation :
Virus:Win32/Xpaj.J is a polymorphic, entry point obscuring (EPO -- meaning that when the virus infects the file, the point at which the virus infects the file is obscured, in an attempt to make it more difficult to detect) virus that infects Windows PE files.The virus also attempts to download additional files from remote hosts.
Top
Virus:Win32/Xpaj.J is a polymorphic, entry point obscuring (EPO -- meaning that when the virus infects the file, the point at which the virus infects the file is obscured, in an attempt to make it more difficult to detect) virus that infects Windows PE files.The virus also attempts to download additional files from remote hosts.
Spreads via€¦
File infection
Win32/Xpaj.J infects files with the following file extensions:
- .exe
- .dll
- .scr
- .sys
The virus initially creates a file in the %windir% directory with a file name in the following format:
<random letters>.<random letters>.tmp
The virus uses this file as an infection marker.
Win32/Xpaj targets files to infect first in the %ProgramFiles% folder, and then the %windir% folder. It cycles through these folders recursively. It creates a list of all acceptable files (those that have the file extensions listed above) in these directories and their subdirectories recursively, and then randomly chooses files to infect from this list.
Win32/Xpaj does not directly infect files, rather uses the following method:
- Opens the targeted file in read only mode.
- Decides whether or not to infect the targeted file.
If so, copies the targeted file to the %Temp% folder with a temporary file name (for example, %temp%/<hex value>.tmp).- Infects this copy of the file.
- Overwrites the original file with the infected copy.
Note: During the process of file infection, the virus deletes the temporary file; hence, after file infection process is completed, no clean copies of the original files remain in %Temp%.
Win32/Xpaj does not infect protected Windows files.
Payload
Downloads arbitrary files
Win32/Xpaj attempts to download additional code from the Internet. It contains a hardcoded IP, 74.72.199.125, that it tries to connect to initially. It also generates thousands of pseudo-random domain names which it tries to resolve to their corresponding IP addresses before connecting.
See below for examples of domain names generated by Win32/Xpaj:
- aaiyuok.com
- abbapxynn.com
- abdulahuy.com
- abke.com
- abrblpshon.com
- absxzm.com
- abuaxsnliv.com
- abze.com
- acub.com
- aczqhywu.com
- adi.com
- adtdqpucl.com
- adu.com
- adxikvg.com
- aebvf.com
- aejtclfoy.com
- aem.com
- aeuyrbvq.com
- afl.com
- bxdobrp.com
- bxrfp.com
- bxwoqiqbu.com
- bxxntwiwpj.com
- bydyrqvg.com
- bysxfqnl.com
- byzsdqx.com
- bzagthodj.com
- bzbr.com
- bzpuqikh.com
- bzq.com
- bztng.com
- cacljfsfo.com
- cagvyrn.com
- caidutah.com
- cakm.com
- caonlv.com
- caormr.com
- caxrojl.com
- cbbsccfi.com
- cblw.com
- cbqbtqwah.com
- cbsceexr.com
- cbw.com
- ccbohvkvck.com
- cccgppntwk.com
- ccmlkh.com
Win32/Xpaj may try to test Internet connectivity by connecting to microsoft.com.
Analysis by Shawn Wang & Marian Radu
Last update 23 March 2012