Virus.W32.Xpaj
http://www.cert-in.org.in/virus/Virus_W32_Xpaj.htm
Original issue date: October 08, 2009
W32.Xpaj is an entry-point obscuring, polymorphic file infector virus. Two
variants, W32.Xpaj.A and W32.Xpaj.B, are observed to be spreading widely by
infecting files with the .exe, .dll, .scr and .sys extensions.
It integrates itself into infected files and becomes part of the host
program's control flow. The virus is memory resident only while the host
process is running; if the host process is terminated, the virus is terminated
with it.
The virus also replaces part of the host file with its own polymorphic
decryptor. In addition it patches certain call statements to point to this
decryptor. It corrupts some files, leaving them in an unrecoverable state
such that they need to be restored from backup.
It spreads to removable devices by copying itself onto them and uses an
autorun.inf file to run itself when the device is connected.
Upon execution the virus performs the following actions:
Drops the following files:
%Windir%\[FOUR RANDOM NUMBERS FOLLOWED BY
FOUR RANDOM LETTERS].tmp
%Temp%\[HEXADECIMAL CHARACTERS].tmp
(a copy of the file it is attempting to infect)
%DriveLetter%\autorun.inf
Attempts to contact microsoft.com to check Internet connectivity.
Attempts to contact its control server using the following URL:
[http://][SERVER ADDRESS]/up.[REMOVED]
Note: [SERVER ADDRESS] may be one of the following remote locations, from
which the virus may download and execute additional malicious files:
74.72.19x..xxx
abdu[removed]uy dot com
toora[removed]s dot com
Infected host files send information about the system on which the infected
file is running (OS version, Service Pack, IP address, etc.) to the command
servers listed above.
Users are advised to implement the following countermeasures:
Search for the malicious files created by the virus and delete them.
Turn off autoplay.
Maintain up-to-date Antivirus and Antispyware.
Apply up-to-date patches and fixes on the operating system and application
software.
Set up a firewall to block unauthorized access while connected to the
internet.
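The following is an added example, not part of the CERT-In advisory, showing how a defender might check for the two behaviours described above: the dropped .tmp file names and an autorun.inf at the root of a removable drive. The regular expressions are constructed from the name patterns the advisory gives, the autorun.inf parser is a minimal hand-written one, and the sample autorun.inf content is constructed for illustration.

```python
import os
import re

# Name patterns for the temporary files the advisory says the virus drops.
# Constructed from the advisory's description; these are not signatures.
WINDIR_TMP = re.compile(r"^\d{4}[A-Za-z]{4}\.tmp$")   # %Windir%\[4 digits][4 letters].tmp
TEMP_TMP = re.compile(r"^[0-9A-Fa-f]+\.tmp$")         # %Temp%\[hex chars].tmp

# autorun.inf keys that make AutoPlay launch a program.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")


def suspicious_tmp_names(names, location):
    """Return the names that match the drop pattern for 'windir' or 'temp'."""
    pattern = WINDIR_TMP if location == "windir" else TEMP_TMP
    return [n for n in names if pattern.match(n)]


def autorun_launch_targets(text):
    """Parse autorun.inf (INI-style) and return (key, command) pairs that
    would start a program. Section and key names are matched
    case-insensitively; ';' comment lines are ignored."""
    targets, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() in LAUNCH_KEYS:
                targets.append((key.strip().lower(), value.strip()))
    return targets


def check_drive_root(root):
    """Return launch targets from an autorun.inf at a drive root, or [] if none."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return []
    with open(path, "r", encoding="utf-8", errors="ignore") as f:
        return autorun_launch_targets(f.read())


# Constructed sample autorun.inf of the kind a drive-spreading infector writes.
SAMPLE_AUTORUN = """[AutoRun]
; constructed example, not a real sample
open=1234abcd.tmp
shell\\open\\command=1234abcd.tmp
"""

if __name__ == "__main__":
    print(autorun_launch_targets(SAMPLE_AUTORUN))
    print(suspicious_tmp_names(["1234abcd.tmp", "notes.txt"], "windir"))
```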
References
http://vil.nai.com/vil/content/v_233604.htm
http://www.avertlabs.com/research/blog/index.php/2009/09/21/w32xpaj-know-your-polymorphic-enemy/
http://www.symantec.com/connect/blogs/w32xpajb-upper-crust-file-infector
http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=79776
http://community.ca.com/blogs/securityadvisor/archive/2009/09/24/win32-xpaj-a-analysis-notes.aspx
http://www.avertlabs.com/research/blog/index.php/2009/10/06/w32xpaj-botnet-growing-rapidly/
Disclaimer
The information provided herein is on "as is" basis, without warranty of
any kind.
Contact Information
Phone: +91-11-24368572
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
Note: Please do not reply to this e-mail. For further queries contact
CERT-In Information Desk. Email: info@cert-in.org.in