PE_XPAJ
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: File infector
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
The XPAJ family of file infectors has been known since 2009. Its main purpose is to redirect infected users to click fraud, generating profit for its makers. It has gained the capability to spread via mapped drives or shared folders, greatly improving its infection rate.
Some XPAJ file infectors infect the Master Boot Record (MBR) of an infected computer. This capability enables XPAJ to start even before the operating system loads as the infected computer starts up.
To ensure that its servers are online, XPAJ generates 197 URLs to achieve 24/7 uptime, which means continuous cash flow for its perpetrators.
This file infector arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
Arrival Details
This file infector arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Autostart Technique
This file infector drops the following files:
- %Windows%\{random file name}.{random 3 letters} - minimum of 9 files
(Note: %Windows% is the Windows folder, which is usually C:\Windows.)
Process Termination
This file infector terminates the following processes if found running in the affected system's memory:
- avp.exe
- avgnt.exe
- avguard.exe
- sched.exe
- avastui.exe
- ccsvchst.exe
- avgcsrvx.exe
- avgnsx.exe
- avgrsx.exe
- avgtray.exe
- avgwdsvc.exe
- egui.exe
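The list above is useful as a detection signal: several security-product processes ending within seconds of each other is rare in normal operation. The following is an added example (not from Trend Micro) that hunts for such bursts over a constructed process-termination log in a hypothetical CSV format with timestamp, event and image columns.

```python
import csv
from datetime import datetime, timedelta
from io import StringIO

# Security-product processes the page lists as XPAJ termination targets.
XPAJ_KILL_LIST = {
    "avp.exe", "avgnt.exe", "avguard.exe", "sched.exe", "avastui.exe",
    "ccsvchst.exe", "avgcsrvx.exe", "avgnsx.exe", "avgrsx.exe",
    "avgtray.exe", "avgwdsvc.exe", "egui.exe",
}

# Constructed sample log (hypothetical format, not real telemetry).
SAMPLE_LOG = r"""timestamp,event,image
2012-05-01T10:00:00,ProcessTerminate,C:\Windows\notepad.exe
2012-05-01T10:02:03,ProcessTerminate,C:\Program Files\AVG\avgtray.exe
2012-05-01T10:02:04,ProcessTerminate,C:\Program Files\AVG\avgnsx.exe
2012-05-01T10:02:05,ProcessTerminate,C:\Program Files\AVG\avgrsx.exe
2012-05-01T12:30:00,ProcessTerminate,C:\Program Files\ESET\egui.exe
"""


def find_kill_bursts(log_text, window_seconds=30, min_distinct=2):
    """Return (burst_start, sorted image names) for every window in which
    at least `min_distinct` distinct listed processes were terminated."""
    events = []
    for row in csv.DictReader(StringIO(log_text)):
        if row["event"] != "ProcessTerminate":
            continue
        image = row["image"].rsplit("\\", 1)[-1].lower()
        if image in XPAJ_KILL_LIST:
            events.append((datetime.fromisoformat(row["timestamp"]), image))
    events.sort()
    window = timedelta(seconds=window_seconds)
    bursts, i = [], 0
    while i < len(events):
        start = events[i][0]
        names = {img for ts, img in events if start <= ts <= start + window}
        if len(names) >= min_distinct:
            bursts.append((start, sorted(names)))
            # Consume the whole window so one burst is reported only once.
            while i < len(events) and events[i][0] <= start + window:
                i += 1
        else:
            i += 1
    return bursts


if __name__ == "__main__":
    for start, names in find_kill_bursts(SAMPLE_LOG):
        print(f"{start.isoformat()}: {len(names)} AV processes ended: {names}")
```

A product update or reboot can also stop several components at once, so treat a hit as a triage lead to correlate with the dropped-file and MBR indicators described elsewhere on this page.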
Other Details
This file infector connects to the following URL(s) to check for an Internet connection:
- microsoft.com
It connects to the following possibly malicious URL: