XPAJ
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: File infector
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
The XPAJ family of file infectors has been known since 2009. Its main purpose is to use infected machines for click fraud, generating profit for its makers. It has since gained the capability to spread via mapped drives and shared folders, greatly improving its infection rate.
Some XPAJ variants also infect the Master Boot Record (MBR) of the affected computer. This lets XPAJ run before the operating system loads each time the computer starts up.
To keep its servers reachable, XPAJ generates 197 candidate URLs with a domain generation algorithm, so that at least some of them are online around the clock, which means a continuous cash flow for its perpetrators.
This file infector arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
Arrival Details
This file infector arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Autostart Technique
This file infector drops the following files:
- %Windows%\{random file name}.{random 3 letters} (at least nine such files)
(Note: %Windows% is the Windows folder, which is usually C:\Windows.)
Process Termination
This file infector terminates the following processes if found running in the affected system's memory:
- avp.exe
- avgnt.exe
- avguard.exe
- sched.exe
- avastui.exe
- ccsvchst.exe
- avgcsrvx.exe
- avgnsx.exe
- avgrsx.exe
- avgtray.exe
- avgwdsvc.exe
- egui.exe
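To kill the processes listed above, the infector must first open a handle to each of them with PROCESS_TERMINATE rights. That handle request is what endpoint telemetry can see, and one process asking for termination rights on several different security products in a row is a much stronger signal than the eventual termination itself. The following is an added example for this page, not Trend Micro's code: it assumes Sysmon-style Event ID 10 (ProcessAccess) records flattened into one constructed key=value line each (field names SourceImage, SourcePid, TargetImage, GrantedAccess follow Sysmon), and the function and sample names are this example's own.

```python
"""Flag processes that request PROCESS_TERMINATE on the listed AV processes.

Added example, not Trend Micro's code. Input is a constructed, simplified
key=value rendering of Sysmon Event ID 10 (ProcessAccess); real Sysmon
output is XML/EVTX and would need a proper reader. A single termination
request against one AV process can be benign (Task Manager, an uninstaller),
so the rule fires only when one source requests termination rights on two
or more distinct listed targets.
"""
import re
from collections import defaultdict

# Process names the page lists as termination targets.
AV_PROCESSES = {
    "avp.exe", "avgnt.exe", "avguard.exe", "sched.exe", "avastui.exe",
    "ccsvchst.exe", "avgcsrvx.exe", "avgnsx.exe", "avgrsx.exe",
    "avgtray.exe", "avgwdsvc.exe", "egui.exe",
}

PROCESS_TERMINATE = 0x0001  # Win32 process access right

# Constructed sample events (not real telemetry). The source in the first
# three lines mimics the dropped %Windows%\{random}.{3 letters} file.
SAMPLE_EVENTS = """\
EventID=10 SourceImage=C:\\Windows\\xkqpr.dat SourcePid=1460 TargetImage=C:\\Program Files\\AVG\\avgnsx.exe GrantedAccess=0x1
EventID=10 SourceImage=C:\\Windows\\xkqpr.dat SourcePid=1460 TargetImage=C:\\Program Files\\AVG\\avgrsx.exe GrantedAccess=0x1
EventID=10 SourceImage=C:\\Windows\\xkqpr.dat SourcePid=1460 TargetImage=C:\\Program Files\\AVG\\avgtray.exe GrantedAccess=0x1001
EventID=10 SourceImage=C:\\Windows\\System32\\taskmgr.exe SourcePid=2204 TargetImage=C:\\Program Files\\Kaspersky\\avp.exe GrantedAccess=0x1
EventID=10 SourceImage=C:\\Windows\\System32\\svchost.exe SourcePid=880 TargetImage=C:\\Program Files\\AVG\\avgnsx.exe GrantedAccess=0x1010
EventID=10 SourceImage=C:\\Windows\\System32\\lsass.exe SourcePid=600 TargetImage=C:\\Windows\\System32\\svchost.exe GrantedAccess=0x1
"""

# key=value pairs; values may contain spaces (e.g. "Program Files"), so a
# value runs until the next " Key=" token or end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    return dict(FIELD_RE.findall(line.strip()))


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_av_kill_attempts(log_text, min_targets=2):
    """Return {(source_image, source_pid): [target names]} for sources that
    requested PROCESS_TERMINATE on at least min_targets distinct AV processes."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("EventID") != "10":
            continue
        target = basename(ev.get("TargetImage", ""))
        if target not in AV_PROCESSES:
            continue
        granted = int(ev.get("GrantedAccess", "0"), 16)
        if granted & PROCESS_TERMINATE:
            hits[(ev["SourceImage"], ev["SourcePid"])].add(target)
    return {src: sorted(t) for src, t in hits.items() if len(t) >= min_targets}


if __name__ == "__main__":
    for (image, pid), targets in find_av_kill_attempts(SAMPLE_EVENTS).items():
        print(f"{image} (pid {pid}) requested PROCESS_TERMINATE on: {', '.join(targets)}")
```

With the constructed events only the dropped file in C:\Windows is reported: Task Manager touched a single AV process and svchost.exe asked for a different access mask. Lowering min_targets to 1 would also surface the Task Manager line, which is the usual tuning trade-off for this rule.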
Other Details
This file infector connects to the following URL(s) to check for an Internet connection:
- microsoft.com
It connects to the following possibly malicious URLs:
- {BLOCKED}.{BLOCKED}.162.208
- {BLOCKED}.{BLOCKED}.152.218
- {BLOCKED}.{BLOCKED}.71.249
- {BLOCKED}.{BLOCKED}.60.108
- {BLOCKED}.{BLOCKED}.123.153
- {BLOCKED}.{BLOCKED}.132.25
- {BLOCKED}.{BLOCKED}.183.224
- {BLOCKED}.{BLOCKED}.204.90
- {BLOCKED}iok.info
- {BLOCKED}c.com
- {BLOCKED}v.com
- {BLOCKED}tss.info
- {BLOCKED}ifhrf.net
- {BLOCKED}kowab.ru
- {BLOCKED}elertiong.com
- {BLOCKED}andraeffect.com
- {BLOCKED}xw.ru
- {BLOCKED}naf.ru
- {BLOCKED}ppsfm.org
- {BLOCKED}r.info
- {BLOCKED}bkxfn.biz
- {BLOCKED}hpte.com
- {BLOCKED}e.ru
- {BLOCKED}fbxrzn.com
- {BLOCKED}etobob.biz
- {BLOCKED}mullpy.info
- {BLOCKED}th.info
- {BLOCKED}medescriptor.com
- {BLOCKED}sncki.info
- {BLOCKED}hyjku.net
- {BLOCKED}mpyzh.net
- {BLOCKED}hez.com
- {BLOCKED}knddy.com
- {BLOCKED}vaweonearch.com
- {BLOCKED}qyhqtb.org
- {BLOCKED}gnfvhz.ru
- {BLOCKED}l.ru
- {BLOCKED}cut.biz
- {BLOCKED}pq.info
- {BLOCKED}eucnd.biz
- {BLOCKED}o.net
- {BLOCKED}ront.net
- {BLOCKED}rando.com
- {BLOCKED}minestar.org
- {BLOCKED}sysho.com
- {BLOCKED}niolosto.com
- {BLOCKED}usiceditior.com
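Most of the domains above come from the 197-entry list that XPAJ generates at run time, and the page does not publish the generation algorithm, so a defender cannot simply regenerate the list. What can be detected without the algorithm is the behaviour such a list produces on the resolver: a single client asking for many distinct registrable domains that do not exist (most DGA candidates are never registered, so they answer NXDOMAIN), and second-level labels that look machine-generated. The following is an added example for this page, not Trend Micro's code; it works over constructed, simplified resolver log lines in the form "<epoch> <client> <qname> <rcode>" (not real resolver output), and the function names and thresholds are this example's own.

```python
"""Two resolver-side signals for DGA activity of the kind XPAJ produces.

Added example, not Trend Micro's code and not XPAJ's DGA. Signal 1: a burst
of NXDOMAIN answers for many distinct registrable domains from one client.
Signal 2: second-level labels with long consonant runs or very few vowels.
Log lines are constructed in a simplified "<epoch> <client> <qname> <rcode>"
format; the domain names are made up and are not XPAJ's.
"""
import math
from collections import defaultdict

SAMPLE_DNS_LOG = """\
1300000000 10.1.2.15 www.microsoft.com NOERROR
1300000001 10.1.2.15 xkqzvbwt.org NXDOMAIN
1300000001 10.1.2.15 pmrdgfhs.com NXDOMAIN
1300000002 10.1.2.15 zvtkqnb.ru NXDOMAIN
1300000002 10.1.2.15 wbvkxsp.net NXDOMAIN
1300000003 10.1.2.15 tqhrkzl.biz NXDOMAIN
1300000003 10.1.2.15 rjvbpk.info NXDOMAIN
1300000004 10.1.2.15 mzwkdrt.ru NOERROR
1300000010 10.1.2.22 mail.example.com NOERROR
1300000011 10.1.2.22 cdn.example.net NOERROR
1300000012 10.1.2.22 typo-exampel.com NXDOMAIN
"""

VOWELS = set("aeiou")


def registrable(qname):
    """Crude eTLD+1 (last two labels). Fine for the constructed data; real
    deployments should use the Public Suffix List so co.uk etc. work."""
    labels = qname.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname.lower()


def longest_consonant_run(label):
    run = best = 0
    for ch in label:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def label_entropy(label):
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(domain):
    """Heuristic: does the second-level label look machine-generated?"""
    label = domain.lower().split(".")[0]
    if len(label) < 6:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return longest_consonant_run(label) >= 4 or (
        vowel_ratio < 0.25 and label_entropy(label) > 2.5
    )


def nxdomain_bursts(log_text, window=60, threshold=5):
    """Return {client: n} for clients with >= threshold distinct NXDOMAIN
    registrable domains inside any window of `window` seconds."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        if rcode == "NXDOMAIN":
            per_client[client].append((int(ts), registrable(qname)))
    flagged = {}
    for client, events in per_client.items():
        events.sort()
        best = 0
        for i, (t0, _) in enumerate(events):
            best = max(best, len({d for t, d in events[i:] if t - t0 <= window}))
        if best >= threshold:
            flagged[client] = best
    return flagged


def generated_lookups(log_text):
    """Return {client: [domains]} for every query whose name looks generated,
    regardless of rcode: the few registered DGA names are the live C&C ones."""
    out = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, client, qname, _ = line.split()
        dom = registrable(qname)
        if looks_generated(dom):
            out[client].add(dom)
    return {c: sorted(d) for c, d in out.items()}


if __name__ == "__main__":
    print("NXDOMAIN bursts:", nxdomain_bursts(SAMPLE_DNS_LOG))
    print("generated-looking names:", generated_lookups(SAMPLE_DNS_LOG))
```

The two signals are complementary: the NXDOMAIN burst identifies the infected client even when every name passes the randomness heuristic, while the name heuristic picks out the one registered domain (the NOERROR line above) that the client actually reached and that is worth blocking or sinkholing.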
NOTES:
This file infector infects files with the following extensions by inserting its code into them:
- .SCR
- .SYS
- .DLL
- .EXE
It infects the Master Boot Record of the affected system in order to perform the following routines:
- automatically load PE_XPAJ.C-O every time the system boots
- terminate several antivirus processes
- inject code into the browser to download encrypted files
It also generates 197 URLs to connect to via a domain generation algorithm (DGA).
The modified MBR is detected as BOOT_XPAJ.SM.
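An MBR infector has to keep the partition table intact (otherwise the disk stops booting) while replacing the boot code with its own loader, so a practical triage check is to parse the first sector, sanity-check the partition table and diff the 440-byte boot-code area against a known-clean copy of the same disk's MBR (from a backup or an image taken before infection). The following is an added example for this page, not Trend Micro's code and not a reproduction of BOOT_XPAJ.SM's bytes: both sectors are constructed for the demonstration and are not real Windows boot code, and the names build_mbr, parse_mbr, diff_boot_code and triage_mbr are this example's own.

```python
"""Triage a 512-byte MBR image for boot-code replacement.

Added example, not Trend Micro's code. Layout used: bytes 0..439 boot code,
440..443 disk signature, 444..445 reserved, 446..509 four 16-byte partition
entries, 510..511 the 0x55AA boot signature. The clean and infected sectors
below are constructed and contain no real boot code.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440
PART_TABLE_OFF = 446
BOOT_SIGNATURE = b"\x55\xaa"
PART_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(boot_code, partitions, disk_sig=0x1A2B3C4D):
    """Assemble a sector from boot code and (status, type, lba_start, sectors)
    tuples. Used only to construct the sample data."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(
        struct.pack(PART_FMT, st, b"\xff\xff\xfe", ty, b"\xff\xff\xfe", lba, n)
        for st, ty, lba, n in partitions
    ).ljust(64, b"\x00")
    return code + struct.pack("<I", disk_sig) + b"\x00\x00" + table + BOOT_SIGNATURE


def parse_mbr(sector):
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        st, _, ty, _, lba, n = struct.unpack(PART_FMT, sector[off:off + 16])
        if ty != 0:  # type 0 marks an unused entry
            parts.append({"index": i, "active": st == 0x80, "type": ty,
                          "lba_start": lba, "sectors": n})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "disk_signature": struct.unpack("<I", sector[440:444])[0],
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
        "active_count": sum(p["active"] for p in parts),
    }


def diff_boot_code(baseline, sector):
    """Return [(start, end)] byte ranges (end exclusive) where boot code differs."""
    ranges, start = [], None
    for i in range(BOOT_CODE_LEN):
        differ = baseline[i] != sector[i]
        if differ and start is None:
            start = i
        elif not differ and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, BOOT_CODE_LEN))
    return ranges


def triage_mbr(baseline, sector):
    """Return a list of findings; an empty list means nothing suspicious."""
    base, cur = parse_mbr(baseline), parse_mbr(sector)
    findings = []
    if not cur["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if cur["active_count"] != 1:
        findings.append(f"{cur['active_count']} active partitions (expected 1)")
    changed = diff_boot_code(baseline, sector)
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table differs from baseline")
    elif changed:
        findings.append(f"boot code modified at {changed} with partition table "
                        f"unchanged (bootkit pattern)")
    return findings


# Constructed sample: a short fake boot stub, one active NTFS-type partition.
CLEAN_CODE = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C, 0xFB]) + b"\x90" * 100
PARTS = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 41738240)]
CLEAN_MBR = build_mbr(CLEAN_CODE, PARTS)
# Infected variant: entry point overwritten with a jump and a block of
# attacker code placed further into the boot-code area; table untouched.
INFECTED_CODE = (bytes([0xEA, 0x20, 0x7C, 0x00, 0x00]) + CLEAN_CODE[5:32]
                 + b"\xcc" * 48 + CLEAN_CODE[80:])
INFECTED_MBR = build_mbr(INFECTED_CODE, PARTS)

if __name__ == "__main__":
    for f in triage_mbr(CLEAN_MBR, INFECTED_MBR):
        print("FINDING:", f)
```

On a live Windows host the current sector is the first 512 bytes of \\.\PhysicalDrive0, readable with a normal open() as an administrator; a bootkit that hooks disk I/O can lie to that read, so the baseline comparison is most trustworthy when the sector is taken from an offline image. Keeping the boot_code_sha256 of known-good MBRs per machine turns this into a cheap periodic integrity check.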