PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)


  • Threat Type: File infector

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel: Infects files, Dropped by other malware, Downloaded from the Internet

The XPAJ family of file infectors has been known since 2009. Its main purpose is to redirect infected users' browsing to click-fraud sites, generating profit for its makers. It has since gained the capability to spread via mapped drives or shared folders, greatly increasing its infection rate.

Some XPAJ file infectors infect the Master Boot Record (MBR) of an infected computer. This capability enables XPAJ to start even before the operating system loads as the infected computer starts up.

To ensure that its servers are online, XPAJ generates 197 URLs to achieve 24/7 uptime, which means continuous cash flow for its perpetrators.

This file infector arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

Memory Resident: Yes
Payload: Click fraud

Arrival Details

This file infector arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Autostart Technique

This file infector drops the following files:

  • %Windows%\{random file name}.{random 3 letters} - minimum of 9 files

(Note: %Windows% is the Windows folder, which is usually C:\Windows.)

Process Termination

This file infector terminates the following processes if found running in the affected system's memory:

  • avp.exe
  • avgnt.exe
  • avguard.exe
  • sched.exe
  • avastui.exe
  • ccsvchst.exe
  • avgcsrvx.exe
  • avgnsx.exe
  • avgrsx.exe
  • avgtray.exe
  • avgwdsvc.exe
  • egui.exe
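As an added detection example (not part of the original advisory), the following script flags a process that requests terminate rights on several of the security processes listed above. It assumes a constructed, pipe-delimited log format modelled on Sysmon Event ID 10 (ProcessAccess: SourceImage, TargetImage, GrantedAccess); the sample events and the threshold of three distinct targets are assumptions, not values from the page.

```python
from collections import defaultdict

# Process names the advisory lists as terminated by this file infector.
XPAJ_TARGET_PROCESSES = {
    "avp.exe", "avgnt.exe", "avguard.exe", "sched.exe", "avastui.exe",
    "ccsvchst.exe", "avgcsrvx.exe", "avgnsx.exe", "avgrsx.exe",
    "avgtray.exe", "avgwdsvc.exe", "egui.exe",
}

PROCESS_TERMINATE = 0x0001  # access-right bit from winnt.h


def parse_line(line):
    """Parse 'time|SourceImage|TargetImage|GrantedAccess' (assumed format).
    Returns (source, target, access) or None for an unparsable line."""
    parts = line.strip().split("|")
    if len(parts) != 4:
        return None
    _ts, source, target, access = parts
    try:
        access = int(access, 16)
    except ValueError:
        return None
    return source.lower(), target.lower(), access


def find_av_killers(lines, min_targets=3):
    """Return {source: sorted target names} for every source image that
    requested PROCESS_TERMINATE on at least min_targets distinct listed
    security processes. A single hit is ignored so that a user ending one
    process from Task Manager does not trigger the rule."""
    hits = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        source, target, access = parsed
        name = target.rsplit("\\", 1)[-1]  # strip the directory part
        if name in XPAJ_TARGET_PROCESSES and access & PROCESS_TERMINATE:
            hits[source].add(name)
    return {s: sorted(t) for s, t in hits.items() if len(t) >= min_targets}


# Constructed sample events, not real telemetry.
SAMPLE_LINES = [
    "10:00:01|C:\\Windows\\xqzt.abc|C:\\Program Files\\AV\\avp.exe|0x1",
    "10:00:01|C:\\Windows\\xqzt.abc|C:\\Program Files\\AV\\avgnt.exe|0x1001",
    "10:00:02|C:\\Windows\\xqzt.abc|C:\\Program Files\\AV\\egui.exe|0x1",
    "10:00:03|C:\\Windows\\explorer.exe|C:\\Program Files\\AV\\avgtray.exe|0x1000",
    "10:00:04|C:\\Windows\\System32\\taskmgr.exe|C:\\Program Files\\AV\\egui.exe|0x1",
    "garbage line",
]

if __name__ == "__main__":
    for source, targets in find_av_killers(SAMPLE_LINES).items():
        print(f"{source} -> {', '.join(targets)}")
```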

Other Details

This file infector connects to the following URL(s) to check for an Internet connection:

  • microsoft.com

It also connects to a number of possibly malicious IP addresses and domains.

NOTES:

This file infector infects files with the following file extensions by inserting code in the said files:

  • .SCR
  • .SYS
  • .DLL
  • .EXE

It infects the Master Boot Record of the affected system in order to perform the following routines:

  • automatically loads PE_XPAJ.C-O every time the system boots
  • terminates several AV processes
  • injects code into browsers to download encrypted files

It also generates 197 URLs to connect to using a domain generation algorithm (DGA).

The modified MBR is detected as BOOT_XPAJ.SM.