Internet threat level: 1
Home→Descriptions→Virus.Win32.Xpaj.gen
Virus.Win32.Xpaj.gen
| Detected | Aug 19 2011 10:33 GMT |
| Released | Jul 10 2012 10:34 GMT |
| Published | Aug 19 2011 10:33 GMT |
Payload
Removal instructions
Technical Details
This polymorphic file virus infects Windows executable files (PE). When infecting files the virus uses an entry point obscuring (EPO) technique. The virus body in the infected file varies from 160 to 180 KB.
Installation
When the infected file is launched, the virus saves files with arbitrary names based on computer parameters in a Windows folder. The files contain encrypted information about the virus.
Payload
The virus infects files stored in the folders:
- %system% (usually C:\Windows\system32\)
- %ProgramFiles% (usually C:\Program Files\)
- Files in shared folders
- Files on removable media, remote (network) disks and virtual disks (RAM), files prepared for the copying of CDs
- The following files that certain registry keys contain links to:
Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Software\Microsoft\Internet Explorer\Extensions Software\Microsoft\Internet Explorer\UrlSearchHooks Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approv Software\Classes\Directory\ShellEx\ContextMenuHandlers Software\Classes\Folder\ShellEx\ContextMenuHandlers SOFTWARE\Classes\Protocol\Filter SOFTWARE\Microsoft\Windows\CurrentVersion\Run SOFTWARE\Classes\Applications SOFTWARE\Clients\StartMenuInternet SOFTWARE\Microsoft\Multimedia SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
It attempts to connect to remote control servers indicated in the virus body. If server connections cannot be established, it attempts to connect to servers whose domain names are generated by the virus following a certain algorithm. The virus can download additional encrypted modules from the control server, which are then executed in the infected system.
Please note
Several variants of this virus are known to exist. This description was written for a version current in August 2011.
Removal instructions
If your computer does not have an up-to-date antivirus solution, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
- Delete the original infected file (the location will depend on how the program originally penetrated the victim machine).
- Perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
Viruses replicate on the resources of the local machine.
Unlike worms, viruses do not use network services to propagate or penetrate other computers. A copy of a virus will reach remote computers only if the infected object is, for some reason unrelated to the virus function, activated on another computer. For example:
- when infecting accessible disks, a virus penetrates a file located on a network resource
- a virus copies itself to a removable storage device or infects a file on a removable device
- a user sends an email with an infected attachment.
Virus.
- File was not downloaded for scan (ClamAV)
- BC.
W32. Xpaj (ClamAV) - Virus:
Win32/Xpaj. gen!C (MS(OneCare)) - File was not downloaded for scan (DrWeb)
- Win32.
Xpaj. 1 (DrWeb) - Win32.
XPaj. D. 1 (BitDef7) - Win32.
Xpaj. Gen (VirusBuster) - Virus.
Win32. Xpaj (Ikarus) - Win32/Xpaj (AVG)
- W32/XPaj.
C (AVIRA) - XPaj.
B/C/D!gs (Norman) - Win32.
XPaj. D. 1 [Aquarius] (FSecure) - PE_XPAJ.
A (TrendMicro) - Virus.
Win32. Xpaj. A (v) (Sunbelt) - Win32.
Xpaj. Gen (VirusBusterBeta) - W32/Xpaj.
fam (Fortinet) - Win32.
XPaj. D. 1 (GData)
© 1997-2013 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.
The authors' opinions do not necessarily reflect the official positions of Kaspersky Lab.