Win32/Xorer [Threat Name]
Win32/Xorer.BU [Threat Variant Name]
Category | virus
Size | 102400 B
Aliases | Virus.Win32.Xorer.bu (Kaspersky), Downloader (Symantec), W32/Fujacks (McAfee)
Short description
Win32/Xorer.BU is a file infector.
Installation
When executed, the virus drops one of the following files in the %system%\com\ folder:
- netcfg.000 (45056 B)
- netcfg.dll (45056 B)
- lsass.exe (102400 B)
- smss.exe (9525 B)
The following file is dropped into the %startup% folder:
- ~.exe (102400 B)
The following Registry entries are removed:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
Note: {4D36E967-E325-11CE-BFC1-08002BE10318} is the DiskDrive device class. With its entries deleted from SafeBoot\Minimal and SafeBoot\Network the system can no longer start in Safe Mode, so these keys must be restored before a safe-mode cleanup is attempted. Deleting the whole Run key also removes every legitimate auto-start entry stored there.
The following Registry entries are set:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
- "Type" = "radio"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
- "NoDriveTypeAutorun" = 91
Executable file infection
Win32/Xorer.BU is a prepending virus.
The virus searches for executables with one of the following extensions:
- .exe
The size of the inserted code is 204808 B.
It infects the following files:
- *htm
- *tml
- *.js
The virus inserts a JavaScript element with a URL link into the file.
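A prepending infector of fixed size leaves the original program intact behind the viral code, so an infected file can be recognised by a second PE image starting exactly at the inserted-code offset. The script below is an added example, not ESET's disinfection routine: it uses the 204808 B figure from this page, assumes the host executable is stored unmodified after the viral code (the page does not say whether Xorer encrypts or compresses it; such a host would not be found), and builds its own constructed sample instead of real Xorer or host code.

```python
"""Carve the original host out of a file infected by a prepending virus.
Added example, not ESET's disinfection routine.  Uses the inserted-code
size this page gives for Win32/Xorer.BU (204808 B) and assumes the host
executable is stored unmodified after the viral code (assumption: the page
does not state it); an encrypted or compressed host will not be found."""
import struct
import sys

INSERTED_CODE_SIZE = 204808  # from the page: bytes prepended to the host


def is_pe_image(data: bytes) -> bool:
    """True if data begins with an MZ header whose e_lfanew reaches a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return 0x40 <= e_lfanew <= len(data) - 4 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def find_prepended_host(data: bytes, inserted_size: int = INSERTED_CODE_SIZE):
    """Return (offset, host_bytes) when a second PE image starts exactly at
    inserted_size, else None.  The file itself must also be a PE image: the
    prepended viral code runs first and then hands over to the host."""
    if len(data) <= inserted_size or not is_pe_image(data):
        return None
    tail = data[inserted_size:]
    return (inserted_size, tail) if is_pe_image(tail) else None


def carve_host(infected_path: str, out_path: str,
               inserted_size: int = INSERTED_CODE_SIZE) -> bool:
    """Write the recovered host to out_path; False if no prepended host was found."""
    with open(infected_path, "rb") as f:
        data = f.read()
    hit = find_prepended_host(data, inserted_size)
    if hit is None:
        return False
    with open(out_path, "wb") as f:
        f.write(hit[1])
    return True


# --- constructed sample data (not real Xorer or host code) -------------------
def build_min_pe(payload: bytes) -> bytes:
    """Smallest byte string is_pe_image() accepts: DOS header, e_lfanew=0x40, 'PE\\0\\0'."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # exactly 0x40 bytes
    return dos + b"PE\0\0" + payload


def build_sample_infected(host: bytes, inserted_size: int = INSERTED_CODE_SIZE) -> bytes:
    """Mimic a prepending infection: a dummy PE stub padded to inserted_size, then the host."""
    stub = build_min_pe(b"constructed viral stub placeholder").ljust(inserted_size, b"\x90")
    return stub + host


if __name__ == "__main__":
    if len(sys.argv) == 3:
        print("host carved" if carve_host(sys.argv[1], sys.argv[2]) else "no prepended host found")
    else:
        host = build_min_pe(b"constructed host program")
        offset, carved = find_prepended_host(build_sample_infected(host))
        print(f"host found at {offset}, {len(carved)} bytes, intact: {carved == host}")
```

Because the stub has a fixed length, every infected .exe also grows by exactly 204808 B against a known-good file inventory, which is a cheap first pass before parsing headers. Run `python carve.py infected.exe recovered.exe` on a real sample and verify the carved file against a clean copy or its vendor hash before trusting it.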
Spreading
The virus copies itself into the root folders of all drives using the following name:
- pagefile.pif (102400 B)
The following file is dropped in the same folder:
- autorun.inf
Thus, the virus ensures it is started each time infected media is inserted into the computer.
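The drive-root copy only runs if autorun.inf is still honoured for that drive type, which is why the NoDriveTypeAutorun policy value set during installation matters here. The script below is an added example, not ESET's scanner, covering both the registry value above and the spreading mechanism: it decodes NoDriveTypeAutorun bit by bit, parses an autorun.inf for the executables it launches, and flags drive roots that hold the pagefile.pif/autorun.inf pair. The sample autorun.inf is constructed (the page says only that the file is dropped next to pagefile.pif), and `scan_live_drives()` assumes it runs on a Windows host with `winreg` available.

```python
"""Spreading checks for the Win32/Xorer.BU indicators on this page.
Added example, not ESET's tool.  The sample autorun.inf below is constructed;
the page does not give its contents.  scan_live_drives() assumes Windows."""
import os
import string

PAGEFILE_PIF_SIZE = 102400  # from the page

# NoDriveTypeAutorun: bit n set => AutoRun disabled for GetDriveType() value n.
# Bits above 0x40 do not map to a drive type and are ignored here.
DRIVE_TYPE_BITS = {
    0x01: "unknown", 0x02: "no_root_dir", 0x04: "removable", 0x08: "fixed",
    0x10: "remote", 0x20: "cdrom", 0x40: "ramdisk",
}


def autorun_disabled_for(value: int) -> set:
    """Drive types whose autorun.inf processing this policy value disables."""
    return {name for bit, name in DRIVE_TYPE_BITS.items() if value & bit}


def removable_autorun_enabled(value: int) -> bool:
    """True when the value still lets autorun.inf run from removable media."""
    return "removable" not in autorun_disabled_for(value)


def parse_autorun_inf(text: str) -> list:
    """Targets named in the [autorun] section: open=, shellexecute= and
    shell\\<verb>\\command= entries, with arguments and quotes stripped."""
    targets, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line.lower() == "[autorun]"
            continue
        if in_autorun and "=" in line:
            key, _, val = line.partition("=")
            key, val = key.strip().lower(), val.strip()
            if val and (key in ("open", "shellexecute") or key.endswith("\\command")):
                targets.append(val.split()[0].strip('"'))
    return targets


def check_drive_root(listing: dict, autorun_text: str) -> list:
    """Findings for one drive root.  listing maps lower-case file name -> size."""
    findings = []
    if "pagefile.pif" in listing:
        size = listing["pagefile.pif"]
        note = "" if size == PAGEFILE_PIF_SIZE else f" (size {size}, page lists {PAGEFILE_PIF_SIZE})"
        findings.append("pagefile.pif present" + note)
        targets = [t.lower().lstrip(".\\") for t in parse_autorun_inf(autorun_text)]
        if any(t.endswith("pagefile.pif") for t in targets):
            findings.append("autorun.inf launches pagefile.pif")
    return findings


def scan_live_drives() -> dict:
    """On a Windows host (assumed): findings per drive root, plus the
    NoDriveTypeAutorun policy value for the current user if it is set."""
    import winreg
    results = {}
    for letter in string.ascii_uppercase:
        root = letter + ":\\"
        if not os.path.isdir(root):
            continue
        listing = {n.lower(): os.path.getsize(os.path.join(root, n))
                   for n in os.listdir(root) if os.path.isfile(os.path.join(root, n))}
        text = ""
        if "autorun.inf" in listing:
            with open(os.path.join(root, "autorun.inf"), errors="replace") as f:
                text = f.read()
        hits = check_drive_root(listing, text)
        if hits:
            results[root] = hits
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                            r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer") as k:
            value = int(winreg.QueryValueEx(k, "NoDriveTypeAutorun")[0])
        state = "enabled" if removable_autorun_enabled(value) else "disabled"
        results["NoDriveTypeAutorun"] = f"0x{value:02X}: removable-drive AutoRun {state}"
    except (OSError, ValueError):
        pass
    return results


# Constructed sample: an autorun.inf that launches the dropped copy.
SAMPLE_AUTORUN_INF = """[autorun]
open=pagefile.pif
shellexecute=pagefile.pif
shell\\open\\Command=pagefile.pif
"""
SAMPLE_LISTING = {"pagefile.pif": 102400, "autorun.inf": 95}

if __name__ == "__main__":
    print(check_drive_root(SAMPLE_LISTING, SAMPLE_AUTORUN_INF))
    for v in (0x91, 91, 0x95, 0xFF):
        print(f"0x{v:02X}: removable AutoRun "
              f"{'enabled' if removable_autorun_enabled(v) else 'disabled'}")
```

The page prints the value as 91 without saying whether it is hexadecimal; under either reading (0x91, or decimal 91 = 0x5B) bit 0x04 is clear, so autorun.inf keeps running from removable media, which is what the pagefile.pif copy needs. 0xFF disables it for every drive type and is the setting to confirm on cleaned hosts.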
Other information
The virus can download a file from the Internet. The virus contains a list of (2) URLs. The HTTP protocol is used.
The virus terminates any program that creates a window containing any of the following strings in its name:
- asm
- ollydbg
- ida
- softice
- tapplication
- 360
- ##vso##
The virus deletes files that contain one of the following strings in their name:
- 360