Win32/Xorer [Threat Name] go to Threat

Win32/Xorer.BU [Threat Variant Name]

Category virus
Size 102400 B
Aliases Virus.Win32.Xorer.bu (Kaspersky)
  Downloader (Symantec)
  W32/Fujacks (McAfee)
Short description

Win32/Xorer.BU is a file infector.


When executed, the virus drops one of the following files in the %system%\com\ folder:

  • netcfg.000 (45056 B)
  • netcfg.dll (45056 B)
  • lsass.exe (102400 B)
  • smss.exe (9525 B)

The following file is dropped into the %startup% folder:

  • ~.exe (102400 B)

The following Registry entries are removed:

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­ControlSet001\­Control\­SafeBoot\­Minimal\­{4D36E967-E325-11CE-BFC1-08002BE10318}]
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Control\­SafeBoot\­Minimal\­{4D36E967-E325-11CE-BFC1-08002BE10318}]
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­ControlSet001\­Control\­SafeBoot\­Network\­{4D36E967-E325-11CE-BFC1-08002BE10318}]
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Control\­SafeBoot\­Network\­{4D36E967-E325-11CE-BFC1-08002BE10318}]
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options]

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Explorer\­Advanced\­Folder\­SuperHidden]
    • "Type" = "radio"
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­Explorer]
    • "NoDriveTypeAutorun" = 91
Executable file infection

Win32/Xorer.BU is a prepending virus .

The virus searches for executables with one of the following extensions:

  • .exe

The size of the inserted code is 204808 B .

It infects the following files:

  • *htm
  • *tml
  • *.js

The virus inserts a/an JavaScript element with an URL link into the file.


The virus copies itself into the root folders of all drives using the following name:

  • pagefile.pif (102400 B)

The following file is dropped in the same folder:

  • autorun.inf

Thus, the virus ensures it is started each time infected media is inserted into the computer.

Other information

The virus can download a file from the Internet. The virus contains a list of (2) URLs. The HTTP protocol is used.

The virus terminates any program that creates a window containing any of the following strings in its name:

  • asm
  • ollydbg
  • ida
  • softice
  • tapplication
  • 360
  • ##vso##

The virus deletes files, that contain one of the following strings in their name:

  • 360

Please enable Javascript to ensure correct displaying of this content and refresh this page.