Win32/Xorer [Threat Name] go to Threat

Win32/Xorer.BU [Threat Variant Name]

Win32/Xorer.BU is a file infector.

When executed, the virus drops one of the following files in the %system%\com\ folder:

The following file is dropped into the %startup% folder:

The following Registry entries are removed:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

The following Registry entries are set:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
- "Type" = "radio"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
- "NoDriveTypeAutorun" = 91

Win32/Xorer.BU is a prepending virus .

The virus searches for executables with one of the following extensions:

The size of the inserted code is 204808 B .

It infects the following files:

The virus inserts a/an JavaScript element with an URL link into the file.

The virus copies itself into the root folders of all drives using the following name:

The following file is dropped in the same folder:

Thus, the virus ensures it is started each time infected media is inserted into the computer.

The virus can download a file from the Internet. The virus contains a list of (2) URLs. The HTTP protocol is used.

The virus terminates any program that creates a window containing any of the following strings in its name:

The virus deletes files, that contain one of the following strings in their name: