(Virus.Win32.Xorer, Virus:Win32/Xorer, Win32.HLLP.Rox, W32/Xorer, W32.Pagipef, TROJ_PAGIPEF, TR/Xorer)
Symptoms
Presence of specified processes, files and registry keys.
Removal instructions:
Please let BitDefender disinfect your files.
Analyzed By
Dan Anton, virus researcher
Technical Description:
Win32.Xorer is a worm that spreads through removable drives or shared network drives.
When executed:
- it creates the following files:
- %root%\NetApi000.sys - detected as Rootkit.Xorer.A
- %root%\autorun.inf - detected as Trojan.Harning.WA
- %root%\pagefile.pif
- %root%\[random-nr].log
- %system%\[random-nr].log
- %system%\dnsq.dll
- %system%\Com\lsass.exe
- %system%\Com\netcfg.000
- %system%\Com\netcfg.dll
- %system%\Com\smss.exe
All of these are detected as a variant of Win32.Xorer
- it starts the following processes:
- %system%\Com\lsass.exe
- %system%\Com\smss.exe
- deletes the following registry keys (so that start-up programs and Safe Mode no longer work properly):
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
- HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
- adds the following registry entries:
- HKLM\SYSTEM\CurrentControlSet\Services\NetApi000 (the service registered for %root%\NetApi000.sys)
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "0" (hides operating-system-protected files in Explorer)
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\"Type" = "radio"
- checks the internet connection by executing:
ping.exe -f -n 1 www.baidu.com
- quits all processes that own windows whose title or class contains one of the following strings, either by calling TerminateProcess() on the process or by sending WM_QUERYENDSESSION, WM_ENDSESSION or WM_DESTROY messages to the process's window:
- 360anti
- 360safe
- afx:
- AfxControlBar42s
- antivir
- arp
- avast
- avg
- bitdefender
- cabinetwclass
- dr.web
- escan
- eset
- ewido
- facelesswndproc
- firewall
- ieframe
- kv
- mcafee
- mcagent
- metapad
- monitor
- mozillauiwindowclass
- SREng
- tapplication
- thunderrt6formdc
- thunderrt6main
- ThunderRT6Timer
- writes the following files to every removable drive or network share, in order to spread itself:
- %root%\autorun.inf
- %root%\pagefile.pif
The file %system%\dnsq.dll, injected into all processes that import user32.dll, hooks the following APIs: OpenProcess, CloseHandle and EnumProcessModules. This prevents the worm's processes from being suspended or killed and thus makes it difficult to remove.
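Added example (not BitDefender's tooling and not part of the original description): a Python indicator matcher that checks a host snapshot against the files, processes and registry changes listed above, including the keys the worm deletes, whose absence is itself a finding. The snapshot format, the expansion of %root% to C:\ and %system% to C:\Windows\System32\, and the assumption that [random-nr] is a run of digits are this example's own choices; the infected and clean snapshots are constructed sample data, not real captures. A collector script (PowerShell on the host, or a sandbox report) would supply the snapshot in practice.

```python
import re
from typing import Dict, List

# Placeholder expansions assumed for this example; adjust to the host layout.
ROOT = "C:\\"
SYSTEM = "C:\\Windows\\System32\\"


def expand(path: str) -> str:
    """Replace the %root% / %system% placeholders used in the description."""
    return path.replace("%root%\\", ROOT).replace("%system%\\", SYSTEM)


# Dropped files listed in the description. [random-nr].log cannot be listed
# literally, so it is matched by a regex (digits are assumed for "random-nr").
FILE_IOCS = [expand(p) for p in (
    "%root%\\NetApi000.sys", "%root%\\autorun.inf", "%root%\\pagefile.pif",
    "%system%\\dnsq.dll", "%system%\\Com\\lsass.exe", "%system%\\Com\\netcfg.000",
    "%system%\\Com\\netcfg.dll", "%system%\\Com\\smss.exe",
)]
RANDOM_LOG = re.compile(
    "^(" + re.escape(ROOT) + "|" + re.escape(SYSTEM) + r")\d+\.log$", re.IGNORECASE)

# The genuine lsass.exe / smss.exe live directly in %system%; copies under
# %system%\Com belong to the worm, so processes are matched on the full path.
PROCESS_IOCS = [expand("%system%\\Com\\lsass.exe"), expand("%system%\\Com\\smss.exe")]

# Keys the worm deletes: their absence on a Windows host is a finding.
DELETED_KEYS = [
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
    "HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\{4D36E967-E325-11CE-BFC1-08002BE10318}",
    "HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\{4D36E967-E325-11CE-BFC1-08002BE10318}",
]
SERVICE_KEY = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\NetApi000"
SUPERHIDDEN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
SUPERHIDDEN_TYPE_KEY = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Folder\\SuperHidden"


def scan(snapshot: Dict) -> List[str]:
    """Return the Xorer indicators present in a host snapshot.

    snapshot = {"files": [paths], "processes": [image paths],
                "registry": {key: {value_name: data}}}
    The registry part must be a complete enumeration of the keys checked
    here, otherwise "missing key" findings are meaningless.
    """
    findings: List[str] = []
    files = {f.lower() for f in snapshot.get("files", [])}
    for ioc in FILE_IOCS:
        if ioc.lower() in files:
            findings.append("file: " + ioc)
    for f in snapshot.get("files", []):
        if RANDOM_LOG.match(f):
            findings.append("file (random-numbered log): " + f)

    procs = {p.lower() for p in snapshot.get("processes", [])}
    for ioc in PROCESS_IOCS:
        if ioc.lower() in procs:
            findings.append("process: " + ioc)

    # Case-insensitive view of the registry part of the snapshot.
    reg = {k.lower(): {n.lower(): v for n, v in vals.items()}
           for k, vals in snapshot.get("registry", {}).items()}
    for key in DELETED_KEYS:
        if key.lower() not in reg:
            findings.append("registry key missing (deleted by worm): " + key)
    if SERVICE_KEY.lower() in reg:
        image = reg[SERVICE_KEY.lower()].get("imagepath", "<unknown>")
        findings.append("service NetApi000 registered, ImagePath=" + str(image))
    # ShowSuperHidden=0 is also the usual default, so on its own it only corroborates.
    if reg.get(SUPERHIDDEN_KEY.lower(), {}).get("showsuperhidden") == "0":
        findings.append("weak: ShowSuperHidden=0 (OS-protected files hidden)")
    if reg.get(SUPERHIDDEN_TYPE_KEY.lower(), {}).get("type") == "radio":
        findings.append("SuperHidden Type=radio (Explorer folder option tampered)")
    return findings


# Constructed snapshot of an infected host (sample data, not a real capture).
INFECTED = {
    "files": [
        "C:\\NetApi000.sys", "C:\\autorun.inf", "C:\\pagefile.pif", "C:\\48213.log",
        "C:\\Windows\\System32\\dnsq.dll", "C:\\Windows\\System32\\Com\\lsass.exe",
        "C:\\Windows\\System32\\Com\\smss.exe", "C:\\Windows\\System32\\lsass.exe",
    ],
    "processes": ["C:\\Windows\\System32\\lsass.exe",
                  "C:\\Windows\\System32\\Com\\lsass.exe",
                  "C:\\Windows\\System32\\Com\\smss.exe"],
    "registry": {
        SERVICE_KEY: {"ImagePath": "\\??\\C:\\NetApi000.sys"},
        SUPERHIDDEN_KEY: {"ShowSuperHidden": "0"},
        SUPERHIDDEN_TYPE_KEY: {"Type": "radio"},
    },
}

# Constructed snapshot of a clean host: the Run and SafeBoot keys exist and
# only the weak ShowSuperHidden default is present.
CLEAN = {
    "files": ["C:\\pagefile.sys", "C:\\Windows\\System32\\lsass.exe"],
    "processes": ["C:\\Windows\\System32\\lsass.exe"],
    "registry": {**{k: {} for k in DELETED_KEYS},
                 SUPERHIDDEN_KEY: {"ShowSuperHidden": "0"},
                 SUPERHIDDEN_TYPE_KEY: {"Type": "checkbox"}},
}

if __name__ == "__main__":
    for name, snap in (("infected", INFECTED), ("clean", CLEAN)):
        print(name, "->", scan(snap) or ["no indicators"])
```

Matching processes on the full image path rather than the file name matters here: the worm deliberately reuses the names lsass.exe and smss.exe, so a name-only rule would flag every Windows host. The weak ShowSuperHidden finding is reported separately for the same reason: it shows up on the clean snapshot too.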