Win32.Xorer

( Virus.Win32.Xorer, Virus:Win32/Xorer, Win32.HLLP.Rox, W32/Xorer, W32.Pagipef, TROJ_PAGIPEF, TR/Xorer )
Spreading: medium
Damage: medium
Size: ~ 100 kB
Discovered: 2008 May 23

SYMPTOMS:

Presence of specified processes, files and registry keys.

TECHNICAL DESCRIPTION:

Win32.Xorer is a worm that spreads through removable drives or shared network drives.

When executed:

- it creates the following files:
  • %root%\NetApi000.sys - detected as Rootkit.Xorer.A
  • %root%\autorun.inf - detected as Trojan.Harning.WA
  • %root%\pagefile.pif
  • %root%\[random-nr].log
  • %system%\[random-nr].log
  • %system%\dnsq.dll
  • %system%\Com\lsass.exe
  • %system%\Com\netcfg.000
  • %system%\Com\netcfg.dll
  • %system%\Com\smss.exe
All of these are detected as a variant of Win32.Xorer

- it starts the following processes:
  • %system%\Com\lsass.exe
  • %system%\Com\smss.exe
- deletes the following registry keys: (in order to prevent start-up programs and safe-boot from running properly)
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
- adds the following registry entries:

HKLM\SYSTEM\CurrentControlSet\Services\NetApi000 (registered by %root%\NetApi000.sys)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
"ShowSuperHidden" = "0"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
"Type" = "radio"

- checks internet connection, executing:

ping.exe -f -n 1 www.baidu.com

- quits all processes which have windows containg the following strings by sending TerminateProcess() to the processes or VM_QUERYENDSESSION, WM_ENDSESSION, WM_DESTROY messages to the processes' window.
  • 360anti
  • 360safe
  • afx:
  • AfxControlBar42s
  • antivir
  • arp
  • avast
  • avg
  • bitdefender
  • cabinetwclass
  • dr.web
  • escan
  • eset
  • ewido
  • facelesswndproc
  • firewall
  • ieframe
  • kv
  • mcafee
  • mcagent
  • metapad
  • monitor
  • mozillauiwindowclass
  • SREng
  • tapplication
  • thunderrt6formdc
  • thunderrt6main
  • ThunderRT6Timer
- writes on every removable drive or network share the following files, in order to spread itself:

%root%\autorun.inf
%root%\pagefile.pif

The file %system%\dnsq.dll, injected in all processes that have user32.dll imports, hooks the following API's:
OpenProcess, CloseHandle, EnumProcessModules, in order to prevent suspending or killing any of the virus' processes and, thus, to make it difficult to remove.

Removal instructions:

Please let BitDefender disinfect your files.

ANALYZED BY:

Dan Anton, virus researcher