
Win32.Xorer.EK

VERY LOW
LOW
32 KB

Symptoms

- Unusual computer behavior (slowdowns, Internet Explorer windows redirected to or opened on advertising sites)
- Executable files grow in size by approximately 64 KB
- Presence of the file "~.pif" inside Documents and Settings\[user-name]\Start Menu\Programs\Startup
- Presence of an autorun.inf file in the root directory of every drive, pointing to a hidden file named "pagefile.pif" in the same root

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Lutas Andrei Vlad, virus researcher

Technical Description:

This is a prepender virus: rather than patching the host program and appending its own code and data to it, the virus places its own body first and stores the entire host executable in its overlay. It also "steals" the host's icon, so to the user there is no visible difference between the original and the infected file.
When an infected file is first executed, the virus runs the host by dropping the original executable as a hidden file named [original-file-name].~tmp and executing it. After the host exits, the virus tries to copy itself to:
%system%\drivers\lsass.exe. If the copy succeeds, it executes the fresh copy and continues execution there. If it fails to create the copy, it assumes the system is already infected and that a copy is already active in memory.

When the new copy is executed, it creates 4 internal timers (callbacks that run each time a fixed interval elapses):
o Timer 1, which fires every second (1000 ms), constantly checks for the file documents and settings\[user-name]\Start Menu\Programs\Startup\~.pif (a copy of the virus). If the file is missing, either because it has not been created yet or because it was deleted, the timer simply re-creates it. It also enumerates all drives and infects each one by writing a new copy of itself to the drive root as "pagefile.pif" together with an autorun.inf that points to it. Finally, this timer runs the infection routine (described in more detail below).
o Timer 2, which fires every 15 seconds, looks for a window whose class name is "IEFrame" (the main window of Internet Explorer); if it finds one, it redirects it to various advertising or malicious sites.
o Timer 3 (every two and a half hours) does the same as Timer 2, but in addition it starts a new instance of Internet Explorer and redirects it to the same advertising/malicious sites.
o Timer 4 (every minute) does the same as Timer 3.
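Timer 1's persistence and spreading artifacts (the Startup copy, the drive-root copy with its autorun.inf, and the resident copy under %system%\drivers) can all be checked for on the filesystem. The script below is an added example written for this page; it is not Bitdefender's tool and not the malware's code. It builds a constructed directory tree with empty placeholder files in place of the artifacts, scans it, and scans it again after the artifacts are removed. The autorun.inf keys it parses (open, shellexecute, shell\<verb>\command) are the standard AutoRun launch keys, and the legitimate lsass.exe lives in %system% itself, so a file at %system%\drivers\lsass.exe is the indicator. The directory names used by demo() are constructed stand-ins for the real Windows paths.

```python
import os
import tempfile
from pathlib import Path

# Artifact names taken from the description above.
STARTUP_COPY = "~.pif"                          # dropped into ...\Start Menu\Programs\Startup
ROOT_COPY = "pagefile.pif"                      # dropped into every drive root next to autorun.inf
RESIDENT_COPY = Path("drivers") / "lsass.exe"   # relative to %system%; the real lsass.exe is in %system% itself


def autorun_targets(text: str) -> list[str]:
    """File names an autorun.inf launches: open=, shellexecute= and shell\\<verb>\\command=
    keys in the [autorun] section, reduced to a lower-case base name."""
    targets = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line.lower() == "[autorun]"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            if value.startswith('"'):                 # quoted path, possibly followed by arguments
                exe = value[1:].split('"', 1)[0]
            else:
                exe = value.split()[0] if value else ""
            targets.append(os.path.basename(exe.replace("\\", "/")).lower())
    return targets


def scan(drive_roots, startup_dirs, system_dir) -> list[str]:
    """Return one line per Xorer artifact present; an empty list means none were found."""
    findings = []
    for root in map(Path, drive_roots):
        dropper = root / ROOT_COPY
        if dropper.is_file():
            findings.append(f"dropper: {dropper}")
        inf = root / "autorun.inf"
        if inf.is_file() and ROOT_COPY in autorun_targets(inf.read_text(errors="replace")):
            findings.append(f"autorun.inf launching {ROOT_COPY}: {inf}")
    for startup in map(Path, startup_dirs):
        copy = startup / STARTUP_COPY
        if copy.is_file():
            findings.append(f"startup copy: {copy}")
    resident = Path(system_dir) / RESIDENT_COPY
    if resident.is_file():
        findings.append(f"resident copy: {resident}")
    return findings


def demo() -> tuple[list[str], list[str]]:
    """Constructed layout with the four artifacts as empty placeholder files (no malware involved):
    scan it, remove the artifacts, scan again."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        root = base / "drive_c"                                   # stands in for C:\
        startup = base / "profile" / "Start Menu" / "Programs" / "Startup"
        system = base / "windows" / "system32"                    # stands in for %system%
        for d in (root, startup, system / "drivers"):
            d.mkdir(parents=True)
        (root / ROOT_COPY).write_bytes(b"")
        (root / "autorun.inf").write_text("[autorun]\nopen=pagefile.pif\nshell\\open\\Command=pagefile.pif\n")
        (startup / STARTUP_COPY).write_bytes(b"")
        (system / RESIDENT_COPY).write_bytes(b"")
        infected = scan([root], [startup], system)
        for p in (root / ROOT_COPY, root / "autorun.inf", startup / STARTUP_COPY, system / RESIDENT_COPY):
            p.unlink()
        clean = scan([root], [startup], system)
    return infected, clean


if __name__ == "__main__":
    found, none_left = demo()
    print("\n".join(found) or "no artifacts")
    print("after cleanup:", none_left)
```

On a live Windows host, pass the real drive roots, the user's Startup folder and %SystemRoot%\System32 to scan(). The check is intentionally name-based: it does not verify the hidden attribute, the [original-file-name].~tmp drop, or the [original-name].p backups the infection routine leaves, and because Timer 1 re-creates ~.pif every second, a finding only disappears for good once the resident copy is no longer running.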

Infection technique
As already mentioned, this is a prepender: it appends the host to a copy of itself. The virus searches every fixed drive for .exe files. For each one it finds, it first makes a copy of the file as [original-name].p. It then writes the viral body over the original file, copies the original program's icon into the viral resource section, writes 8 bytes into the overlay (including the size of the host), and finally appends the host program followed by another copy of itself. Once infection is complete, the only visible difference between the infected file and the original is its size (about 64 KB larger).
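The layout just described, as an added example written for this page (not Bitdefender's disinfection code and not the virus): a model of the prepender layout next to the carve step a disinfector performs to recover the host. The description says only that the 8 overlay bytes include the host size, so the example assumes a little-endian u32 size followed by a 4-byte marker whose value is hypothetical; the PE blobs are constructed header-only stand-ins with one section, not runnable executables; and the icon-resource copy the virus also performs is left out. The overlay is located the way a disinfector would do it, by walking the section table of the viral body at the front of the file and taking the end of the last section's raw data.

```python
import struct

# Assumed encoding of the 8 overlay bytes: u32 LE host size + 4-byte marker (marker value is hypothetical).
TRAILER_MARKER = b"XORR"
TRAILER_LEN = 8


def build_stub_pe(payload: bytes) -> bytes:
    """Constructed PE-shaped blob: DOS header, PE signature, COFF header, one section, its data.
    It is not a runnable executable; it only carries the headers overlay_offset() needs."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)        # 64 bytes
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0 here), Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)
    raw_ptr = e_lfanew + 4 + 20 + 40                                          # data follows the section table
    # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
    # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
    section = b".text".ljust(8, b"\x00") + struct.pack(
        "<IIIIIIHHI", len(payload), 0x1000, len(payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\x00\x00" + coff + section + payload


def overlay_offset(pe: bytes) -> int:
    """Offset at which the overlay starts: the end of the last section's raw data."""
    if pe[:2] != b"MZ" or len(pe) < 0x40:
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if e_lfanew + 24 > len(pe) or pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_opt
    end = table + 40 * num_sections                  # overlay cannot begin before the section table ends
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def model_infect(virus: bytes, host: bytes) -> bytes:
    """Lay out an infected file as the description states: viral body, 8 overlay bytes carrying
    the host size, the host, then a second viral copy. (Icon theft is omitted in this model.)"""
    return virus + struct.pack("<I", len(host)) + TRAILER_MARKER + host + virus


def carve_host(infected: bytes) -> bytes:
    """Recover the original host from a prepender-infected file using the stored size."""
    off = overlay_offset(infected)
    if off + TRAILER_LEN > len(infected):
        raise ValueError("no overlay trailer; file is not infected with this layout")
    host_len, marker = struct.unpack_from("<I4s", infected, off)
    if marker != TRAILER_MARKER:
        raise ValueError("overlay trailer not recognised; not this prepender layout")
    host = infected[off + TRAILER_LEN: off + TRAILER_LEN + host_len]
    if len(host) != host_len or host[:2] != b"MZ":
        raise ValueError("stored host is truncated or not a PE")
    return host


def size_delta(infected: bytes, host: bytes) -> int:
    """How much larger the infected file is than the host (two viral copies plus the trailer)."""
    return len(infected) - len(host)


def demo() -> tuple[bool, int]:
    virus = build_stub_pe(b"\x90" * 300)      # constructed stand-in for the viral body
    host = build_stub_pe(b"\xCC" * 1000)      # constructed stand-in for a victim .exe
    infected = model_infect(virus, host)
    return carve_host(infected) == host, size_delta(infected, host)


if __name__ == "__main__":
    print(demo())
```

With the page's 32 KB body the delta comes to roughly two copies plus 8 bytes, which is the ~64 KB growth listed under Symptoms. A real disinfector additionally has to cope with the front copy being larger than the tail copy (the stolen icon is written into the front copy's resource section), which is exactly why the overlay is found by parsing the section table rather than by assuming a fixed body size.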