Virus.Win32.Xpaj

Detect Date 07/10/2012
Class Virus
Platform Win32
Description

The virus infects files stored in the folders:

  • %system% (usually C:\Windows\system32)
  • %ProgramFiles% (usually C:\Program Files)
  • Files in shared folders
  • Files on removable media, remote (network) disks and virtual disks (RAM), files prepared for the copying of CDs
  • The following files that certain registry keys contain links to:
    Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
    Software\Microsoft\Internet Explorer\Extensions
    Software\Microsoft\Internet Explorer\UrlSearchHooks
    Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approv
    Software\Classes\Directory\ShellEx\ContextMenuHandlers
    Software\Classes\Folder\ShellEx\ContextMenuHandlers
    SOFTWARE\Classes\Protocol\Filter
    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SOFTWARE\Classes\Applications
    SOFTWARE\Clients\StartMenuInternet
    SOFTWARE\Microsoft\Multimedia
    SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
    SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

If a file does not satisfy certain conditions, e.g. it is protected by SFC (Windows File Protection), it will not be infected.
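
As an added example (not part of the Kaspersky description), the following PowerShell triage script turns the list above into concrete files to check: it walks the listed keys under HKLM and HKCU, resolves any CLSIDs it finds to their registered binaries, and hashes every referenced executable so the set can be compared against a known-good baseline. It assumes an elevated session on the host being examined, and that the two key names truncated in the list are the standard Browser Helper Objects and Shell Extensions\Approved keys.

```powershell
# Added example (not from the Kaspersky description): list every file the registry keys
# named above point to, under HKLM and HKCU, and hash it for baseline comparison.
$relativeKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',   # assumed full name
    'Software\Microsoft\Internet Explorer\Extensions', 'Software\Microsoft\Internet Explorer\UrlSearchHooks',
    'Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved',         # assumed full name
    'Software\Classes\Directory\ShellEx\ContextMenuHandlers', 'Software\Classes\Folder\ShellEx\ContextMenuHandlers',
    'SOFTWARE\Classes\Protocol\Filter', 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'SOFTWARE\Classes\Applications', 'SOFTWARE\Clients\StartMenuInternet', 'SOFTWARE\Microsoft\Multimedia',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths', 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)
$guidRx = '\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}'
$pathRx = '[A-Za-z]:\\[^"*?<>|]+?\.(exe|dll|ocx|scr|cpl)'   # executable-looking paths
# Map a CLSID to its registered binary (in-process server first, then out-of-process).
function Resolve-Clsid([string]$clsid) {
    foreach ($srv in 'InprocServer32', 'LocalServer32') {
        $v = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\$srv" -ErrorAction SilentlyContinue).'(default)'
        if ($v) { return [Environment]::ExpandEnvironmentVariables($v) }
    }
}
# Every string under a key, recursively: subkey names, value names and string values
# (several of the keys above store the CLSID in a name rather than in a value).
function Get-KeyStrings([string]$key) {
    $items = @(Get-Item $key -ErrorAction SilentlyContinue; Get-ChildItem $key -Recurse -ErrorAction SilentlyContinue)
    foreach ($item in ($items | Where-Object { $_ })) {
        $item.PSChildName
        foreach ($name in $item.GetValueNames()) {
            $name; foreach ($v in @($item.GetValue($name))) { if ($v -is [string]) { $v } }
        }
    }
}
$targets = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($rel in $relativeKeys) {
        foreach ($s in Get-KeyStrings "${hive}:\$rel") {
            $candidates = @([Environment]::ExpandEnvironmentVariables($s))
            foreach ($m in [regex]::Matches($s, $guidRx)) { $candidates += @(Resolve-Clsid $m.Value) }
            foreach ($c in $candidates) {
                foreach ($pm in [regex]::Matches($c, $pathRx, 'IgnoreCase')) { [void]$targets.Add($pm.Value) }
            }
        }
    }
}
# Report each referenced file with its SHA-256; a hash that differs from a trusted
# baseline in one of these locations is the artefact this file infector leaves behind.
$targets | Sort-Object | ForEach-Object {
    $hash = if (Test-Path -LiteralPath $_ -PathType Leaf) { (Get-FileHash -LiteralPath $_ -Algorithm SHA256).Hash }
    [pscustomobject]@{ Path = $_; Exists = [bool]$hash; SHA256 = $hash }
} | Format-Table -AutoSize
```

Files that the description says are skipped (SFC-protected ones) will still appear in the output; compare the remaining hashes against a clean reference image or the vendor's signed catalog to spot modified binaries.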

It attempts to connect to the command-and-control servers whose addresses are embedded in the virus body. If none of those connections can be established, it falls back to servers whose domain names the virus generates itself according to a fixed algorithm.

The virus can download additional encrypted modules from the control server, which are then executed in the infected system.

Please note

Several variants of this virus are known to exist. This description was written for a version current in August 2011.