Virus.Win32.Xpaj

The virus infects files stored in the folders:

• %system% (usually C:Windowssystem32)
• %ProgramFiles% (usually C:Program Files)
• Files in shared folders
• Files on removable media, remote (network) disks and virtual disks (RAM), files prepared for the copying of CDs
• The following files that certain registry keys contain links to:

  SoftwareMicrosoftWindowsCurrentVersionExplorerBrowser Helper SoftwareMicrosoftInternet ExplorerExtensions SoftwareMicrosoftInternet ExplorerUrlSearchHooks SoftwareMicrosoftWindowsCurrentVersionShell ExtensionsApprov SoftwareClassesDirectoryShellExContextMenuHandlers
  
  
  
  SoftwareClassesFolderShellExContextMenuHandlers
  
  
  
  SOFTWAREClassesProtocolFilter
  
  
  
  SOFTWAREMicrosoftWindowsCurrentVersionRun
  
  
  
  SOFTWAREClassesApplications
  
  
  
  SOFTWAREClientsStartMenuInternet
  
  
  
  SOFTWAREMicrosoftMultimedia
  
  
  
  SOFTWAREMicrosoftWindowsCurrentVersionApp Paths SOFTWAREMicrosoftWindowsCurrentVersionUninstall

If the file does not satisfy certain conditions, e.g. it is protected with SFC, is will not be infected.

It attempts to connect to remote control servers indicated in the virus body. If server connections cannot be established, it attempts to connect to servers whose domain names are generated by the virus following a certain algorithm.

The virus can download additional encrypted modules from the control server, which are then executed in the infected system.

Please note

Several variants of this virus are known to exist. This description was written for a version current in August 2011.