Threat behavior
Virus:Win32/Xorer.gen!B.dll is a detection for the DLL component dropped by several variants of the Xorer family. It performs various system modifications to facilitate infection by Xorer viruses.
Installation
Virus:Win32/Xorer.gen!B.dll may arrive on the system under various file names. It modifies the system registry so that the DLL is loaded into other processes through the AppInit_DLLs mechanism:
Adds value: "AppInit_DLLs"
With data: "<malware file>.dll"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Payload
Modify System Settings
This virus component modifies the following system settings as part of the overall Xorer infection.
- Disable system startup in Safe Mode and Safe Mode with Networking, by deleting the following registry keys:
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
- Delete additional registry keys, which are related to program debugging, group policy, and program execution:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects
HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Modify system settings for handling files with the Hidden attribute by creating the following registry entries:
Adds value: "ShowSuperHidden"
With data: "0"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Adds value: "Type"
With data: "radio"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
- Enable Autorun for all drive types:
Adds value: "NoDriveTypeAutoRun"
With data: "91"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
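The registry changes listed above can be checked from the defender's side with a read-only audit. The script below is an added example and is not part of the original Microsoft entry; it assumes a Windows host with the built-in PowerShell Registry provider, an elevated session so HKLM can be read, and the key and value names exactly as given on this page. It reports findings only and changes nothing; the comparison values for SuperHidden\Type ("checkbox") and NoDriveTypeAutoRun (0xFF) are the normal Windows default and the commonly recommended hardened setting respectively, and are assumptions introduced for this example.

```powershell
# Added example (not from the original entry): read-only audit for the Xorer DLL
# component's registry modifications. Run in an elevated PowerShell session.
$findings = @()

# 1. AppInit_DLLs persistence: any non-empty value deserves review, because every
#    listed DLL is loaded into processes that load user32.dll.
$winKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = (Get-ItemProperty -Path $winKey -Name 'AppInit_DLLs' -ErrorAction SilentlyContinue).AppInit_DLLs
if (-not [string]::IsNullOrWhiteSpace($appInit)) {
    $findings += "AppInit_DLLs is set to '$appInit' - confirm each DLL is expected"
}

# 2. Safe Mode boot entries the component deletes. These keys exist on a healthy
#    system, so their absence is a strong indicator.
$safeBootGuid = '{4D36E967-E325-11CE-BFC1-08002BE10318}'
foreach ($set in 'CurrentControlSet', 'ControlSet001') {
    foreach ($mode in 'Minimal', 'Network') {
        $key = "HKLM:\SYSTEM\$set\Control\SafeBoot\$mode\$safeBootGuid"
        if (-not (Test-Path -Path $key)) { $findings += "Missing SafeBoot key: $key" }
    }
}

# 3. Other keys the component deletes. IFEO and Run are always present on a normal
#    install; the Group Policy Objects and Safer keys are environment-dependent and
#    are therefore only reported informationally.
$alwaysPresent = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $alwaysPresent) {
    if (-not (Test-Path -Path $key)) { $findings += "Missing key: $key" }
}
$environmentDependent = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer'
)
foreach ($key in $environmentDependent) {
    if (-not (Test-Path -Path $key)) { Write-Verbose "Info: key not present (may be normal): $key" }
}

# 4. Hidden-file handling. ShowSuperHidden=0 is also the Windows default, so on its
#    own it is weak evidence; Type changed away from 'checkbox' (assumed default)
#    removes the Folder Options checkbox and is the more telling change.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$ssh = (Get-ItemProperty -Path $adv -Name 'ShowSuperHidden' -ErrorAction SilentlyContinue).ShowSuperHidden
$shKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden'
$shType = (Get-ItemProperty -Path $shKey -Name 'Type' -ErrorAction SilentlyContinue).Type
if ($shType -and $shType -ne 'checkbox') {
    $findings += "SuperHidden\Type is '$shType' (expected 'checkbox'); ShowSuperHidden=$ssh"
}

# 5. Autorun policy. NoDriveTypeAutoRun is a DWORD bitmask; 0xFF disables Autorun on
#    every drive type, which is the hardened value assumed here. The page reports the
#    malware writing 91 (0x91), which leaves Autorun enabled for removable drives.
$pol  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ndta = (Get-ItemProperty -Path $pol -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($null -ne $ndta -and $ndta -ne 0xFF) {
    $findings += ('NoDriveTypeAutoRun is 0x{0:X} (hardened value is 0xFF)' -f [int]$ndta)
}

# Report
if ($findings.Count -eq 0) {
    Write-Output 'No Xorer DLL-component registry indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

The script deliberately only reads; remediation of the deleted SafeBoot keys should be done by restoring them from a known-good system of the same Windows version rather than by recreating them by hand, and a hit on AppInit_DLLs should be followed by checking the listed DLL's hash and signature before anything is removed.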
Analysis by Dan Kurc
Prevention