You may inadvertently download and run Virus:Win32/Xpaj, thinking it is a certain program such as a key generator.
In the wild, we have observed the virus using the following icon to make itself appear as a program:
It may also arrive on your computer via a drive-by download.
When run, the virus infects files on your computer and on removable and network drives.
When those files are opened (either by yourself or during the normal operation of your computer), the virus code is run again and infects yet more files, thus ensuring the virus is continuously running and infecting files.
Virus:Win32/Xpaj targets files in the <system folder> and %ProgramFiles% folders and their subfolders. It creates a list of all files with the following extensions and randomly chooses files to infect from that list:
Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is "C:\WinNT\System32"; and for XP, Vista, 7, and 8 it is "C:\Windows\System32".
Note: %ProgramFiles% refers to a variable location that is determined by the malware by querying the operating system. The default location for the Program Files folder for Windows 2000, XP, 2003, Vista, 7, and 8 is "C:\Program Files".
Virus:Win32/Xpaj copies a chosen file to the %TEMP% folder with a temporary file name (for example, "%TEMP%/<hexadecimal value>.tmp"). The virus infects this copy of the file, and then overwrites the original file with the infected copy.
During the process of file infection, the virus deletes the temporary file; therefore, no clean copies of the original files remain in %TEMP%.
Note: %TEMP% refers to a variable location that is determined by the malware by querying the operating system. The default location for the All Users Profile folder for Windows 2000, XP, and 2003 is "C:\DOCUME~1\<user>\LOCALS~1\Temp". For Windows Vista, 7 and 8, the default location is "C:\Users\<user name>\AppData\Local\Temp".
Virus:Win32/Xpaj does not infect protected Windows files.
Removable and network drives
Virus:Win32/Xpaj infects files in removable and network drives, using the same method as it uses for infecting local files.
It also places an autorun.inf file in the root directory of the targeted drive. Such autorun.inf files contain instructions for the operating system so that when the removable drive is accessed from another computer supporting the Autorun feature, the malware is launched automatically.
This is particularly common malware behavior, generally used in order to spread malware from computer to computer.
It should be noted that autorun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation media.
Downloads arbitrary files
Virus:Win32/Xpaj connects to a remote server to report infection and receive instructions, including the command to download arbitrary files which may be detected as other malware. This malware may be related to online "click-fraud" where your Internet browser is redirected to malicious URLs.
At the time of analysis, the servers the virus attempts to connect to were not available. Therefore, we are unable to verify the files the virus downloads.
The server the virus connects to is hardcoded in the virus's code, we have observed the virus attempting to connect to "74.72.<removed>.125" ("nortiniolosto.com").
If it cannot connect to the remote server, it will generate URLs and attempt to connect to them, for example:
The virus downloads the arbitrary files to the %windir% directory with a random file name, for example "rafm.fph".
Note: %windir% refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the Windows folder for Windows 2000 and NT is "C:\WinNT"; and for XP, Vista, 7, and 8 it is "C:\Windows".
Infects the master boot record
Some variants of Virus:Win32/Xpaj infect the MBR (master boot record) with their own malicious copy in an attempt to hinder detection and removal of the virus. The malicious MBR is detected as Trojan:DOS/Xpaj.A and Trojan:DOS/Xpaj.B.
Modifying the MBR allows the virus to load before Windows, thus giving it greater control over your system.
The virus initially creates a file in the %windir% directory with a file name in the format <random letters>.<random letters>, for example "sqna.oci".
The virus uses this file as an infection marker.
Related encyclopedia entries
Analysis by Rodel Finones