Virus:Win32/Xorer.R is a specific variant of the Xorer family of file infectors. It is a slow file infector, meaning that it lets a certain period of time pass between infecting files. It has worm capabilities by dropping copies of itself in writable drives. It also has rootkit components that enable it to avoid detection in an infected computer.
Installation
Upon execution, Virus:Win32/Xorer.R may do the following:
- Copy itself to the Windows system folder of the first hard disk drive (usually "C:\Windows\system32\") as the file "winc.exe"
- Create a copy of itself to the Windows system folder as the file "<random number>.log"
- Create the file "dnsq.dll" in the Windows system folder; this file is detected as Virus:Win32/Xorer.E
- Create the folder "<system folder>\Com", and create the following files within that folder:
Note that legitimate Windows files named "lsass.exe" and "smss.exe" exist, and are usually located in the Windows system folder.
Note - <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the system folder for Windows 2000 and NT is C:\Winnt\System32; and for Windows XP/Vista/7 is C:\Windows\System32.
It creates a mutex to ensure that only one copy of itself is running in memory at any given time. One mutex name this variant has been known to use is "c<malware file name>".
Spreads via
File infection
Virus:Win32/Xorer.R is a slow-infecting virus, meaning that it waits for a certain amount of time to pass between infecting files. It encrypts and then prepends its virus code to the original file. This potentially makes it harder to restore the original file.
It also runs the archiving program Winrar, if installed in the computer, in an attempt to infect executables located in archived files.
Removable drives
Virus:Win32/Xorer.R also spreads by dropping copies of itself in all fixed and removable drives as the file "pagefile.pif". To enable its copy to run every time the drive is accessed (for example, when a removable drive is transferred from one computer to another), this virus also drops the file "autorun.inf" pointing to its copy.
Payload
Modifies computer settings
Virus:Win32/Xorer.R does the following changes to your computer's settings:
Disables startup in Safe Mode and Safe Mode with Networking, by deleting the following registry keys:
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
Deletes additional registry keys, which are related to program debugging, group policy, and program execution:
HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Image File Execution\Options
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects
HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Modifies system settings for handling files with the "Hidden" attribute by creating the following registry entries:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "ShowSuperHidden"
With data: "0"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
Sets value: "Type"
With data: "radio"
Enables "Autorun" for all drive types:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Sets value: "NoDriveTypeAutoRun"
With data: "91"
Installs a rootkit service
Virus:Win32/Xorer.R drops the file "netapi000.sys" in the root of each writeable drive. It also installs this file as a service by creating the following registry key:
HKLM\SYSTEM\CurrentControlSet\Services\NetApi000
This is a rootkit driver file and is used by the virus to avoid detection.
Connects to certain websites
Virus:Win32/Xorer.R may modify stored web pages by adding code that links to the website "js.k0102.com". This means that if you open a stored web page, your browser connects to the website, which may download and install arbitrary files.
It may also connect to different webpages within the site "f.gxlgdx.com".
Terminate security processes
Virus:Win32/Xorer.R may terminate certain security-related processes by checking if the process names have any of the following strings:
- avp
- guard
- kmailmon
- kv
- rav
- scan
- twister
- watch
Analysis by Edgardo Diaz
