Virus:Win32/Xorer.gen!A is a generic detection for a family of viruses that infect EXE files. It can spread via file infection, and also by creating copies of itself in each writable drive.
Installation
Upon execution, Virus:Win32/Xorer.gen!A may do the following, depending on the variant:
- Copy itself to the root folder of the first hard disk drive (usually C:) as the file 037589.log.
- Create the file %random%.log in the Windows system folder (where %random% is a random number); this file is detected as Virus:Win32/Xorer.gen!B.
- Create the folder <system folder>\Com, and create the following files within that folder:
Note that legitimate Windows files named lsass.exe and smss.exe exist, and are usually located in the Windows system folder.
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the system folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP and Vista.
It creates a mutex to ensure that only one copy of itself is running in memory at any given time. The mutex name varies depending on variant; one mutex it has been known to use is xcgucvnzn.
Spreads Via...
File Infection
Virus:Win32/Xorer.gen!A infects EXE files slowly; that is, the virus avoids infecting a large number of files within a short period of time in order to evade detection.
It encrypts a target EXE file, and prepends its virus code to the file to infect it. Encrypting the target file potentially makes it more difficult to remove the virus.
It may also run the archive program WinRAR in an attempt to infect executables located within RAR and ZIP archives.
Logical Drives
Virus:Win32/Xorer.gen!A also spreads by dropping copies of itself in all fixed and removable drives as the file pagefile.pif. To enable its copy to run every time the drive is accessed (for example, when a removable drive is transferred from one system to another), this virus also drops the file autorun.inf.
Payload
Upon execution, Virus:Win32/Xorer.gen!A may do the following, depending on the variant:
Modify System Settings
Disable system startup in Safe Mode and Safe Mode with Networking, by deleting the following registry keys:
- HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
- HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
- HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
- HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
Delete additional registry keys, which are related to program debugging, group policy, and program execution:
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects
- HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Modify system settings for handling files with the Hidden attribute by creating the following registry entries:
- Adds value: "ShowSuperHidden", with data: "0", to subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
- Adds value: "Type", with data: "radio", to subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
Enable Autorun for all drive types:
- Adds value: "NoDriveTypeAutoRun", with data: "91", to subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Install the NetApi000 service by adding the following registry subkey:
HKLM\SYSTEM\CurrentControlSet\Services\NetApi000
Connect to Certain Websites
Virus:Win32/Xorer.gen!A may modify stored web pages by adding scripting code that links to certain websites, depending on the variant. This ensures that if a user opens a stored web page, a connection to the website is made, possibly allowing the system to download and install arbitrary programs from that website.
This virus may also connect directly to different pages within the website jj.gxgxy.net, depending on the Xorer variant.
It may also check if an Internet connection is available by connecting to the website baidu.com.
Terminate Security Processes
Virus:Win32/Xorer.gen!A may terminate certain security processes. The processes that are terminated depend on the Xorer variant.
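The following read-only audit script is an added example, not part of the original write-up: it checks a Windows host for the installation, logical-drive and registry artifacts described above (dropped files on drive roots, the look-alike binaries in <system folder>\Com, the deleted SafeBoot keys, the Explorer and Autorun values, the NetApi000 service key and the mutex). The "Global\" mutex namespace and the choice of HKCU for the policy values are assumptions.

```powershell
# Added example (not from the original write-up): audit a host for Xorer.gen!A artifacts.
# Read-only; run from an elevated prompt so HKLM and every drive root are readable.
$findings = @()

# 1. Dropped files the write-up names on drive roots (pagefile.pif, autorun.inf, 037589.log)
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    foreach ($name in 'pagefile.pif', 'autorun.inf', '037589.log') {
        $p = Join-Path $drive.Root $name
        if (Test-Path -LiteralPath $p) { $findings += "dropped file: $p" }
    }
}

# 2. Look-alike binaries in <system folder>\Com (legitimate copies live in System32 itself)
$com = Join-Path $env:SystemRoot 'System32\Com'
foreach ($name in 'lsass.exe', 'smss.exe') {
    $p = Join-Path $com $name
    if (Test-Path -LiteralPath $p) { $findings += "suspicious binary: $p" }
}

# 3. SafeBoot keys the virus deletes: their ABSENCE is the indicator
foreach ($set in 'CurrentControlSet', 'ControlSet001') {
    foreach ($mode in 'Minimal', 'Network') {
        $k = "HKLM:\SYSTEM\$set\Control\SafeBoot\$mode\{4D36E967-E325-11CE-BFC1-08002BE10318}"
        if (-not (Test-Path -LiteralPath $k)) { $findings += "missing SafeBoot key: $k" }
    }
}

# 4. Explorer and Autorun values from the write-up (HKCU assumed; value data reported for review)
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$v = Get-ItemProperty -Path $adv -Name ShowSuperHidden -ErrorAction SilentlyContinue
if ($v -and $v.ShowSuperHidden -eq 0) { $findings += 'ShowSuperHidden=0 (protected OS files hidden)' }
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$v = Get-ItemProperty -Path $pol -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
if ($v) { $findings += ('NoDriveTypeAutoRun set per-user: 0x{0:X}' -f $v.NoDriveTypeAutoRun) }

# 5. Service key the virus installs
if (Test-Path -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Services\NetApi000') {
    $findings += 'service key present: NetApi000'
}

# 6. Infection-marker mutex (name from the write-up; Global scope is an assumption)
foreach ($mname in 'xcgucvnzn', 'Global\xcgucvnzn') {
    try {
        $m = [System.Threading.Mutex]::OpenExisting($mname); $m.Dispose()
        $findings += "mutex present: $mname"
    } catch [System.Threading.WaitHandleCannotBeOpenedException] { <# not present #> }
      catch [System.UnauthorizedAccessException] { $findings += "mutex present (no access): $mname" }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No Xorer.gen!A indicators found.' }
```

A missing SafeBoot key or a per-user NoDriveTypeAutoRun value is also worth a look on hosts where no other indicator fires, since both survive removal of the dropped files.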
Analysis by Patrik Vicol