Virus.Win32.Xpaj.A

by alexander.adamov on July 24th, 2012 in Malware Descriptions.

Platform: Win32
Type: Trojan
Size: 224256 bytes
Packer: PECompact
Unpacked size: 340 Kb
Language: C++

Summary

Virus.Win32.Xpaj.A is a Trojan program that combines bootkit and file-infecting (virus-like) features with backdoor functionality.

Technical Details

Installation

Once launched, the Trojan modifies the MBR (Master Boot Record), which is executed when the PC is turned on. The Trojan stores the original MBR, its own malicious code and additional data, in encrypted form, in the last sectors of the drive. This data area can be identified by the «ARCH» signature.
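As an added example (not code from the original post), the following Python function scans the tail of a raw disk image for sectors that begin with the «ARCH» marker described above, so a responder can check an acquired image offline. The 512-byte sector size, the 64-sector tail window and the sample image built by `build_sample_image` are constructed assumptions.

```python
import io

SECTOR_SIZE = 512          # assumed sector size of the imaged drive
MARKER = b"ARCH"           # signature of the Xpaj data area (from the description)


def tail_sectors_with_marker(image, tail_sectors=64, sector_size=SECTOR_SIZE):
    """Return the absolute sector numbers, within the last `tail_sectors`
    sectors of a raw disk image (bytes or a seekable binary file), whose
    first bytes are the ARCH marker.  A hit is an indicator, not proof:
    the caller should still inspect the sector contents."""
    if isinstance(image, (bytes, bytearray)):
        image = io.BytesIO(image)
    image.seek(0, io.SEEK_END)
    total = image.tell() // sector_size          # ignore a partial last sector
    first = max(0, total - tail_sectors)
    hits = []
    for n in range(first, total):
        image.seek(n * sector_size)
        if image.read(len(MARKER)) == MARKER:
            hits.append(n)
    return hits


def build_sample_image(total_sectors=256, marker_at=(250, 251)):
    """Constructed sample: a zero-filled image with a boot signature at the
    end of sector 0 and the ARCH marker at the given sector numbers."""
    buf = bytearray(total_sectors * SECTOR_SIZE)
    buf[510:512] = b"\x55\xaa"                   # standard MBR boot signature
    for n in marker_at:
        buf[n * SECTOR_SIZE:n * SECTOR_SIZE + len(MARKER)] = MARKER
    return bytes(buf)


if __name__ == "__main__":
    # On a real case, open the acquired image with open(path, "rb") instead.
    print(tail_sectors_with_marker(build_sample_image()))  # [250, 251]
```

To run it against an acquired image, pass the open file object instead of the constructed bytes; the function reads only the tail window, so it is cheap even on large images.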

The Trojan has the following icon:

Payload

The Trojan contacts the following remote host and receives encrypted instructions from it:

nortiniolosto.com

The Trojan downloads encrypted malicious code and stores it in the Windows folder under files with random names. The code is then executed on the system.

The Trojan infects 32-bit executable files that meet certain criteria, for example files located in the %ProgramFiles% and %System% folders that are not protected by System File Checker (SFC).

The virus body is inserted immediately before the resource section (which is shifted to make room for it), and the entry point is redirected to the inserted code. Infected files are detected as Virus.Win32.Xpaj.A (v).

The Trojan registers notification callbacks for process creation and image loading (PsCreateProcessNotifyRoutine, PsLoadImageNotifyRoutine); in the callback it uses the entry point address of the loaded image to insert code that terminates the process. In this way the Trojan kills processes belonging to certain antivirus programs.

To hide the bootkit and its data, the Trojan hooks the NtReadFile and NtWriteFile functions and filters access to the last sectors of the drive.

Removal Recommendations

  1. Run a full scan of your computer using an antivirus program with an up-to-date definition database (Download Ad-Aware Free).