BOOT_XPAJ


 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: File infector

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Infects files, Dropped by other malware, Downloaded from the Internet


The XPAJ family of file infectosr has been known since 2009. Its main purpose is to redirect infected users to click fraud, generating profit for its makers. It has gained capability to spread via mapped drives or shared folders, greatly improving its infection rate.

Some XPAJ file infectors infect the Master Boot Record (MBR) of an infected computer. This capability enables XPAJ to start even before the operating system loads as the infected computer starts up.

To ensure that its servers are online, XPAJ generates 197 URLs to achieve 24/7 uptime, which means continuous cash flow for its perpetrators.

This file infector arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

Memory Resident:

Yes

Payload:

Click fraud

Arrival Details

This file infector arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Autostart Technique

This file infector drops the following files:

  • %Windows%\{random file name}.{random 3 letters} - minimum of 9 files

(Note: %Windows% is the Windows folder, which is usually C:\Windows.)

Process Termination

This file infector terminates the following processes if found running in the affected system's memory:

  • avp.exe
  • avgnt.exe
  • avguard.exe
  • sched.exe
  • avastui.exe
  • ccsvchst.exe
  • avgcsrvx.exe
  • avgnsx.exe
  • avgrsx.exe
  • avgtray.exe
  • avgwdsvc.exe
  • egui.exe

Other Details

This file infector connects to the following URL(s) to check for an Internet connection:

  • microsoft.com

It connects to the following possibly malicious URL:

  • {BLOCKED}.{BLOCKED}.162.208
  • {BLOCKED}.{BLOCKED}.152.218
  • {BLOCKED}.{BLOCKED}.71.249
  • {BLOCKED}.{BLOCKED}.60.108
  • {BLOCKED}.{BLOCKED}.123.153
  • {BLOCKED}.{BLOCKED}.132.25
  • {BLOCKED}.{BLOCKED}.183.224
  • {BLOCKED}.{BLOCKED}.204.90
  • {BLOCKED}iok.info
  • {BLOCKED}c.com
  • {BLOCKED}v.com
  • {BLOCKED}tss.info
  • {BLOCKED}ifhrf.net
  • {BLOCKED}kowab.ru
  • {BLOCKED}elertiong.com
  • {BLOCKED}andraeffect.com
  • {BLOCKED}xw.ru
  • {BLOCKED}naf.ru
  • {BLOCKED}ppsfm.org
  • {BLOCKED}r.info
  • {BLOCKED}bkxfn.biz
  • {BLOCKED}hpte.com
  • {BLOCKED}e.ru
  • {BLOCKED}fbxrzn.com
  • {BLOCKED}etobob.biz
  • {BLOCKED}mullpy.info
  • {BLOCKED}th.info
  • {BLOCKED}medescriptor.com
  • {BLOCKED}sncki.info
  • {BLOCKED}hyjku.net
  • {BLOCKED}mpyzh.net
  • {BLOCKED}hez.com
  • {BLOCKED}knddy.com
  • {BLOCKED}vaweonearch.com
  • {BLOCKED}qyhqtb.org
  • {BLOCKED}gnfvhz.ru
  • {BLOCKED}l.ru
  • {BLOCKED}cut.biz
  • {BLOCKED}pq.info
  • {BLOCKED}eucnd.biz
  • {BLOCKED}o.net
  • {BLOCKED}ront.net
  • {BLOCKED}rando.com
  • {BLOCKED}minestar.org
  • {BLOCKED}sysho.com
  • {BLOCKED}niolosto.com
  • {BLOCKED}usiceditior.com