- Threat Encyclopedia
- Malware
- PE_XPAJ.C-O
W32.Xpaj.B (Symantec); Virus:Win32/Xpaj.gen!A (Microsoft )
Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows 7
Infects files, Dropped by other malware, Downloaded from the Internet
This file infector is part of a malware family that has affected users in Australia and several other countries on October 2012. Besides infecting files, it also infects the affected system's (MBR) Master Boot Record in order to automatically load itself at system startup, making removal difficult.
To get a one-glance comprehensive view of the behavior of this File infector, refer to the Threat Diagram shown below.
This file infector arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It infects the Master Boot Record of the affected system.
It connects to certain websites to send and receive information.
224,256 bytes
EXE
Yes
24 Apr 2012
Connects to URLs/IPs, Click fraud
Arrival Details
This file infector arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This file infector drops the following files:
(Note: %Windows% is the Windows folder, which is usually C:\Windows.)
File Infection
This file infector infects the following file types:
It infects the Master Boot Record of the affected system in order to perform the following routines:
Other Details
This file infector connects to the following URL(s) to check for an Internet connection:
It connects to the following website to send and receive information:
NOTES:
The main payload of this file infector is related to advertising and ad-clicking scam to generate revenue.
This file infector also runs in 64-bit versions of Windows.
It also generates 197 URLs to connect to using a Domain Generation Algorithm.
9.300
9.497.00
31 Oct 2012
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 2
Identify files detected as PE_XPAJ.C-O, then restore the Master Boot Record and delete malware files using Recovery Console
• On Windows Vista and 7 systems:
Step 3
Search and delete this file
Step 4
Scan your computer with your Trend Micro product to delete files detected as PE_XPAJ.C-O. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Step 5
Restore your system's Master Boot Record (MBR)
To restore your system's Master Boot Record (MBR):
• On Windows 2000, XP, and Server 2003:
• On Windows Vista and 7:
NOTES:
Trend Micro Rescue Disk scans and cleans systems infected with XPAJ variants.
For further instructions on how to use this tool, you may refer to the Rescue Disk Instruction Page.