Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Infects files, Dropped by other malware, Downloaded from the Internet
The XPAJ family of file infectors has been known since 2009. Its main purpose is to redirect infected users to click fraud, generating profit for its makers. It has gained the capability to spread via mapped drives or shared folders, greatly improving its infection rate.
Some XPAJ file infectors infect the Master Boot Record (MBR) of an infected computer. This capability enables XPAJ to run before the operating system loads when the infected computer starts up.
To keep its servers reachable 24/7, XPAJ generates 197 URLs, which means continuous cash flow for its perpetrators.
This file infector arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Yes
Click fraud
Arrival Details
This file infector arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Autostart Technique
This file infector drops the following files:
(Note: %Windows% is the Windows folder, which is usually C:\Windows.)
Process Termination
This file infector terminates the following processes if found running in the affected system's memory:
Other Details
This file infector connects to the following URL(s) to check for an Internet connection:
It connects to the following possibly malicious URL:
NOTES:
This file infector infects files with the following file extensions by inserting code in the said files:
It infects the Master Boot Record of the affected system in order to perform the following routines:
It also generates 197 URLs to connect to, using a domain generation algorithm (DGA).
The modified MBR is detected as BOOT_XPAJ.SM.