Xorer

Threat behavior

Virus:Win32/Xorer.X is a detection for a specific variant of the Xorer family of file infectors. It is a slow file infector, meaning that it lets a certain period of time pass between infecting files. It also has worm capabilities: it drops copies of itself, together with an autorun.inf, to writeable drives. It installs a rootkit driver that hides its components so that it can avoid detection on an infected system.

Installation

Upon execution, Virus:Win32/Xorer.X creates the subfolder %windir%\system32\com and drops the following files (the detection name for each file is given after the dash):

<first hard disk:>\037589.log – Virus:Win32/Xorer.X
<first hard disk:>\pagefile.pif – Virus:Win32/Xorer.X
<first hard disk:>\netapi000.sys – Virus:Win32/Xorer.H
%windir%\system32\dnsq.dll – Virus:Win32/Xorer.gen!dll
%windir%\system32\<GetTickCount()>.log – Virus:Win32/Xorer.X
%windir%\system32\com\lsass.exe – Virus:Win32/Xorer.X
%windir%\system32\com\smss.exe – Virus:Win32/Xorer.O
%windir%\system32\com\netcfg.000 – Virus:Win32/Xorer.E
%windir%\system32\com\netcfg.dll – Virus:Win32/Xorer.E

The “<GetTickCount()>” placeholder stands for the value returned by the Windows GetTickCount() API, that is, the number of milliseconds elapsed since the computer was started, so the file is named, for example, “664948.log”. Note that legitimate Windows files named lsass.exe and smss.exe exist; they are located in the Windows system folder itself (%windir%\system32), not in a com subfolder.

The virus sets its priority class to ‘IDLE_PRIORITY_CLASS’ so that it runs when the computer is otherwise idle. It then looks for windows with the class name and window name “XOR”, “MSCTFIME SMSS”. If found, the virus terminates both itself and the window with the class name and window name “#32770”, “MCI Program Com Application”. It then sets its own window text to “MCI Program Com Application”.

Virus:Win32/Xorer.X creates a mutex to ensure that only one copy of itself is running in memory at any given time. The mutex name is built from the path and file name of the virus with the format characters removed, such that ‘c:\path\program.exe’ becomes ‘cprogramexe’.

Spreads Via…

File infection

Virus:Win32/Xorer.X is a slow-infecting virus, meaning that it waits for a certain amount of time to pass between infecting files. It encrypts the original file and then prepends its virus code to it, which potentially makes the original file harder to restore. It also runs the archiving program WinRAR, if found, in an attempt to infect executables stored inside archive files.


Removable drives

Virus:Win32/Xorer.X also spreads by dropping copies of itself in the root of all fixed and removable drives as the file pagefile.pif. To make its copy run every time the drive is accessed (for example, when a removable drive is moved from one system to another), it also drops the file autorun.inf in the drive root.
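The following triage script is an added example, not code from the page or from the virus: it walks a drive root, parses the autorun.inf found there and reports which launch directives point at the file names the description says are dropped (pagefile.pif, netapi000.sys). The page does not reproduce the real autorun.inf, so the sample one and the placeholder files built in build_sample_root() are constructed for illustration.

```python
"""
Triage helper for the removable-drive spreading described above: parse a
drive root's autorun.inf and report launch directives that point at files
dropped beside it. Added example, not Xorer or Microsoft code; the sample
autorun.inf and placeholder files below are constructed, not real captures.
"""
import configparser
import tempfile
from pathlib import Path

# File names the description says are dropped in the root of writeable drives.
XORER_DROP_NAMES = {"pagefile.pif", "netapi000.sys"}

# autorun.inf directives that make Explorer run a program on insertion or
# double-click; shell\<verb>\command entries are matched by pattern below.
LAUNCH_KEYS = ("open", "shellexecute")


def first_token(value: str) -> str:
    """Executable part of a directive value: '"a b.exe" /x' -> 'a b.exe', 'c.pif /y' -> 'c.pif'."""
    value = value.strip()
    if value.startswith('"') and '"' in value[1:]:
        return value[1:value.index('"', 1)]
    return value.split()[0] if value else ""


def parse_autorun(text: str) -> dict:
    """Return {directive: value} for every launch directive in an autorun.inf body.
    Section and key names are compared case-insensitively, as Windows does."""
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   delimiters=("=",), allow_no_value=True)
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}  # malformed file: nothing for Explorer to act on either
    launch = {}
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, value in cp.items(section):  # configparser lowercases keys
            if value is None:
                continue
            if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
                launch[key] = value.strip()
    return launch


def triage_drive_root(root: Path) -> list:
    """Findings for one drive root; an empty list means nothing suspicious."""
    findings = []
    inf = root / "autorun.inf"
    launch = parse_autorun(inf.read_text(errors="replace")) if inf.exists() else {}
    referenced = set()
    for key, value in launch.items():
        target = Path(first_token(value).replace("\\", "/")).name.lower()
        referenced.add(target)
        where = "present" if (root / target).exists() else "missing"
        if target in XORER_DROP_NAMES:
            findings.append(f"autorun.inf {key}={value!r} launches Xorer drop name {target} ({where})")
        elif where == "present":
            findings.append(f"autorun.inf {key}={value!r} launches {target} from the drive root")
    # Dropped names that exist without being referenced are still worth reporting.
    for name in sorted(XORER_DROP_NAMES - referenced):
        if (root / name).exists():
            findings.append(f"{name} present in drive root (no autorun.inf reference)")
    return findings


def build_sample_root() -> Path:
    """Constructed infected-looking drive root in a temp dir (harmless placeholder bytes)."""
    root = Path(tempfile.mkdtemp(prefix="xorer_demo_"))
    (root / "autorun.inf").write_text(
        "[AutoRun]\r\nopen=pagefile.pif\r\nshell\\open\\Command=pagefile.pif\r\n"
        "shellexecute=pagefile.pif\r\nicon=%SystemRoot%\\system32\\shell32.dll,4\r\n")
    for name in XORER_DROP_NAMES:
        (root / name).write_bytes(b"MZ placeholder, not malware")
    return root


if __name__ == "__main__":
    for line in triage_drive_root(build_sample_root()):
        print(line)
```

Point triage_drive_root() at a mounted drive root (for example Path("E:\\")) to check a real stick; the function only reads the directory, it never executes anything it finds.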

Payload

Upon execution, Virus:Win32/Xorer.X may do the following, depending on the variant:

Modify system settings

  • Disable system startup in Safe Mode and Safe Mode with Networking, by deleting the following registry keys ({4D36E967-E325-11CE-BFC1-08002BE10318} is the DiskDrive device class; without its SafeBoot entry the disk driver is not loaded in Safe Mode):
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
    HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
    HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
  • Delete additional registry keys, which are related to program debugging (Image File Execution Options), Group Policy, software restriction policies (Safer) and programs run at startup (Run):
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects
    HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • Modify system settings for handling files with the Hidden attribute, so that protected operating system files (including its own) stay invisible in Explorer and the Folder Options checkbox for showing them is replaced, by creating the following registry entries:
    Adds value: “ShowSuperHidden”
    With data: “0”
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    Adds value: “Type”
    With data: “radio”
    To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
  • Reset the Autorun policy: if the data is not already “0x91” or “0x95” (the stock Windows values, so a hardened setting such as 0xFF that disables Autorun for every drive type is undone), it is set to the following value:
    Adds value: “NoDriveTypeAutoRun”
    With data: “0x95”
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

The virus then calls the Windows utility cacls.exe to grant users in the ‘Everyone’ group full control of the folder ‘C:\Windows\system32\com’, so that the files it dropped there are writable and executable from any account.

Installs rootkit service
Virus:Win32/Xorer.X drops the file NetApi000.sys in the root of each writeable drive. It also installs this file as a service by creating the following registry key:

HKLM\SYSTEM\CurrentControlSet\Services\NetApi000

This SYS file is detected as Virus:Win32/Xorer.H and is a rootkit driver that the virus uses to hide its components and avoid detection.
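The audit below is an added example (not Microsoft's or the virus's code) that checks an exported registry snapshot for the changes listed under Payload and for the NetApi000 service key: missing SafeBoot disk-class entries, deleted IFEO/Safer/Run keys, the ShowSuperHidden and SuperHidden\Type tampering, the NoDriveTypeAutoRun value decoded bit by bit, and the rootkit service. The two Regedit exports it parses are constructed for the example so that it runs offline; on a Windows host, feed it the output of reg export instead. The ImagePath in the constructed infected export is an assumption, the page only gives the key name.

```python
"""
Registry audit for the post-infection state described in the Payload and
'Installs rootkit service' sections. Added example, not Microsoft's or the
virus's code. It reads a Regedit 5.00 export (two constructed snapshots are
embedded so it runs offline); on a Windows host feed it 'reg export' output.
"""

DISK_CLASS = "{4D36E967-E325-11CE-BFC1-08002BE10318}"  # DiskDrive setup class GUID from the page
HIVE = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}
# NoDriveTypeAutoRun bits (Microsoft KB967715): a set bit disables Autorun for
# that drive type. 0x95 is the XP/2003 default, 0x91 the Vista and later default.
DRIVE_BITS = [(0x01, "unknown"), (0x02, "no root dir"), (0x04, "removable"), (0x08, "fixed"),
              (0x10, "network"), (0x20, "CD-ROM"), (0x40, "RAM disk"), (0x80, "reserved")]
ADV = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
SUPERHIDDEN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden"
POLICY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
SERVICE = r"HKLM\SYSTEM\CurrentControlSet\Services\NetApi000"
SAFEBOOT = "HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\"
DELETED_KEYS = (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options",
                r"HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer",
                r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")


def parse_reg_export(text: str) -> dict:
    """Regedit 5.00 export -> {key: {value_name: data}}; dword and string data are decoded."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            current = HIVE.get(hive, hive) + ("\\" + rest if rest else "")
            keys[current] = {}
        elif current is not None and line.startswith(('"', "@")) and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if data.startswith("dword:"):
                data = int(data[6:], 16)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1].replace("\\\\", "\\")  # .reg escapes backslashes
            keys[current][name] = data
    return keys


def audit(keys: dict) -> list:
    """Return one finding per Xorer-style registry change present in the snapshot."""
    f = []
    for mode in ("Minimal", "Network"):
        if SAFEBOOT + mode + "\\" + DISK_CLASS not in keys:
            f.append(f"SafeBoot\\{mode} disk-class entry missing: Safe Mode will not boot")
    for k in DELETED_KEYS:  # Run and IFEO always exist on a healthy system; Safer is a weaker signal
        if k not in keys:
            f.append(f"{k} absent")
    if keys.get(ADV, {}).get("ShowSuperHidden") == 0:
        f.append("ShowSuperHidden=0: protected OS files hidden (also the Windows default)")
    if keys.get(SUPERHIDDEN, {}).get("Type") == "radio":
        f.append("SuperHidden Type=radio: Folder Options checkbox replaced (default is checkbox)")
    ndt = keys.get(POLICY, {}).get("NoDriveTypeAutoRun")
    if isinstance(ndt, int):
        allowed = [n for bit, n in DRIVE_BITS if not ndt & bit]
        if allowed:
            f.append(f"NoDriveTypeAutoRun=0x{ndt:02X}: Autorun allowed for " + ", ".join(allowed))
    if SERVICE in keys:
        f.append(f"NetApi000 service present, ImagePath={keys[SERVICE].get('ImagePath')!r}")
    return f


# Constructed snapshots (not real captures): an infected host and a healthy one.
INFECTED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
"Type"="radio"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetApi000]
"ImagePath"="\\??\\C:\\NetApi000.sys"
"Start"=dword:00000001
"""

HEALTHY_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
"Type"="checkbox"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"""

if __name__ == "__main__":
    for line in audit(parse_reg_export(INFECTED_EXPORT)):
        print(line)
```

The NoDriveTypeAutoRun decode is the part worth reading twice: 0x95 still leaves Autorun allowed for fixed, CD-ROM and RAM-disk drives, which is why resetting a hardened 0xFF back to 0x95 matters to a virus that drops autorun.inf on fixed drives as well as removable ones.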

Connect to certain Web sites
Virus:Win32/Xorer.X may modify locally stored web pages by adding script code that links to the website js.k<removed>102.com. As a result, whenever a user opens one of the modified pages a connection to that website is made, which may allow arbitrary programs to be downloaded and installed from it.

Terminate security processes
Virus:Win32/Xorer.X may terminate certain security processes.