madyrocksin

New Member
Technical Details
This polymorphic file virus infects Windows executable files (PE). When infecting files the virus uses an entry point obscuring (EPO) technique. The virus body in the infected file varies from 160 to 180 KB.

Installation
When the infected file is launched, the virus saves files with arbitrary names based on computer parameters in a Windows folder. The files contain encrypted information about the virus.


Payload
The virus infects files stored in the folders:

%system% (usually C:\Windows\system32\)
%ProgramFiles% (usually C:\Program Files\)
Files in shared folders
Files on removable media, remote (network) disks and virtual disks (RAM), files prepared for the copying of CDs
The following files that certain registry keys contain links to:
Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
Software\Microsoft\Internet Explorer\Extensions
Software\Microsoft\Internet Explorer\UrlSearchHooks
Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approv
Software\Classes\Directory\ShellEx\ContextMenuHandlers
Software\Classes\Folder\ShellEx\ContextMenuHandlers
SOFTWARE\Classes\Protocol\Filter
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Classes\Applications
SOFTWARE\Clients\StartMenuInternet
SOFTWARE\Microsoft\Multimedia
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall


If the file does not satisfy certain conditions, e.g. it is protected by SFC, it will not be infected.
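Since the virus picks its targets by following the executable paths stored under the registry keys listed above (and skips SFC-protected files), a quick triage is to walk those same keys, resolve the binaries they reference and look at their Authenticode status. The script below is an added example for that, not Kaspersky's code and not a detection signature: it only covers the keys whose values hold file paths or command lines (Run, App Paths, Uninstall, StartMenuInternet, Classes\Applications, IE Extensions), the path-extraction regex is a heuristic, and an unsigned file is merely a candidate for a closer look, not a confirmed infection.

```powershell
# Added triage example (not part of the Kaspersky write-up).
# Walks registry keys that Xpaj uses to find infection targets, resolves the
# executables/DLLs they reference, and reports those without a valid signature.
# Heuristic only: plenty of legitimate software ships unsigned binaries.

$hives = 'HKLM:', 'HKCU:'
$keys  = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\App Paths',
    'Software\Microsoft\Windows\CurrentVersion\Uninstall',
    'Software\Clients\StartMenuInternet',
    'Software\Classes\Applications',
    'Software\Microsoft\Internet Explorer\Extensions'
)

# Pull the first .exe/.dll path out of a registry string such as
#   "C:\Program Files\Foo\foo.exe" /silent   or   C:\Tools\bar.exe -x
# Returns $null when the value does not look like a command line or path.
function Get-BinaryPath([string]$value) {
    if ([string]::IsNullOrWhiteSpace($value)) { return $null }
    $m = [regex]::Match($value,
        '"([^"]+\.(exe|dll))"|([A-Za-z]:\\[^"\s]+\.(exe|dll))', 'IgnoreCase')
    if (-not $m.Success) { return $null }
    $p = if ($m.Groups[1].Success) { $m.Groups[1].Value } else { $m.Groups[3].Value }
    return [Environment]::ExpandEnvironmentVariables($p)
}

$seen    = @{}   # de-duplicate by lower-cased path
$results = foreach ($hive in $hives) {
    foreach ($key in $keys) {
        $root = Join-Path $hive $key
        if (-not (Test-Path $root)) { continue }
        # Get-ChildItem on the registry returns subkeys only, so add the root itself.
        $items = @(Get-Item $root) + @(Get-ChildItem $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($k in $items) {
            foreach ($name in $k.GetValueNames()) {
                # Only REG_SZ / REG_EXPAND_SZ values can hold a path.
                if ($k.GetValueKind($name) -notin 'String', 'ExpandString') { continue }
                $path = Get-BinaryPath ([string]$k.GetValue($name))
                if (-not $path -or $seen.ContainsKey($path.ToLower())) { continue }
                $seen[$path.ToLower()] = $true
                if (-not (Test-Path -LiteralPath $path)) { continue }
                $sig = Get-AuthenticodeSignature -FilePath $path
                [pscustomobject]@{
                    RegistryKey = $k.Name
                    Value       = $name
                    File        = $path
                    Signature   = $sig.Status      # Valid / NotSigned / HashMismatch / ...
                    SizeKB      = [int]((Get-Item -LiteralPath $path).Length / 1KB)
                }
            }
        }
    }
}

# Anything not 'Valid' is worth a second look; 'HashMismatch' on a file that
# used to be signed is the strongest hint that its code has been modified.
$results | Where-Object { $_.Signature -ne 'Valid' } |
    Sort-Object File | Format-Table -AutoSize
```

Run it from an elevated prompt so HKLM and Program Files are readable. A status of HashMismatch on a vendor binary that should be signed is the interesting case; NotSigned by itself just means the file needs to be checked some other way (hash against a known-good copy, or the XpajKiller scan described below).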

It attempts to connect to remote control servers indicated in the virus body. If server connections cannot be established, it attempts to connect to servers whose domain names are generated by the virus following a certain algorithm. The virus can download additional encrypted modules from the control server, which are then executed in the infected system.

To disinfect a system infected with malware Virus.Win32.Xpaj.a,b,c,gen use the tool XpajKiller.exe.

Disinfection of an infected system:

Warning: The System restore function should be disabled before attempting to disinfect a system.

Download the archive XpajKiller.zip and extract it into a folder on the infected (or potentially infected) PC using an archiver program (for example, WinZip).

Run the file XpajKiller.exe.

Wait for the scan and disinfection to finish. A reboot might be required after disinfection.

If started without switches, the tool will:
Scan and disinfect files on all hard disk drives.
While scanning hard disk drives, the tool will also perform a check of executable files of all running processes every 10 seconds.
Terminate detected infected processes and disinfect infected files.

Optional switches to run the tool from command prompt:

-l - write log to the file.
-v - detailed logging (must be used in combination with the parameter -l).
-s - scan in "silent" mode (without opening a console window).
-y - when the utility finishes, its window will be closed.
-p - scan a specific folder.
-r - scan removable drives (flash), external USB and FireWire hard disks.
-n - scan network drives.
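The whole procedure (disable System Restore, unpack, run with logging, wait, reboot) scripted for an elevated PowerShell prompt. This is an added example, not a script shipped by Kaspersky. Assumptions, since the post does not show them: XpajKiller.zip has already been downloaded to the $zip path, and the -l and -p switches take their argument as the next token on the command line.

```powershell
# Added example (not Kaspersky's script): automate the XpajKiller steps above.
# Assumes XpajKiller.zip is already at $zip and that "-l <file>" / "-p <folder>"
# is the argument syntax (the write-up lists the switches but not the syntax).
#Requires -RunAsAdministrator

$zip = 'C:\Temp\XpajKiller.zip'        # assumed download location
$dir = 'C:\Temp\XpajKiller'
$log = Join-Path $dir 'XpajKiller.log'

# 1. Disable System Restore on every fixed drive (DriveType 3) first, as the
#    warning says, so restore points cannot bring infected copies back.
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3' | ForEach-Object {
    Disable-ComputerRestore -Drive "$($_.DeviceID)\" -ErrorAction SilentlyContinue
}

# 2. Extract the archive into its own folder.
Expand-Archive -LiteralPath $zip -DestinationPath $dir -Force

# 3. Run the tool: log to file, verbose, include removable and network drives,
#    close its window when done; -Wait blocks until the scan has finished.
$exe = Join-Path $dir 'XpajKiller.exe'
$proc = Start-Process -FilePath $exe `
    -ArgumentList @('-l', $log, '-v', '-r', '-n', '-y') `
    -WorkingDirectory $dir -Wait -PassThru

# 4. Report and, since a reboot may be required, offer one.
"XpajKiller exit code: $($proc.ExitCode)"
if (Test-Path -LiteralPath $log) { Get-Content -LiteralPath $log -Tail 20 }
if ((Read-Host 'Reboot now? (y/n)') -eq 'y') { Restart-Computer -Force }
```

The exit code is printed only for the record; the post does not document what the tool returns, so read the log rather than the code to decide whether the scan succeeded. Re-enable System Restore (Enable-ComputerRestore) once the system is confirmed clean.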

Download Kaspersky XpajKiller