System Infected: W32.Xpaj.B

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects W32.Xpaj.B activity, which may download additional files onto the compromised computer.

Additional Information

W32.Xpaj.B is a virus that infects .dll, .exe, .scr, and .sys files on the compromised computer.
Once executed, the virus searches the compromised computer for files with the following extensions and infects them:

.dll
.exe
.scr
.sys

The virus creates the following file to mark its presence:
%Windir%\[FOUR RANDOM NUMBERS FOLLOWED BY FOUR RANDOM LETTERS].tmp

It may also create the following file:
%Temp%\[HEXADECIMAL CHARACTERS].tmp

The virus checks for Internet connectivity by attempting to contact the following domain:
microsoft.com

Then, the virus attempts to contact its control server using the following URL:
[http://][SERVER ADDRESS]/up.[REMOVED]

Note: [SERVER ADDRESS] may be one of the following remote locations:

74.72.199.125
abdulahuy.com
tooratios.com

The virus may download and execute additional malicious files.

The virus may spread by copying itself to removable drives.

It may also create the following file so that it runs whenever the drives are accessed:
%DriveLetter%\autorun.inf
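The behaviours above give a defender three concrete things to check: the presence-marker file name in %Windir%, contact with the listed control-server locations (and the /up. request path, whose remainder the write-up redacts), and an autorun.inf dropped at a drive root. The script below is an added example, not Symantec's code, that encodes those indicators as checks over a constructed stand-in for %Windir% and a constructed proxy log. The log format (`timestamp client host path`), the sample file names, and the `/up.PLACEHOLDER` path are assumptions made for the demonstration.

```python
"""Host and network checks for the W32.Xpaj.B indicators in the write-up above.

Added example, not Symantec's code. Indicators are taken from the write-up;
the proxy log format and all sample values are constructed for the demo.
"""
import os
import re
import tempfile
from typing import Dict, List

# Control-server locations named in the write-up.
C2_HOSTS = {"74.72.199.125", "abdulahuy.com", "tooratios.com"}
# The write-up gives the request as /up.[REMOVED]; only the prefix is known.
C2_PATH_PREFIX = "/up."

# Presence marker: four digits followed by four letters, .tmp extension.
MARKER_RE = re.compile(r"^[0-9]{4}[A-Za-z]{4}\.tmp$")


def is_marker_name(name: str) -> bool:
    """True if a file name matches the %Windir% presence-marker pattern."""
    return MARKER_RE.match(name) is not None


def find_marker_files(windir: str) -> List[str]:
    """Return sorted marker-pattern file names in the top level of windir."""
    try:
        entries = os.listdir(windir)
    except OSError:
        return []
    return sorted(n for n in entries
                  if is_marker_name(n) and os.path.isfile(os.path.join(windir, n)))


def autorun_on_drive(root: str) -> bool:
    """True if an autorun.inf sits at the drive root (removable-media spread)."""
    return os.path.isfile(os.path.join(root, "autorun.inf"))


def parse_proxy_line(line: str) -> Dict[str, str]:
    """Parse a constructed proxy log line of the form '<ts> <client> <host> <path>'."""
    ts, client, host, path = line.split(maxsplit=3)
    return {"ts": ts, "client": client, "host": host.lower(), "path": path}


def c2_hits(lines: List[str]) -> List[Dict[str, str]]:
    """Return every request to a listed control-server host.

    Any contact with these hosts is an indicator; the 'up_request' flag marks
    requests whose path starts with the /up. beacon prefix from the write-up.
    """
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = parse_proxy_line(line)
        if rec["host"] in C2_HOSTS:
            rec["up_request"] = rec["path"].startswith(C2_PATH_PREFIX)
            hits.append(rec)
    return hits


def build_sample_windir() -> str:
    """Create a temp directory standing in for %Windir% with constructed files."""
    d = tempfile.mkdtemp(prefix="xpaj_demo_")
    # Two names match the marker pattern; the other two do not.
    for name in ("1234abcd.tmp", "9876WXYZ.tmp", "12345abc.tmp", "notepad.exe"):
        open(os.path.join(d, name), "w").close()
    return d


# Constructed proxy log. "/up.PLACEHOLDER" stands in for the redacted path;
# the first line is the microsoft.com connectivity check and is not an indicator.
SAMPLE_LOG = [
    "2024-01-01T00:00:00Z 10.0.0.5 microsoft.com /",
    "2024-01-01T00:00:01Z 10.0.0.5 abdulahuy.com /up.PLACEHOLDER",
    "2024-01-01T00:00:02Z 10.0.0.7 tooratios.com /favicon.ico",
    "2024-01-01T00:00:03Z 10.0.0.7 74.72.199.125 /up.PLACEHOLDER",
]

if __name__ == "__main__":
    windir = build_sample_windir()
    print("marker files:", find_marker_files(windir))
    print("autorun.inf at root:", autorun_on_drive(windir))
    for hit in c2_hits(SAMPLE_LOG):
        tag = "beacon" if hit["up_request"] else "contact"
        print(f"C2 {tag}: {hit['client']} -> {hit['host']}{hit['path']}")
```

Run as-is to see the two marker-pattern names picked out and the three control-server contacts flagged; on a real host, point `find_marker_files` at the Windows directory and `autorun_on_drive` at each removable-drive root, and feed `c2_hits` your own proxy or DNS log lines after adapting `parse_proxy_line` to their format.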

Affected

  • Windows

Response

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

* Disable System Restore (Windows Me/XP).
* Update the virus definitions.
* Run a full system scan.