Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.

Xorer.O

Threat level: Low threat
Damage: High
Distribution: Not widespread

Effects 

Xorer.O carries out the following actions:

  • It checks if there is an Internet connection available. If so, it downloads two files from the website http://js.k<bloqued>02.com.
  • The files it downloads are:
    - DATA.GIF, which is an update of itself.
    - ANTITOOL.EXE, which drops several files belonging to the Windows packet capture library called Winpcap and a malicious file called ALG.EXE.
  • This malicious file is used to capture and modify the network packets sent from the computers. The only packets it modifies are those belonging to the HTTP protocol, and it only affects computers that belong to the same local network.
  • As a consequence, the website requested by the user is displayed with alterations: a pop-up window appears at the bottom right of the website, as in the image below:

  • This does not mean that these computers are infected by Xorer.O, but that there is an infected computer in the network they belong to. Specifically, the websites visited from the infected computer itself will not be displayed with the anomaly mentioned above.
  • In order to do so, it uses the Windows packet capture library called Winpcap.
  • Once it captures the network packets, it sends them to the router; the router gives them back to the worm, the worm modifies them by injecting a script into the HTML code of the website, and finally they are sent to the user that requested them.
  • It uses several techniques in order to make its detection more difficult:
    - It uses a rootkit to hide the files it creates.
    - It hides the operating system files.
  • It ends the processes that contain any of the following text strings:
    #32770
    360anti
    360safe
    AfxControlBar42s
    antivir
    bitdefender
    cabinetwclass
    dr.web
    escan
    ewido
    facelesswndproc
    firewall
    ieframe
    mcagent
    metapad
    monitor
    mozillauiwindowclass
    SREng
    tapplication
    thunderrt6formdc
    thunderrt6main
    ThunderRT6Timer

    These processes belong to antivirus programs and firewalls.

Infection strategy 

Xorer.O creates the following files in the root directory of all system drives:

  • a copy of itself under the names PAGEFILE.PIF and 037589.LOG.
  • an AUTORUN.INF file, in order to be run whenever any drive is accessed.

Additionally, it creates the following files, which are copies of itself:

  • LSASS.EXE, in the subfolder Com of the Windows system directory.
  • ~????.EXE, in the Startup directory, where ???? stands for four random characters. This way, it ensures that it is run whenever Windows is started.

It also creates the following files:

  • NETAPI000.SYS, in the root directory of the C: drive. This file belongs to a rootkit, which is used to hide all the files created by the worm.
  • NETCFG.000, NETCFG.DLL and SMSS.EXE, in the subfolder Com of the Windows system directory.
  • DNSQ.DLL, in the Windows system directory.

 

Xorer.O modifies the following entries from the Windows Registry, in order to make its detection more difficult:

  • HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Explorer\ Advanced\ Folder\ SuperHidden
    Type = checkbox

    It changes this entry to:
    HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Explorer\ Advanced\ Folder\ SuperHidden
    Type = radio

    This way, it hides the copy of itself (~????.EXE, where ???? stands for four random characters) created in the Startup directory.
  • HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Explorer\ Advanced
    ShowSuperHidden = 01, 00, 00, 00

    It changes this entry to:
    HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Explorer\ Advanced
    ShowSuperHidden = 00, 00, 00, 00

    This way, it hides the files of the operating system.

 

Xorer.O deletes the following entries from the Windows Registry in order to prevent the system from starting in any of the types of safe mode available:

  • HKEY_LOCAL_MACHINE\ SYSTEM\ ControlSet001\ Control\ SafeBoot\ Minimal\ {4D36E967-E325-11CE-BFC1-08002BE10318}
    (Default) = DiskDrive
  • HKEY_LOCAL_MACHINE\ SYSTEM\ ControlSet001\ Control\ SafeBoot\ Network\ {4D36E967-E325-11CE-BFC1-08002BE10318}
    (Default) = DiskDrive
  • HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Control\ SafeBoot\ Minimal\ {4D36E967-E325-11CE-BFC1-08002BE10318}
    (Default) = DiskDrive
  • HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Control\ SafeBoot\ Network\ {4D36E967-E325-11CE-BFC1-08002BE10318}
    (Default) = DiskDrive

It also deletes all the entries under the path HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Run. These entries ensure that the files they point to are run whenever Windows is started, so by deleting them, those files will no longer be run automatically when the computer restarts.
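The following read-only audit script is an added example, not part of the Panda entry: it checks a Windows host for the files, Explorer settings and SafeBoot registry keys described in the Infection strategy section above. It assumes the "Com" subfolder and the Startup folder resolve through the standard Windows locations, and it reports findings without changing anything.

```powershell
# Added example: audit a host for the Xorer.O artefacts listed in the description.
# Read-only; run from an elevated PowerShell prompt. Because the worm uses a rootkit
# to hide its files, a clean result from a live system is not proof of a clean host;
# an offline scan of the disk is more reliable for the file checks.
$findings = @()

# 1. Files the worm is described as creating.
$sysDir  = [Environment]::GetFolderPath('System')     # Windows system directory
$startup = [Environment]::GetFolderPath('Startup')    # current user's Startup folder
$paths = @(
    (Join-Path $sysDir 'Com\LSASS.EXE'), (Join-Path $sysDir 'Com\NETCFG.000'),
    (Join-Path $sysDir 'Com\NETCFG.DLL'), (Join-Path $sysDir 'Com\SMSS.EXE'),
    (Join-Path $sysDir 'DNSQ.DLL'), 'C:\NETAPI000.SYS'
)
foreach ($d in Get-PSDrive -PSProvider FileSystem) {          # root of every drive
    foreach ($n in 'PAGEFILE.PIF', '037589.LOG', 'AUTORUN.INF') {
        $paths += Join-Path $d.Root $n
    }
}
# ~????.EXE in Startup: ? matches exactly one character in -Filter patterns.
foreach ($f in Get-ChildItem -Path $startup -Filter '~????.EXE' -Force -ErrorAction SilentlyContinue) {
    $paths += $f.FullName
}
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "file present: $p" }
}

# 2. Explorer settings the worm changes to keep its files hidden.
$sh = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden'
if ((Get-ItemProperty -Path $sh -ErrorAction SilentlyContinue).Type -eq 'radio') {
    $findings += "SuperHidden Type is 'radio' (expected 'checkbox')"
}
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$ssh = (Get-ItemProperty -Path $adv -ErrorAction SilentlyContinue).ShowSuperHidden
if ($ssh -is [array]) { $ssh = $ssh[0] }   # tolerate a REG_BINARY rendering of the value
if ($ssh -eq 0) { $findings += "ShowSuperHidden is 0 (protected OS files hidden)" }

# 3. Safe-mode DiskDrive class entries the worm deletes (GUID from the description).
$guid = '{4D36E967-E325-11CE-BFC1-08002BE10318}'
foreach ($set in 'ControlSet001', 'CurrentControlSet') {
    foreach ($mode in 'Minimal', 'Network') {
        $key = "HKLM:\SYSTEM\$set\Control\SafeBoot\$mode\$guid"
        if (-not (Test-Path $key)) { $findings += "missing SafeBoot key: $key" }
    }
}

# 4. An emptied HKLM Run key matches the description (note: some clean hosts have none).
$runValues = (Get-Item 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run').Property
if ($runValues.Count -eq 0) { $findings += "HKLM Run key has no entries" }

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output "No Xorer.O indicators found on the live system." }
```

Missing SafeBoot keys or an empty Run key can also occur on a clean but unusual system, so treat each finding as something to confirm rather than a verdict on its own.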

Means of transmission 

Xorer.O spreads through the local, removable and mapped drives, making copies of itself in them. Additionally, it creates an AUTORUN.INF file in these drives, in order to be run whenever any of them is accessed.

Further Details  

Xorer.O is 95,744 bytes in size.