PE_XPAJ: Persistent File Infector

We’re currently investigating several file infectors that have affected a number of countries, particularly Australia. Trend Micro detects these as PE_XPAJ.C, PE_XPAJ.C-1, PE_XPAJ.C-2, and PE_XPAJ.C-O.

Based on our initial analysis, these PE_XPAJ variants connect to the following C&C servers to send and receive information:

  • {BLOCKED}.{BLOCKED}.162.208:35516
  • {BLOCKED}.{BLOCKED}.152.218:35516
  • {BLOCKED}.{BLOCKED}.71.249:35516
  • {BLOCKED}.{BLOCKED}.60.108:35516
  • {BLOCKED}.{BLOCKED}.123.153:35516
  • {BLOCKED}.{BLOCKED}.132.25:35516
  • {BLOCKED}.{BLOCKED}.16.5:389
  • {BLOCKED}.{BLOCKED}.0.1:1056
  • {BLOCKED}.{BLOCKED}.16.9
  • {BLOCKED}.{BLOCKED}.16.10
  • {BLOCKED}.{BLOCKED}.183.224:35516
  • {BLOCKED}.{BLOCKED}.0.1:1070
  • {BLOCKED}.{BLOCKED}.16.12:389
  • {BLOCKED}.{BLOCKED}.4.250:80
  • {BLOCKED}.{BLOCKED}.204.90:80
  • {BLOCKED}.{BLOCKED}.0.1:1043
  • {BLOCKED}biok.info
  • {BLOCKED}c.com
  • {BLOCKED}v.com
  • {BLOCKED}tss.info
  • {BLOCKED}ifhrf.net
  • {BLOCKED}kowab.ru
  • {BLOCKED}elertiong.com
  • {BLOCKED}xw.ru
  • {BLOCKED}naf.ru
  • {BLOCKED}ppsfm.org
  • {BLOCKED}r.info
  • {BLOCKED}j.info
  • {BLOCKED}bkxfn.biz
  • {BLOCKED}hpte.com
  • {BLOCKED}e.ru
  • {BLOCKED}fbxrzn.com
  • {BLOCKED}etobob.biz
  • {BLOCKED}mullpy.info
  • {BLOCKED}th.info
  • {BLOCKED}medescriptor.com
  • {BLOCKED}sncki.info
  • {BLOCKED}hyjku.net
  • {BLOCKED}mpyzh.net
  • {BLOCKED}hez.com
  • {BLOCKED}knddy.com
  • {BLOCKED}vaweonearch.com
  • {BLOCKED}qyhqtb.org
  • {BLOCKED}gnfvhz.ru
  • {BLOCKED}l.ru
  • {BLOCKED}cut.biz
  • {BLOCKED}pq.info
  • {BLOCKED}o.net
  • {BLOCKED}eucnd.biz
  • {BLOCKED}e.bluefirems.com.au
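Most of the addresses above are masked, but the non-standard port 35516 that the majority of them share is a usable network indicator on its own. The following script is an added example, not code from the original post or from Trend Micro: it parses a handful of constructed firewall and DNS log lines (documentation-range IPs, a placeholder domain standing in for the masked names) and reports the internal hosts that tried to reach a C&C port or a blocked domain. The log format, the `fw`/`dns` line layout and the placeholder domain are assumptions for the demo.

```python
import re

# Constructed log lines for the demo (not real traffic). The C&C port 35516 is
# taken from the list above; the IPs are documentation-range addresses and the
# domain is a placeholder standing in for the vendor's masked names.
SAMPLE_LOG = """\
2012-10-22T10:15:01Z fw src=10.0.0.12:49211 dst=203.0.113.45:35516 proto=tcp action=allow
2012-10-22T10:15:02Z fw src=10.0.0.12:49212 dst=203.0.113.9:443 proto=tcp action=allow
2012-10-22T10:15:03Z dns client=10.0.0.12 query=update.cnc-placeholder.example
2012-10-22T10:15:04Z fw src=10.0.0.31:50100 dst=198.51.100.7:35516 proto=tcp action=deny
2012-10-22T10:15:05Z dns client=10.0.0.31 query=www.example.org
"""

# Assumed line layouts for the two log sources in the sample above.
FW_RE = re.compile(r"^(?P<ts>\S+) fw src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<dport>\d+)")
DNS_RE = re.compile(r"^(?P<ts>\S+) dns client=(?P<src>[\d.]+) query=(?P<name>\S+)")


def domain_matches(name, blocked):
    """True when name equals a blocked domain or is a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == b or name.endswith("." + b) for b in blocked)


def find_xpaj_beacons(lines, cnc_ports=frozenset({35516}), blocked_domains=()):
    """Return (timestamp, source_host, indicator_type, indicator) for each hit.

    Denied connections are reported as well: a blocked beacon still identifies
    an infected host that needs cleaning.
    """
    blocked = {b.lower().rstrip(".") for b in blocked_domains}
    hits = []
    for line in lines:
        m = FW_RE.match(line)
        if m and int(m["dport"]) in cnc_ports:
            hits.append((m["ts"], m["src"], "port", "%s:%s" % (m["dst"], m["dport"])))
            continue
        m = DNS_RE.match(line)
        if m and domain_matches(m["name"], blocked):
            hits.append((m["ts"], m["src"], "domain", m["name"]))
    return hits


def infected_hosts(hits):
    """Distinct internal hosts that produced at least one indicator, sorted."""
    return sorted({h[1] for h in hits})


if __name__ == "__main__":
    found = find_xpaj_beacons(SAMPLE_LOG.splitlines(),
                              blocked_domains=["cnc-placeholder.example"])
    for hit in found:
        print(hit)
    print("hosts to isolate:", infected_hosts(found))
```

Run against real exports, the port match is the more reliable of the two rules: the domains in the list above are partially masked, so the `blocked_domains` argument has to be filled from the full indicator list, while 35516 is rarely used by legitimate software and any internal host connecting to it, allowed or denied, deserves a look.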

An infected file (detected as a PE_XPAJ variant) is capable of downloading its mother file and loading it into memory. A copy of the mother file can then be found in the Windows folder under a random file name and extension. Users will notice re-infection when these encrypted files reappear in the Windows folder with the same file name and extension that was used before.
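Two things in that description are checkable on a host: an encrypted blob with an unfamiliar extension sitting directly in the Windows folder, and the reappearance of a file name recorded during an earlier clean-up. The script below is an added example, not code from the original post or from Trend Micro. It flags files by Shannon entropy and extension on a first pass, and by recorded name on later passes, so a re-dropped copy is caught even when it is too small for the entropy rule. The extension allow-list, the thresholds and the sample files it builds in a temporary directory are all assumptions for the demo.

```python
import math
import tempfile
from collections import Counter
from pathlib import Path

# Assumed allow-list of extensions normally found directly under the Windows
# folder; tune it from a known-clean machine before using this for real.
KNOWN_EXTENSIONS = {".exe", ".dll", ".sys", ".ini", ".log", ".txt", ".bmp", ".dat", ".bin"}


def shannon_entropy(data):
    """Bits per byte; encrypted or compressed data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_windows_folder(windir, known_names=(), entropy_threshold=7.0, min_size=1024):
    """Return [(name, entropy)] for files that look like a dropped mother-file copy.

    A file is flagged when its name was recorded from an earlier infection
    (the re-infection pattern described above) or when it carries an
    unexpected extension and high entropy (an encrypted blob under a random name).
    """
    known = {n.lower() for n in known_names}
    hits = []
    for p in sorted(Path(windir).iterdir()):
        if not p.is_file():
            continue
        data = p.read_bytes()
        ent = round(shannon_entropy(data), 2)
        if p.name.lower() in known:
            hits.append((p.name, ent))
        elif (p.suffix.lower() not in KNOWN_EXTENSIONS
              and len(data) >= min_size and ent >= entropy_threshold):
            hits.append((p.name, ent))
    return hits


def demo():
    """Build a constructed Windows-folder lookalike and run two scans.

    Returns (first_scan, second_scan). The first catches the dropped blob by
    entropy; the second, after a simulated clean-up and re-drop, catches the
    same name again even though the new copy fails the entropy rule.
    """
    blob = bytes(range(256)) * 16  # constructed stand-in for encrypted data, entropy 8.0
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "win.ini").write_text("[fonts]\n")               # benign, known extension
        (root / "notepad.exe").write_bytes(b"MZ" + b"\0" * 4096)  # benign, low entropy
        (root / "setup.xyz").write_bytes(b"A" * 2048)             # odd extension, low entropy
        dropped = root / "qz7ek2.hxa"                             # random name and extension
        dropped.write_bytes(blob)
        first = scan_windows_folder(root)

        recorded = [name for name, _ in first]  # what an analyst writes down
        dropped.unlink()                         # simulated clean-up
        dropped.write_bytes(b"\0" * 300)         # simulated re-infection, small and low entropy
        second = scan_windows_folder(root, known_names=recorded)
    return first, second


if __name__ == "__main__":
    before, after = demo()
    print("first scan :", before)
    print("second scan:", after)
```

The entropy rule alone is a triage aid, not a verdict: legitimate compressed or signed binaries also score high, which is why the scan limits itself to unexpected extensions and why the recorded-name rule carries the weight on repeat visits.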

PE_XPAJ variants infect .EXE, .SCR, .DLL and .SYS files. They also infect the Master Boot Record (MBR) so that the malware is loaded automatically at system startup. One of their payloads is click fraud: the variants can redirect users to ad-clicking scams from which the cybercriminals profit.
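When a file infector appends its code to a PE and redirects the entry point, the structural traces are visible in the headers without executing anything. The script below is an added example, not code from the original post, from Trend Micro or from the malware itself: it parses the COFF and optional headers and the section table of a PE image and reports the generic infector signs (entry point in the last section, entry section not marked as code, entry section both writable and executable). The heuristic is a general one and is not a description of how PE_XPAJ specifically modifies files; the two header-only sample images it builds are constructed for the demo and are not loadable binaries.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(pe):
    """Return (entry_rva, [(name, rva, virtual_size, characteristics)]) from a PE32/PE32+ image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]   # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]   # SizeOfOptionalHeader
    opt = e_lfanew + 24
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]       # AddressOfEntryPoint
    sections = []
    for i in range(nsections):
        f = struct.unpack_from(SECTION_HDR, pe, opt + opt_size + 40 * i)
        name = f[0].rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, f[2], f[1], f[9]))  # VirtualAddress, VirtualSize, Characteristics
    return entry_rva, sections


def infection_indicators(pe):
    """Return a list of reasons the entry point looks redirected by a file infector (empty = clean)."""
    entry, sections = parse_pe(pe)
    holder = next((i for i, (_, rva, vsize, _) in enumerate(sections)
                   if rva <= entry < rva + vsize), None)
    if holder is None:
        return ["entry point 0x%x lies outside every section" % entry]
    name, _, _, chars = sections[holder]
    reasons = []
    if len(sections) > 1 and holder == len(sections) - 1:
        reasons.append("entry point in last section %s" % name)
    if not chars & IMAGE_SCN_CNT_CODE:
        reasons.append("entry section %s not flagged as code" % name)
    if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
        reasons.append("entry section %s is writable and executable" % name)
    return reasons


def build_pe(entry_rva, sections):
    """Constructed minimal PE32 header for the demo (headers only, not loadable)."""
    e_lfanew, opt_size = 0x80, 0xE0
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(opt_size, b"\0")
    table = b"".join(struct.pack(SECTION_HDR, n.ljust(8, b"\0"), vs, rva, vs, 0, 0, 0, 0, 0, ch)
                     for n, rva, vs, ch in sections)
    return dos + b"PE\0\0" + coff + opt + table


# Constructed samples: a normal layout, and one where the last section has grown
# and become executable with the entry point moved into it.
CLEAN_SAMPLE = build_pe(0x1010, [(b".text", 0x1000, 0x1000, 0x60000020),
                                 (b".data", 0x2000, 0x1000, 0xC0000040)])
INFECTED_SAMPLE = build_pe(0x3800, [(b".text", 0x1000, 0x1000, 0x60000020),
                                    (b".data", 0x2000, 0x3000, 0xE0000040)])

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("infected", INFECTED_SAMPLE)):
        print(label, "->", infection_indicators(sample) or "no indicators")
```

Expect false positives from packers and some installers, which also place the entry point in a late, self-modifying section; the value of the check is as a first filter over the .EXE, .SCR, .DLL and .SYS files on a suspect machine, with hits confirmed by hash comparison against a clean copy.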

Based on data from our Smart Protection Network, the following are the top countries affected by this threat:

  • Australia
  • India
  • Japan
  • Italy
  • United States

We’ll update this entry with recent developments on this threat.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro


Story added 22. October 2012, content source with full text you can find at link above.