
Win32.Xorer.EK – Discreet though Highly Intelligent

02 March 2010
The virus that doesn't append itself to the host executable, but appends the host to itself

If you thought you had seen everything in terms of malware infection, here's a news flash: there's a new wonder-virus that doesn't infect your binary files, but rather swallows them all.

Win32.Xorer.EK is an extremely discreet e-threat that, once on the computer, constantly forces you into visiting various websites. Unlike its siblings that corrupt and destroy other files, it prepends its own code to the target executable (the host is appended to the virus, not the other way round), as shown:

[Image: Win32 Xorer]

More than that, in order not to arouse the user's suspicion, it simply borrows the legitimate application's icon. The only symptoms that might hint at an infection are:

  • The presence of a file with a ".pif" extension inside Documents and Settings\[user-name]\Start Menu\Programs\Startup;
  • The presence of a hidden file named "pagefile.pif" in the root directory of a drive, together with an autorun.inf file pointing at it;
  • A slight increase in the infected file's size (about 64 kilobytes of extra code);
  • Slowdowns or forced advertisements inside the Internet Explorer® browser.

When first executed, the virus drops the original host (the uninfected application) as a hidden file named [original-file-name].~tmp.

While the host runs, the virus tries to copy itself to %system%\drivers\lsass.exe. If it succeeds, it executes this fresh copy and continues execution there. If it fails to create the copy, it assumes that it has already infected the system and is active in memory. This is Win32.Xorer.EK's infection routine.


Win32.Xorer.EK creates 4 internal timers, each of which executes a distinct function once a predetermined period of time has elapsed:

  • The 1st timer fires every second and constantly checks for the existence of Documents and Settings\[user-name]\Start Menu\Programs\Startup\~.pif, which is a copy of the virus. If the file is not found, it is recreated immediately. Furthermore, a new copy of the virus is created in the drive root as "pagefile.pif", along with an autorun.inf that points to it. The 1st timer thus acts as a watchdog that ensures the virus has not been removed from the system.
  • The 2nd timer - executed every 15 seconds - searches for a window with "IEFrame" as its class name in order to redirect the browser towards advertising and malicious sites;
  • The 3rd timer - executed every 2 and a half hours - performs the same task as the 2nd timer with one extra function: it opens a new Internet Explorer® process and redirects it towards advertising and malicious sites;
  • The 4th timer - executed every minute - is a back-up for the 3rd timer, since it does the same things.
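The symptom list and the timer description above together give a host-based checklist: an autorun.inf in a drive root launching pagefile.pif, a ~.pif copy in the user's Startup folder, an lsass.exe copy under system32\drivers, and a dropped [name].~tmp beside an infected executable. The script below is an added triage example, not BitDefender's code, that walks a directory tree mirroring a Windows volume and reports those indicators; the exact form of the ~tmp name (app.~tmp or app.exe.~tmp) is an assumption, so both are checked, and the sample tree it builds is constructed for the demonstration.

```python
import os
import re
import tempfile

# open= or shellexecute= line in autorun.inf that launches pagefile.pif
AUTORUN_RE = re.compile(r"^\s*(open|shellexecute)\s*=.*pagefile\.pif", re.I | re.M)

def scan_volume(root):
    """Walk a tree mirroring a Windows volume; return (indicator, path) pairs."""
    findings = []
    autorun = os.path.join(root, "autorun.inf")
    if os.path.isfile(autorun):
        with open(autorun, errors="replace") as fh:
            if AUTORUN_RE.search(fh.read()):
                findings.append(("autorun_runs_pagefile_pif", autorun))
    if os.path.isfile(os.path.join(root, "pagefile.pif")):
        findings.append(("root_pagefile_pif", os.path.join(root, "pagefile.pif")))
    for dirpath, _dirs, files in os.walk(root):
        names = {f.lower(): f for f in files}
        folder = dirpath.replace("/", "\\").lower()
        # watchdog copy the 1st timer keeps recreating in the user's Startup folder
        if folder.endswith("\\start menu\\programs\\startup") and "~.pif" in names:
            findings.append(("startup_tilde_pif", os.path.join(dirpath, names["~.pif"])))
        # the genuine lsass.exe lives in system32 itself, never in system32\drivers
        if folder.endswith("\\system32\\drivers") and "lsass.exe" in names:
            findings.append(("drivers_lsass_exe", os.path.join(dirpath, names["lsass.exe"])))
        for f in files:  # dropped original host beside an infected .exe
            stem, ext = os.path.splitext(f)
            # assumption: the post does not say whether the drop is app.~tmp or app.exe.~tmp
            if ext.lower() == ".exe" and {(stem + ".~tmp").lower(), (f + ".~tmp").lower()} & names.keys():
                findings.append(("host_tmp_companion", os.path.join(dirpath, f)))
    return findings

def build_sample_volume():
    """Constructed sample tree (not a real infection) that exercises every check."""
    root = tempfile.mkdtemp(prefix="xorer_demo_")
    def put(rel, data=b"MZ"):
        path = os.path.join(root, *rel.split("\\"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    put("autorun.inf", b"[autorun]\r\nopen=pagefile.pif\r\n")
    put("pagefile.pif")
    put("Documents and Settings\\alice\\Start Menu\\Programs\\Startup\\~.pif")
    put("WINDOWS\\system32\\drivers\\lsass.exe")
    put("Program Files\\App\\app.exe")
    put("Program Files\\App\\app.exe.~tmp")
    put("Program Files\\Clean\\clean.exe")  # no companion: must not be reported
    return root
```

Running `scan_volume(build_sample_volume())` reports five indicators and leaves clean.exe out; pointing `scan_volume` at a mounted volume applies the same checks to real data.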

History teaches that viruses are far from user-friendly. By design, viruses corrupt and destroy data and ultimately render the system useless. Win32.Xorer.EK blends the spreading mechanisms of worms with the stealthy behavior of Trojans - irrefutable proof that e-threats are constantly evolving!




Loredana sees in BitDefender a new challenge and a fresh approach to her professional development. Her enthusiasm, curiosity and, of course, lots of research, are some of the features that make her a competitive player in the security industry.
