We’re currently investigating several file infectors that have affected several countries, particularly Australia. Trend Micro detects these as PE_XPAJ.C, PE_XPAJ.C-1, PE_XPAJ.C-2, and PE_XPAJ.C-O.
Based on our initial analysis, these PE_XPAJ variants connect to the following C&C servers to send and receive information:
- {BLOCKED}.{BLOCKED}.162.208:35516
- {BLOCKED}.{BLOCKED}.152.218:35516
- {BLOCKED}.{BLOCKED}.71.249:35516
- {BLOCKED}.{BLOCKED}.60.108:35516
- {BLOCKED}.{BLOCKED}.123.153:35516
- {BLOCKED}.{BLOCKED}.132.25:35516
- {BLOCKED}.{BLOCKED}.16.5:389
- {BLOCKED}.{BLOCKED}.0.1:1056
- {BLOCKED}.{BLOCKED}.16.9
- {BLOCKED}.{BLOCKED}.16.10
- {BLOCKED}.{BLOCKED}.183.224:35516
- {BLOCKED}.{BLOCKED}.0.1:1070
- {BLOCKED}.{BLOCKED}.16.12:389
- {BLOCKED}.{BLOCKED}.4.250:80
- {BLOCKED}.{BLOCKED}.204.90:80
- {BLOCKED}.{BLOCKED}.0.1:1043
- {BLOCKED}biok.info
- {BLOCKED}c.com
- {BLOCKED}v.com
- {BLOCKED}tss.info
- {BLOCKED}ifhrf.net
- {BLOCKED}kowab.ru
- {BLOCKED}elertiong.com
- {BLOCKED}xw.ru
- {BLOCKED}naf.ru
- {BLOCKED}ppsfm.org
- {BLOCKED}r.info
- {BLOCKED}j.info
- {BLOCKED}bkxfn.biz
- {BLOCKED}hpte.com
- {BLOCKED}e.ru
- {BLOCKED}fbxrzn.com
- {BLOCKED}etobob.biz
- {BLOCKED}mullpy.info
- {BLOCKED}th.info
- {BLOCKED}medescriptor.com
- {BLOCKED}sncki.info
- {BLOCKED}hyjku.net
- {BLOCKED}mpyzh.net,
- {BLOCKED}hez.com,
- {BLOCKED}knddy.com
- {BLOCKED}vaweonearch.com,
- {BLOCKED}qyhqtb.org
- {BLOCKED}gnfvhz.ru
- {BLOCKED}l.ru
- {BLOCKED}cut.biz
- {BLOCKED}pq.info
- {BLOCKED}o.net
- {BLOCKED}eucnd.biz
The infected file (detected as PE_XPAJ variants) is capable of downloading its mother file and loading it to the memory. As such, the copy of the mother file can be found in Windows folder using random file name and extension. Users will notice the re-infection once these encrypted files exist again in the said Windows folder and use the same filename and extension that was employed before.
PE_XPAJ variants infect EXE, .SCR, .DLL and .SYS files. They also infect the Master Boot Record (MBR) to automatically load itself after the system startup. One of their payloads is click fraud. These variants have the capability to redirect users to ad-clicking scam, to generate profit for the cybercriminals.
Based on our Smart Protection Network, the following are the top countries affected by this threat:
- Australia
- India
- Japan
- Italy
- United States
We’ll update this entry with recent developments on this threat.
Update as of 7:30 PM, October 23, 2012, PDT
How to determine if your system is infected by PE_XPAJ
There are two ways that users and system administrators can use to see if a system has been infected by PE_XPAJ variants. First of all, it will communicate with the command-and-control servers listed above. Secondly, certain files can be found in the Windows directory. This is because PE_XPAJ variants can download its mother file and load it into the memory. As such, a copy of the encrypted mother file can be found in the Windows folder using a random file name and extension.
Users will know that they have been re-infected once these encrypted files exist again in the said folder and use the same name and extension that was used before. Typically, 6-9 files will be present.
This information can be used to easily determine if your system is infected. If the two behaviors below are present, a PE_XPAJ infection is present.
Leave a reply
