Skip to content

Threat Encyclopedia
Export page to PDF
PE_XPAJ.C-O
Aliases: W32.Xpaj.B (Symantec); Virus:Win32/Xpaj.gen!A (Microsoft )
Malware type: File infector
Destructive: No
Platform: Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows 7
Encrypted: Yes
In the wild: Yes

Overview


Infection Channel: Infects files, Dropped by other malware, Downloaded from the Internet

This file infector is part of a malware family that has affected users in Australia and several other countries on October 2012. Besides infecting files, it also infects the affected system's (MBR) Master Boot Record in order to automatically load itself at system startup, making removal difficult.

To get a one-glance comprehensive view of the behavior of this File infector, refer to the Threat Diagram shown below.

This file infector arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It infects the Master Boot Record of the affected system.

It connects to certain websites to send and receive information.

Technical Details


File size: 224,256 bytes
File type: EXE
Memory resident: Yes
Initial samples received date: 24 Apr 2012
Payload: Connects to URLs/IPs, Click fraud

Arrival Details

This file infector arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This file infector drops the following files:

  • %Windows%\qnhn.ain

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

File Infection

This file infector infects the following file types:

  • .DLL
  • .EXE
  • .SCR
  • .SYS

It infects the Master Boot Record of the affected system in order to perform the following routines:

  • to automatically load itself every time the system boots.

Other Details

This file infector connects to the following URL(s) to check for an Internet connection:

  • microsoft.com
  • facebook.com

It connects to the following website to send and receive information:

  • {BLOCKED}iolosto.com

NOTES:

The main payload of this file infector is related to advertising and ad-clicking scam to generate revenue.

This file infector also runs in 64-bit versions of Windows.

It also generates 197 URLs to connect to using a Domain Generation Algorithm.

Solution


Minimum scan engine: 9.300
VSAPI OPR Pattern Version: 9.497.00
VSAPI OPR Pattern Release Date: 31 Oct 2012

Step 1

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Identify files detected as PE_XPAJ.C-O, then restore the Master Boot Record and delete malware files using Recovery Console

[ Learn more ]

Step 3

Search and delete this file

[ Learn more ]
There may be some component files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden files and folders in the search result.
  • %Windows%\qnhn.ain

Step 4

Scan your computer with your Trend Micro product to delete files detected as PE_XPAJ.C-O. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Step 5

Restore your system’s Master Boot Record (MBR)

To restore your system's Master Boot Record (MBR):

  1. Insert your Windows Installation CD into your CD-ROM drive or the USB flash drive then restart your computer.
  2. Press the restart button of your computer.
  3. When prompted, press any key to boot from the CD.
  4. When prompted on the Main Menu, type r to enter the Recovery Console.
    (For Windows 2000 users: After pressing r, type c to choose the Recovery Console on the repair options screen.)
  5. When prompted, type your administrator password to log in.
  6. Once logged in, type the drive that contains Windows in the command prompt that appears, and then press Enter.
  7. Type the following then press Enter:
    fixmbr {affected drive}
    (Note: The affected drive is the bootable drive that this malware/grayware has affected. If no device is specified, the MBR will be written in the primary boot drive.)
  8. Type exit to restart the system.

NOTES:
Trend Micro Rescue Disk scans and cleans systems infected with XPAJ variants. For further instructions on how to use this tool, you may refer to the Rescue Disk Instruction Page.


Did this description help? Tell us how we did.
Analysis By: Roland Marco Dela Paz
Modified By: Mark Joseph Manahan

Connect with us on