Short description
Win32/Xorer.BU is a file infector.
Installation
When executed, the virus drops the following files in the %system%\com\ folder:
- netcfg.000 (45056 B)
- netcfg.dll (45056 B)
- lsass.exe (102400 B)
- smss.exe (9525 B)
- ~.exe (102400 B)

- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
"Type" = "radio"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutorun" = 91
Executable files infection
Win32/Xorer.BU is a prepending virus. The virus searches for executables with one of the following extensions:
- .exe
It infects the following files:
- *htm
- *tml
- *.js
Spreading
The virus copies itself into the root folders of all drives using the following name:
- pagefile.pif (102400 B)
- autorun.inf
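The file indicators from the Installation and Spreading sections, applied to a collected file inventory, as an added example that is not part of the original description. The names `triage` and `SAMPLE`, the use of `C:\Windows\System32` for %system%, and the confidence labels are assumptions of this example, and the sample records are constructed.

```python
import ntpath

# File names and sizes exactly as listed on this page.
COM_DROPS = {"netcfg.000": 45056, "netcfg.dll": 45056, "lsass.exe": 102400,
             "smss.exe": 9525, "~.exe": 102400}
PIF_NAME, PIF_SIZE = "pagefile.pif", 102400

def _split(path):
    """Return (lower-cased folder, lower-cased file name) for a Windows path."""
    return ntpath.split(ntpath.normcase(ntpath.normpath(path)))

def _is_drive_root(folder):
    drive, tail = ntpath.splitdrive(folder)
    return bool(drive) and tail == "\\"

def triage(records, system_dir=r"C:\Windows\System32"):
    """records: (full_path, size_in_bytes) pairs. Returns (path, confidence, reason)."""
    records = list(records)
    # system_dir stands in for %system%; adjust it to the inventoried host (assumption).
    com_dir = ntpath.normcase(ntpath.join(system_dir, "com"))
    # autorun.inf alone is common on benign media, so it only counts beside pagefile.pif.
    pif_roots = {f for f, n in map(_split, (p for p, _ in records))
                 if n == PIF_NAME and _is_drive_root(f)}
    findings = []
    for path, size in records:
        folder, name = _split(path)
        if folder == com_dir and name in COM_DROPS:
            conf = "high" if size == COM_DROPS[name] else "medium"
            findings.append((path, conf, "listed drop name in %system%\\com\\"))
        elif folder in pif_roots and name == PIF_NAME:
            conf = "high" if size == PIF_SIZE else "medium"
            findings.append((path, conf, "pagefile.pif in a drive root"))
        elif folder in pif_roots and name == "autorun.inf":
            findings.append((path, "medium", "autorun.inf beside pagefile.pif"))
    return findings

# Constructed sample inventory (not taken from a real host).
SAMPLE = [
    (r"C:\Windows\System32\lsass.exe", 57344),      # in %system% itself: not flagged
    (r"C:\Windows\System32\com\lsass.exe", 102400),
    (r"C:\WINDOWS\system32\COM\netcfg.dll", 45056),
    (r"C:\Windows\System32\com\smss.exe", 10000),   # name matches, size differs
    (r"E:\pagefile.pif", 102400),
    (r"E:\autorun.inf", 120),
    (r"D:\autorun.inf", 64),                        # no pagefile.pif on D: not flagged
    (r"C:\Users\a\pagefile.pif", 102400),           # not a drive root: not flagged
]
```

Because the virus infects other executables, a clean result from this file-name check does not show that a host is uninfected.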
Other information
The virus can download a file from the Internet. The virus contains a list of (2) URLs. The HTTP protocol is used.
The virus terminates any program that creates a window containing any of the following strings in its name:
- asm
- ollydbg
- ida
- softice
- tapplication
- 360
- ##vso##
- 360
