Based on our initial analysis, these PE_XPAJ variants connect to the following C&C servers to send and receive information:
The infected file (detected as PE_XPAJ variants) is capable of downloading an encrypted copy of its mother file under a randomly generated filename and loading it into memory. As such, a copy of the mother file can be found in the Windows folder under a random file name and extension. Users will notice the re-infection when these encrypted files reappear in the said Windows folder using the same filename and extension that was employed before.
PE_XPAJ variants infect .EXE, .SCR, .DLL and .SYS files. They also infect the Master Boot Record (MBR) so that they are loaded automatically before the OS boots. One of their payloads is click fraud: these variants are capable of redirecting users to ad-clicking scams, generating profit for the cybercriminals.
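The re-infection marker described above (an encrypted copy of the mother file dropped into the Windows folder under a random name and extension, reappearing with the same name after cleanup) suggests a simple defender-side heuristic. The following is an added example, not code from the original post or from the vendor: it flags entries in a (constructed, in-memory) Windows folder listing whose extension is outside an assumed allow-list and whose content has the high byte entropy typical of encrypted data, and compares the result against the names flagged in an earlier scan. The allow-list, the entropy threshold and the sample file names are assumptions for illustration.

```python
import math
import random
from collections import Counter

# Assumed allow-list of extensions normally seen directly in the Windows folder.
EXPECTED_EXTS = {".exe", ".dll", ".sys", ".scr", ".ini", ".log", ".txt", ".dat"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or packed content approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def flag_suspicious(entries: dict, threshold: float = 7.0) -> list:
    """Return names whose extension is unexpected AND whose content looks encrypted.

    entries maps file name -> file content (bytes), i.e. a folder snapshot.
    """
    flagged = []
    for name, content in entries.items():
        ext = name[name.rfind("."):].lower() if "." in name else ""
        if ext not in EXPECTED_EXTS and shannon_entropy(content) >= threshold:
            flagged.append(name)
    return sorted(flagged)


def reinfection_candidates(previously_flagged: set, current_entries: dict) -> list:
    """Names flagged now that were already flagged in an earlier scan.

    A name/extension pair that comes back after cleanup matches the re-infection
    symptom described for PE_XPAJ.
    """
    return sorted(set(flag_suspicious(current_entries)) & previously_flagged)


# Constructed sample snapshot of a Windows folder (not real file contents).
_rng = random.Random(1234)  # fixed seed so the sample is reproducible
SAMPLE_FOLDER = {
    "win.ini": b"[fonts]\r\n[extensions]\r\n" * 40,          # low-entropy text
    "notepad.exe": b"MZ" + b"\x00" * 2000 + b"DOS mode." * 5,  # mostly zero bytes
    # Random bytes stand in for the encrypted mother copy dropped under a random name.
    "qf3k9zt.vxc": bytes(_rng.randrange(256) for _ in range(4096)),
}

if __name__ == "__main__":
    print("flagged now:", flag_suspicious(SAMPLE_FOLDER))
    print("seen before:", reinfection_candidates({"qf3k9zt.vxc"}, SAMPLE_FOLDER))
```

A real scan would read the files from %SystemRoot% and persist the flagged names between runs; any hit should be confirmed with a scanner rather than deleted blindly, since the MBR infection described above will re-drop the file.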