Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    September 2015
    S M T W T F S
    « Aug    
  • Email Subscription

  • About Us

    We’re currently investigating several file infectors that have affected several countries, particularly Australia. Trend Micro detects these as PE_XPAJ.C, PE_XPAJ.C-1, PE_XPAJ.C-2, and PE_XPAJ.C-O.

    Based on our initial analysis, these PE_XPAJ variants connect to the following C&C servers to send and receive information:


    The infected file (detected as PE_XPAJ variants) is capable of downloading randomly generated encrypted filename for its mother and loading it to the memory. As such, the copy of the mother file can be found in Windows folder using random file name and extension. Users will notice the re-infection once these encrypted files exist again in the said Windows folder and use the same filename and extension that was employed before.

    PE_XPAJ variants infect EXE, .SCR, .DLL and .SYS files. They also infect the Master Boot Record (MBR) to automatically load itself before the OS loads. One of their payloads is click fraud. These variants have the capability to redirect users to ad-clicking scam, to generate profit for the cybercriminals.

    Based on our Smart Protection Network, the following are the top countries affected by this threat:

    • Australia
    • India
    • Japan
    • Italy
    • United States

    We’ll update this entry with recent developments on this threat.

    Update as of 7:30 PM, October 23, 2012, PDT

    How to determine if your system is infected by PE_XPAJ

    There are two ways that users and system administrators can use to see if a system has been infected by PE_XPAJ variants. First of all, it will communicate with the command-and-control servers listed above. Secondly, certain files can be found in the Windows directory. This is because PE_XPAJ variants can download its mother file and load it into the memory. As such, a copy of the encrypted mother file can be found in the Windows folder using a random file name and extension.

    Users will know that they have been re-infected once these encrypted files exist again in the said folder and use the same name and extension that was used before. Typically, 6-9 files will be present.

    This information can be used to easily determine if your system is infected. If the two behaviors below are present, a PE_XPAJ infection is present.

    Update as of 4:17 PM, October 24, 2012, PDT

    We spotted the following additional C&C servers where PE_XPAJ connects to:

    Update as of 9:31 AM, October 25, 2012, PDT

    Trend Micro created a Rescue Disk tool to clean systems infected with PE_XPAJ.C.

    The tool includes aggressive detections Cryp_Xin14 and PE_XPAJ.C-1, which are not available in Official Pattern Release.

    Below are the tool’s capabilities:

    • Clean infected MBR (Master Boot Record)
    • Clean files infected by the malware PE_XPAJ.C-1
    • Delete files detected as Cryp_Xin14

    This tool uses a pattern designed only for PE_XPAJ.C-1 and Cryp_Xin14. If system is infected with other malware, users may need to update their Trend Micro software with the latest pattern file. Files that are not cleaned but detected by the Rescue Disk will be quarantined.

    PE_XPAJ.C propagates via mapped drives or shared folders. Affected users are recommended to disable their network shares immediately. Users are also advised to block related malicious URLs and if possible to add in the HOSTS file.

    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon

    • Jim

      @google-aef0713381f9a563f37a867cbeeaad88:disqus It doesn’t necessarily break everything unless it has to quarantine these DLL’s.

      We’ve found repair installs normally work (including one unfortunate server that required Exchange 2003 re-installed).

      You have to assess the risk and time required by looking at your WFBS console reports to get an idea of which dir’s are infected by the virus.

    • cHad PreSlar

      Trend Rescue disk mentioned above kills .DLL’s for nearly every installed application on the PC, corrupting installations such as Adobe Creative Suite and Kaledo Products. Probably better off to do a format and reload the OS since the applications themselves no longer work after the “rescue disc”

    • Marius

      Could you please post the full list with all the IP’s so it can be used to block on the router level.

    • Extradry

      Any fix from trend ……?


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice