Content

W32/Blurt@MM

Type
Virus
SubType
E-mail
Discovery Date
09/04/2003
Length
18,432 bytes
Minimum DAT
4284 (08/11/2003)
Updated DAT
4284 (08/11/2003)
Minimum Engine
5.1.00
Description Added
09/04/2003
Description Modified
11/10/2003 3:02 PM (PT)
Risk Assessment
Corporate User
Low-Profiled
Home User
Low-Profiled

Tab Navigation

Characteristics

This threat is deemed Low-Profiled due to media attention at http://www.theregister.co.uk/content/56/32662.html

McAfee users are proactively protected from this threat when scanning with the 4252 DAT files, compressed executables, and the 4.2.40 scan engine.  4.1.60 engine users are also protected under the same scenario, but also require program heuristics.  The detection name varies with DAT file version and engine, and will be along the lines of W32/Generic or New Worm.

The virus is detected as W32/Generic.worm!irc This worm attempts to spread via Microsoft Outlook, and Internet Relay Chat. The worm also terminates security software, contains a Denial of Service attack payload, a web page overwriting payload, and disables the registry editor and task manager. The virus may be received in an email message as follows:

    Subject : (one of the following)
  • Your Account Infomation.
  • Your Account is on hold.
  • Your Account has been suspended.
  • Account Infomation.
  • Account Invoice.
  • Email Account Infomation.
  • This quaters invoice.
  • Account Billing Information.
  • YOUR ACCOUNT REF:
  • ORDER CONFIRMATION:
  • Account,is on hold.
    Body :
  • Dear Sir,

Followed by

  • Please can you check that your account information is up to date.
    Your details are attached to this email.
  • Please can you confirm that your account information is correct.
    Your current details are attached to this email.
  • Please find attached this quaters invoice for your Internet Account. 
  • Please find your details attached. Thank you.
    Details are attached to this email. 

Followed by

  • Regards, Billing Team.
    Regards, Support Team.
    Attachment : (one of the following)
  • Account Invoice.Doc.exe
  • Your Account.Doc.exe
  • Account Details.Doc.exe
  • Your Account Info.Doc.exe
  • Account Information.Doc.exe
  • Billing Information.Doc.exe
  • Invoice.Doc.exe
  • Account Update.Doc.exe
  • Account Status.Doc.exe
  • Your Account Status.exe

For example:

When the attachment is run (manually accessed with the mouse or keyboard), the virus attempts to copy itself to the PROGRA~1 (Program Files) directory as ACCOUNT_DETAILS.DOC.exe. This failed during testing. A registry key is created to load this, non-existent, file:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Run "Windows Task Manager" = c:\progra~1\ACCOUNT_DETAILS.DOC.exe
A file named WIN32.SORT-IT-OUT-BLAIR.TXT is created on the root directory of the C: drive. This file contains the following text:
  • Infected by the WIN32.SORT-IT-OUT-BLAIR Virus!
The virus contains a payload to overwrite the following files with this text:
  • c:\inetpub\wwwroot\default.asp
  • c:\inetpub\wwwroot\default.htm
  • c:\inetpub\wwwroot\default.html
  • c:\inetpub\wwwroot\index.asp
  • c:\inetpub\wwwroot\index.htm
  • c:\inetpub\wwwroot\index.html
The mIRC script is overwritten with instructions to send the virus to users who join the same channel as the infected user. The following message is sent along with the virus:
    Hey, Do you want to take part of the iRC chain mail world record? If so all you have to do is load up the program add your irc nick and press submit! Just rename the file from .irc to .exe and your ready to go!
The following registry keys are created to disable the registry editor and task manager:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
    Policies\System "DisableRegistryTools" = 1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
    Policies\System "DisableTaskMgr" = 1
On the 11th of the month, an ICMP denial of service attack is launched on the domain www.number-10.gov.uk .

Symptoms

The virus terminates the following processes:

  • ADVXDWIN.EXE
  • ALERTSVC.EXE
  • ALOGSERV.EXE
  • AMON9X.EXE
  • ANTI-TROJAN.EXE
  • ANTS.EXE
  • APVXDWIN.EXE
  • ATCON.EXE
  • ATUPDATER.EXE
  • ATWATCH.EXE
  • AUTODOWN.EXE
  • AVCONSOL.EXE
  • AVE32.EXE
  • AVGCC32.EXE
  • AVGCTRL.EXE
  • AVGSERV.EXE
  • AVGSERV9.EXE
  • AVGW.EXE
  • AVKSERV.EXE
  • AVNT.EXE
  • AVP.EXE
  • AVP32.EXE
  • AVPCC.EXE
  • AVPDOS32.EXE
  • AVPM.EXE
  • AVPTC32.EXE
  • AVPUPD.EXE
  • AVSCHED32.EXE
  • AVSYNMGR.EXE
  • AVWIN95.EXE
  • AVWINNT.EXE
  • AVWUPD32.EXE
  • AVXMONITOR9X.EXE
  • AVXMONITORNT.EXE
  • AVXQUAR.EXE.EXE
  • AVXW.EXE
  • AgentSvr.exe
  • AutoTrace.exe
  • Avgctrl.exe
  • Avsched32.exe
  • BLACKD.EXE
  • BLACKICE.EXE
  • CFIADMIN.EXE
  • CFIAUDIT.EXE
  • CFINET.EXE
  • CFINET32.EXE
  • CLAW95.EXE
  • CLAW95CF.EXE
  • CLEANER.EXE
  • CLEANER3.EXE
  • CMGRDIAN.EXE
  • CONNECTIONMONITOR.EXE
  • CPD.EXE
  • CPDCLNT.EXE
  • DEFWATCH.EXE
  • DOORS.EXE
  • DVP95.EXE
  • DVP95_0.EXE
  • ECENGINE.EXE
  • EFPEADM.EXE
  • ESAFE.EXE
  • ESPWATCH.EXE
  • ETRUSTCIPE.EXE
  • EVPN.EXE
  • EXPERT.EXE
  • F-AGNT95.EXE
  • F-PROT.EXE
  • F-PROT95.EXE
  • F-STOPW.EXE
  • FINDVIRU.EXE
  • FP-WIN.EXE
  • FPROT.EXE
  • FRW.EXE
  • GENERICS.EXE
  • GUARD.EXE
  • GUARDDOG.EXE
  • IAMAPP.EXE
  • IAMSERV.EXE
  • IBMASN.EXE
  • IBMAVSP.EXE
  • ICLOAD95.EXE
  • ICLOADNT.EXE
  • ICMON.EXE
  • ICSUPP95.EXE
  • ICSUPPNT.EXE
  • IFACE.EXE
  • IOMON98.EXE
  • ISRV95.EXE
  • InoRT.exe
  • InoRpc.exe
  • InoTask.exe
  • JEDI.EXE
  • LDNETMON.EXE
  • LDPROMENU.EXE
  • LDSCAN.EXE
  • LOCKDOWN.EXE
  • LOCKDOWN2000.EXE
  • LOOKOUT.EXE
  • LUALL.EXE
  • LUCOMSERVER.EXE
  • MCAGENT.EXE
  • MCMNHDLR.EXE
  • MCSHIELD.EXE
  • MCTOOL.EXE
  • MCUPDATE.EXE
  • MCVSRTE.EXE
  • MCVSSHLD.EXE
  • MGAVRTCL.EXE
  • MGAVRTE.EXE
  • MGHTML.EXE
  • MINILOG.EXE
  • MONITOR.EXE
  • MOOLIVE.EXE
  • MPFTRAY.EXE
  • MWATCH.EXE
  • N32SCANW.EXE
  • NAVAPSVC.EXE
  • NAVAPW32.EXE
  • NAVLU32.EXE
  • NAVNT.EXE
  • NAVW32.EXE
  • NAVWNT.EXE
  • NDD32.EXE
  • NETUTILS.EXE
  • NISSERV.EXE
  • NISUM.EXE
  • NMAIN.EXE
  • NORMIST.EXE
  • NPROTECT.EXE
  • NPSSVC.EXE
  • NSCHED32.EXE
  • NTVDM.EXE
  • NTXconfig.exe
  • NUPGRADE.EXE
  • NVC95.EXE
  • NWService.exe
  • NWTOOL16.EXE
  • Navapw32.exe
  • NeoWatchLog.exe
  • Nui.EXE
  • PADMIN.EOUTPOST.EXE
  • PADMIN.EXE
  • PAVCL.EXE
  • PAVSCHED.EXE
  • PAVW.EXE
  • PCCIOMON.EXE
  • PCCWIN98.EXE
  • PCFWALLICON.EXE
  • PERSFW.EXE
  • POP3TRAP.EXE
  • POPROXY.EXE
  • PORTMONITOR.EXE
  • PROCESSMONITOR.EXE
  • PVIEW95.EXE
  • RAV7.EXE
  • RAV7WIN.EXE
  • REALMON.EXE
  • RESCUE.EXE
  • RTVSCN95.EXE
  • Realmon.exe
  • SAFEWEB.EXE
  • SCAN32.EXE
  • SCAN95.EXE
  • SCANPM.EXE
  • SCRSCAN.EXE
  • SERV95.EXE
  • SMC.EXE
  • SPHINX.EXE
  • SPYXX.EXE
  • SS3EDIT.EXE
  • SWEEP95.EXE
  • SWNETSUP.EXE
  • SYMPROXYSVC.EXE
  • SYMTRAY.EXE
  • SymProxySvc.exe
  • TBSCAN.EXE
  • TC.EXE
  • TCA.EXE
  • TCM.EXE
  • TDS-3.EXE
  • TDS2-98.EXE
  • TDS2-NT.EXE
  • TFAK.EXE
  • VET32.EXE
  • VET95.EXE
  • VETTRAY.EXE
  • VIR-HELP.EXE
  • VPC32.EXE
  • VPTRAY.EXE
  • VSCAN40.EXE
  • VSCHED.EXE
  • VSECOMR.EXE
  • VSHWIN32.EXE
  • VSMAIN.EXE
  • VSMON.EXE
  • VSSTAT.EXE
  • VbCons.exe
  • WATCHDOG.EXE
  • WEBSCANX.EXE
  • WEBTRAP.EXE
  • WFINDV32.EXE
  • WGFE95.EXE
  • WIMMUN32.EXE
  • WRADMIN.EXE
  • WRCTRL.EXE
  • ZAPRO.EXE
  • ZONEALARM.EXE
  • _AVP32.EXE
  • _AVPCC.EXE
  • _AVPM.EXE
  • apvxdwin.exe
  • avkpop.exe
  • avkservice.exe
  • avkwctl9.exe
  • defscangui.exe
  • fameh32.exe
  • fch32.exe
  • fih32.exe
  • fnrb32.exe
  • fsaa.exe
  • fsav32.exe
  • fsgk32.exe
  • fsm32.exe
  • fsma32.exe
  • fsmb32.exe
  • gbmenu.exe
  • gbpoll.exe
  • zapro.exe
  • iamapp.exe
  • netstat.exe
  • nisum.exe
  • ntrtscan.EXE
  • nvsvc32.exe
  • pavproxy.exe
  • pccntmon.EXE
  • pccwin97.EXE
  • pcscan.EXE
  • regedit.exe
  • sbserv.exe
  • sscansvc.exe
  • taskmgr.exe
  • vbcmserv.exe
  • vsmon.exe
  • zonealarm.exe

The virus attempts to stop the following services:

  • Event Log
  • Messenger
  • Zonealarm
  • TrueVector Internet Monitor
  • Norton Antivirus Auto Protect Service
  • Norton Internet Security Accounts Manager
  • Norton Internet Security Proxy Service
  • Norton Internet Security Service 
  • Norton AntiVirus Server
  • Norton AntiVirus Auto Protect Service
  • Norton AntiVirus Client
  • Symantec AntiVirus Client
  • McShield
  • IPSEC Policy Agent
  • DefWatch
  • WMDM PMSP Service

Method of Infection

This virus spreads via Microsoft Outlook (by sending itself to Outlook Address Book recipients) and the mIRC Internet Relay Chat client.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants

    N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • I-Worm.Blare (AVP)
  • W32.Blare@mm (Symantec)
  • WORM_BLARE.A (Trend)

Characteristics

Characteristics -

This threat is deemed Low-Profiled due to media attention at http://www.theregister.co.uk/content/56/32662.html

McAfee users are proactively protected from this threat when scanning with the 4252 DAT files, compressed executables, and the 4.2.40 scan engine.  4.1.60 engine users are also protected under the same scenario, but also require program heuristics.  The detection name varies with DAT file version and engine, and will be along the lines of W32/Generic or New Worm.

The virus is detected as W32/Generic.worm!irc This worm attempts to spread via Microsoft Outlook, and Internet Relay Chat. The worm also terminates security software, contains a Denial of Service attack payload, a web page overwriting payload, and disables the registry editor and task manager. The virus may be received in an email message as follows:

    Subject : (one of the following)
  • Your Account Infomation.
  • Your Account is on hold.
  • Your Account has been suspended.
  • Account Infomation.
  • Account Invoice.
  • Email Account Infomation.
  • This quaters invoice.
  • Account Billing Information.
  • YOUR ACCOUNT REF:
  • ORDER CONFIRMATION:
  • Account,is on hold.
    Body :
  • Dear Sir,

Followed by

  • Please can you check that your account information is up to date.
    Your details are attached to this email.
  • Please can you confirm that your account information is correct.
    Your current details are attached to this email.
  • Please find attached this quaters invoice for your Internet Account. 
  • Please find your details attached. Thank you.
    Details are attached to this email. 

Followed by

  • Regards, Billing Team.
    Regards, Support Team.
    Attachment : (one of the following)
  • Account Invoice.Doc.exe
  • Your Account.Doc.exe
  • Account Details.Doc.exe
  • Your Account Info.Doc.exe
  • Account Information.Doc.exe
  • Billing Information.Doc.exe
  • Invoice.Doc.exe
  • Account Update.Doc.exe
  • Account Status.Doc.exe
  • Your Account Status.exe

For example:

When the attachment is run (manually accessed with the mouse or keyboard), the virus attempts to copy itself to the PROGRA~1 (Program Files) directory as ACCOUNT_DETAILS.DOC.exe. This failed during testing. A registry key is created to load this, non-existent, file:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Run "Windows Task Manager" = c:\progra~1\ACCOUNT_DETAILS.DOC.exe
A file named WIN32.SORT-IT-OUT-BLAIR.TXT is created on the root directory of the C: drive. This file contains the following text:
  • Infected by the WIN32.SORT-IT-OUT-BLAIR Virus!
The virus contains a payload to overwrite the following files with this text:
  • c:\inetpub\wwwroot\default.asp
  • c:\inetpub\wwwroot\default.htm
  • c:\inetpub\wwwroot\default.html
  • c:\inetpub\wwwroot\index.asp
  • c:\inetpub\wwwroot\index.htm
  • c:\inetpub\wwwroot\index.html
The mIRC script is overwritten with instructions to send the virus to users who join the same channel as the infected user. The following message is sent along with the virus:
    Hey, Do you want to take part of the iRC chain mail world record? If so all you have to do is load up the program add your irc nick and press submit! Just rename the file from .irc to .exe and your ready to go!
The following registry keys are created to disable the registry editor and task manager:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
    Policies\System "DisableRegistryTools" = 1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
    Policies\System "DisableTaskMgr" = 1
On the 11th of the month, an ICMP denial of service attack is launched on the domain www.number-10.gov.uk .

Symptoms

Symptoms -

The virus terminates the following processes:

  • ADVXDWIN.EXE
  • ALERTSVC.EXE
  • ALOGSERV.EXE
  • AMON9X.EXE
  • ANTI-TROJAN.EXE
  • ANTS.EXE
  • APVXDWIN.EXE
  • ATCON.EXE
  • ATUPDATER.EXE
  • ATWATCH.EXE
  • AUTODOWN.EXE
  • AVCONSOL.EXE
  • AVE32.EXE
  • AVGCC32.EXE
  • AVGCTRL.EXE
  • AVGSERV.EXE
  • AVGSERV9.EXE
  • AVGW.EXE
  • AVKSERV.EXE
  • AVNT.EXE
  • AVP.EXE
  • AVP32.EXE
  • AVPCC.EXE
  • AVPDOS32.EXE
  • AVPM.EXE
  • AVPTC32.EXE
  • AVPUPD.EXE
  • AVSCHED32.EXE
  • AVSYNMGR.EXE
  • AVWIN95.EXE
  • AVWINNT.EXE
  • AVWUPD32.EXE
  • AVXMONITOR9X.EXE
  • AVXMONITORNT.EXE
  • AVXQUAR.EXE.EXE
  • AVXW.EXE
  • AgentSvr.exe
  • AutoTrace.exe
  • Avgctrl.exe
  • Avsched32.exe
  • BLACKD.EXE
  • BLACKICE.EXE
  • CFIADMIN.EXE
  • CFIAUDIT.EXE
  • CFINET.EXE
  • CFINET32.EXE
  • CLAW95.EXE
  • CLAW95CF.EXE
  • CLEANER.EXE
  • CLEANER3.EXE
  • CMGRDIAN.EXE
  • CONNECTIONMONITOR.EXE
  • CPD.EXE
  • CPDCLNT.EXE
  • DEFWATCH.EXE
  • DOORS.EXE
  • DVP95.EXE
  • DVP95_0.EXE
  • ECENGINE.EXE
  • EFPEADM.EXE
  • ESAFE.EXE
  • ESPWATCH.EXE
  • ETRUSTCIPE.EXE
  • EVPN.EXE
  • EXPERT.EXE
  • F-AGNT95.EXE
  • F-PROT.EXE
  • F-PROT95.EXE
  • F-STOPW.EXE
  • FINDVIRU.EXE
  • FP-WIN.EXE
  • FPROT.EXE
  • FRW.EXE
  • GENERICS.EXE
  • GUARD.EXE
  • GUARDDOG.EXE
  • IAMAPP.EXE
  • IAMSERV.EXE
  • IBMASN.EXE
  • IBMAVSP.EXE
  • ICLOAD95.EXE
  • ICLOADNT.EXE
  • ICMON.EXE
  • ICSUPP95.EXE
  • ICSUPPNT.EXE
  • IFACE.EXE
  • IOMON98.EXE
  • ISRV95.EXE
  • InoRT.exe
  • InoRpc.exe
  • InoTask.exe
  • JEDI.EXE
  • LDNETMON.EXE
  • LDPROMENU.EXE
  • LDSCAN.EXE
  • LOCKDOWN.EXE
  • LOCKDOWN2000.EXE
  • LOOKOUT.EXE
  • LUALL.EXE
  • LUCOMSERVER.EXE
  • MCAGENT.EXE
  • MCMNHDLR.EXE
  • MCSHIELD.EXE
  • MCTOOL.EXE
  • MCUPDATE.EXE
  • MCVSRTE.EXE
  • MCVSSHLD.EXE
  • MGAVRTCL.EXE
  • MGAVRTE.EXE
  • MGHTML.EXE
  • MINILOG.EXE
  • MONITOR.EXE
  • MOOLIVE.EXE
  • MPFTRAY.EXE
  • MWATCH.EXE
  • N32SCANW.EXE
  • NAVAPSVC.EXE
  • NAVAPW32.EXE
  • NAVLU32.EXE
  • NAVNT.EXE
  • NAVW32.EXE
  • NAVWNT.EXE
  • NDD32.EXE
  • NETUTILS.EXE
  • NISSERV.EXE
  • NISUM.EXE
  • NMAIN.EXE
  • NORMIST.EXE
  • NPROTECT.EXE
  • NPSSVC.EXE
  • NSCHED32.EXE
  • NTVDM.EXE
  • NTXconfig.exe
  • NUPGRADE.EXE
  • NVC95.EXE
  • NWService.exe
  • NWTOOL16.EXE
  • Navapw32.exe
  • NeoWatchLog.exe
  • Nui.EXE
  • PADMIN.EOUTPOST.EXE
  • PADMIN.EXE
  • PAVCL.EXE
  • PAVSCHED.EXE
  • PAVW.EXE
  • PCCIOMON.EXE
  • PCCWIN98.EXE
  • PCFWALLICON.EXE
  • PERSFW.EXE
  • POP3TRAP.EXE
  • POPROXY.EXE
  • PORTMONITOR.EXE
  • PROCESSMONITOR.EXE
  • PVIEW95.EXE
  • RAV7.EXE
  • RAV7WIN.EXE
  • REALMON.EXE
  • RESCUE.EXE
  • RTVSCN95.EXE
  • Realmon.exe
  • SAFEWEB.EXE
  • SCAN32.EXE
  • SCAN95.EXE
  • SCANPM.EXE
  • SCRSCAN.EXE
  • SERV95.EXE
  • SMC.EXE
  • SPHINX.EXE
  • SPYXX.EXE
  • SS3EDIT.EXE
  • SWEEP95.EXE
  • SWNETSUP.EXE
  • SYMPROXYSVC.EXE
  • SYMTRAY.EXE
  • SymProxySvc.exe
  • TBSCAN.EXE
  • TC.EXE
  • TCA.EXE
  • TCM.EXE
  • TDS-3.EXE
  • TDS2-98.EXE
  • TDS2-NT.EXE
  • TFAK.EXE
  • VET32.EXE
  • VET95.EXE
  • VETTRAY.EXE
  • VIR-HELP.EXE
  • VPC32.EXE
  • VPTRAY.EXE
  • VSCAN40.EXE
  • VSCHED.EXE
  • VSECOMR.EXE
  • VSHWIN32.EXE
  • VSMAIN.EXE
  • VSMON.EXE
  • VSSTAT.EXE
  • VbCons.exe
  • WATCHDOG.EXE
  • WEBSCANX.EXE
  • WEBTRAP.EXE
  • WFINDV32.EXE
  • WGFE95.EXE
  • WIMMUN32.EXE
  • WRADMIN.EXE
  • WRCTRL.EXE
  • ZAPRO.EXE
  • ZONEALARM.EXE
  • _AVP32.EXE
  • _AVPCC.EXE
  • _AVPM.EXE
  • apvxdwin.exe
  • avkpop.exe
  • avkservice.exe
  • avkwctl9.exe
  • defscangui.exe
  • fameh32.exe
  • fch32.exe
  • fih32.exe
  • fnrb32.exe
  • fsaa.exe
  • fsav32.exe
  • fsgk32.exe
  • fsm32.exe
  • fsma32.exe
  • fsmb32.exe
  • gbmenu.exe
  • gbpoll.exe
  • zapro.exe
  • iamapp.exe
  • netstat.exe
  • nisum.exe
  • ntrtscan.EXE
  • nvsvc32.exe
  • pavproxy.exe
  • pccntmon.EXE
  • pccwin97.EXE
  • pcscan.EXE
  • regedit.exe
  • sbserv.exe
  • sscansvc.exe
  • taskmgr.exe
  • vbcmserv.exe
  • vsmon.exe
  • zonealarm.exe

The virus attempts to stop the following services:

  • Event Log
  • Messenger
  • Zonealarm
  • TrueVector Internet Monitor
  • Norton Antivirus Auto Protect Service
  • Norton Internet Security Accounts Manager
  • Norton Internet Security Proxy Service
  • Norton Internet Security Service 
  • Norton AntiVirus Server
  • Norton AntiVirus Auto Protect Service
  • Norton AntiVirus Client
  • Symantec AntiVirus Client
  • McShield
  • IPSEC Policy Agent
  • DefWatch
  • WMDM PMSP Service

Method of Infection

Method of Infection -

This virus spreads via Microsoft Outlook (by sending itself to Outlook Address Book recipients) and the mIRC Internet Relay Chat client.

Removal -

Removal -

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants -

    N/A