Content

MSIL/Xrove.a

Type
Malware
SubType
Worm
Discovery Date
03/16/2006
Length
Minimum DAT
4720 (03/16/2006)
Updated DAT
4720 (03/16/2006)
Minimum Engine
5.1.00
Description Added
03/16/2006
Description Modified
06/20/2007 12:15 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Overview

MSIL/Xrove.A is a Microsoft .NET “proof of concept” dropper. When run, it will infect Windows systems, including Windows Mobile/CE systems. It can also infect from a PC to a Windows PocketPC that is connected via ActiveSync.

Characteristics

Non-Mobile Payload (e.g., Windows XP)

  • Copies itself to C:\Windows\.exe
  • Adds itself to one of the Windows-startup registry keys (auto-launch on reboot)
  • Copies and runs itself to any ActiveSync-connected devices (terminates after the first)

Mobile Payload (Windows CE or Windows Mobile)

  • Adds itself to the Windows-Startup directory (auto-launch on reboot)
  • Deletes files from My Documents\

In all cases the file name is a random integer, so it will likely be 9 or 10 digits in length—any number between 0 and 4294967295.

Symptoms

MSIL/Xrove.A is distributed in an EXE file named “crossover-poc-final.exe”.

On the PC, MSIL/Xrove.A will copy itself to C:\Windows\.exe and then create a registry key to launch this executable upon Windows Startup by placing a key at: SOFTWARE\Microsoft\Windows\CurrentVersion\Run\.

N.b., the C: drive does not necessarily exist on a Windows system and \Windows does not necessarily exist on the C: drive if it does.

Figure 1--MSIL/Xrove.A, sample registry key and File Name

It will then sit in an infinite loop waiting for an ActiveSync device to connect to the PC. Once a device does make such a connection, the malware will copy itself onto the remote device to \Windows\.exe and then remotely launch the copied executable.

This malware will then terminate its own process after making this single attempt to infect a remote device. Theoretically, this malware would run on a non-PC that had the proper .NET framework; however, there are API calls that are not likely to be supported (e.g., Remote Device API and Registry). Most likely, it would report a missing library error and terminate without having an effect upon the host (the exception handling code is null). This was the observed case on Linux.

On the remote device, MSIL/Xrove.A will copy itself to the \Windows directory upon launch using a random string as a name. It will not check for its own presence there, or as a running process. This, in turn, will cause a geometric growth of the malware upon the mobile device or PC, proportional to the number of reboots, or of ActiveSync connections to an infected PC, that take place.

Contrary to some public reports, it does not spread from Mobile to PC.

If a vulnerable device is attached to an infected PC, the malware will then do the following:

  • Copy itself onto the mobile at \Windows\.exe
  • Launch the copied executable upon the remote device
  • The remote copy will then do the following:
    • Traverse the \My Documents directory and attempt to delete all files it finds
    • Traverse the entire file-system until it locates \Windows
      • Copies itself to \Windows\.exe
      • Creates a link from within \Windows\Startup to the \Windows\.exe

This causes the mobile to have two copies put upon its system upon initial infection.
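The PC-side persistence (a Run-key entry pointing at an integer-named executable in \Windows), the device-side persistence (a Startup link pointing at the same kind of file) and the note that the random integer is "likely 9 or 10 digits" all reduce to one file-naming pattern. The following Python script is an added triage example for that pattern; it is not McAfee's tooling and not the malware's code. It assumes a defender has already exported the Run-key values, a \Windows directory listing and the Startup links into plain Python structures (the sample data inside the script is constructed for the example), and it also works out the digit-length distribution of a uniform 32-bit integer to show where the "9 or 10 digits" estimate comes from.

```python
"""Triage heuristics for the MSIL/Xrove.A file and registry indicators.

Added example, not part of the original advisory. It flags:
  * Run-key values whose command launches <integer>.exe inside a \Windows dir
  * files named <integer>.exe in a \Windows listing
  * Startup links whose target is such a file (device-side persistence)
and computes how likely a uniform 32-bit integer is to have 9 or 10 digits.
All sample data below is constructed for the example.
"""
import ntpath
import re
from typing import Dict, List, Tuple

UINT32_MAX = 4294967295  # upper bound of the random integer, from the advisory
NUMERIC_EXE = re.compile(r"^([0-9]{1,10})\.exe$", re.IGNORECASE)


def is_numeric_exe_name(filename: str) -> bool:
    """True for <integer>.exe with 0 <= integer <= 4294967295."""
    m = NUMERIC_EXE.match(filename)
    return m is not None and int(m.group(1)) <= UINT32_MAX


def in_windows_dir(path: str) -> bool:
    """True if the file sits directly in a directory named Windows
    (C:\\Windows\\x.exe on the PC, \\Windows\\x.exe on the device)."""
    parent = ntpath.dirname(path).rstrip("\\").lower()
    return parent.endswith("\\windows")


def is_xrove_style_path(path: str) -> bool:
    return in_windows_dir(path) and is_numeric_exe_name(ntpath.basename(path))


def command_to_path(command: str) -> str:
    """Executable path from a Run-key command: a quoted path followed by
    arguments is unquoted; a bare command is taken whole."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command


def suspicious_run_values(run_values: Dict[str, str]) -> List[str]:
    """Value names under ...\\CurrentVersion\\Run that launch an Xrove-style file."""
    return [name for name, cmd in run_values.items()
            if is_xrove_style_path(command_to_path(cmd))]


def suspicious_windows_files(listing: List[str]) -> List[str]:
    """File names from a \\Windows listing that match <integer>.exe."""
    return [f for f in listing if is_numeric_exe_name(f)]


def suspicious_startup_links(links: List[Tuple[str, str]]) -> List[str]:
    """Names of \\Windows\\Startup links whose target is an Xrove-style file."""
    return [name for name, target in links if is_xrove_style_path(target)]


def digit_length_probability(n_digits: int) -> float:
    """Probability that a uniform integer in 0..UINT32_MAX prints with
    exactly n_digits decimal digits."""
    lo = 0 if n_digits == 1 else 10 ** (n_digits - 1)
    hi = min(10 ** n_digits - 1, UINT32_MAX)
    if lo > hi:
        return 0.0
    return (hi - lo + 1) / (UINT32_MAX + 1)


# Constructed sample inputs (hypothetical values, not real indicators).
SAMPLE_RUN_VALUES = {
    "ExampleApp": r"C:\Program Files\ExampleApp\app.exe",
    "3721893546": r"C:\Windows\3721893546.exe",
    "Updater": r'"C:\Users\alice\AppData\Local\updater.exe" --quiet',
}
SAMPLE_WINDOWS_LISTING = [
    "explorer.exe", "3721893546.exe", "notepad.exe", "9012.exe",
    "5000000000.exe",  # 10 digits but above 4294967295: not a uint32
]
SAMPLE_STARTUP_LINKS = [
    ("Calendar.lnk", r"\Windows\calendar.exe"),
    ("1187231164.lnk", r"\Windows\1187231164.exe"),
]


def triage_report() -> Dict[str, List[str]]:
    """Run all three checks over the constructed samples."""
    return {
        "run_values": suspicious_run_values(SAMPLE_RUN_VALUES),
        "windows_files": suspicious_windows_files(SAMPLE_WINDOWS_LISTING),
        "startup_links": suspicious_startup_links(SAMPLE_STARTUP_LINKS),
    }


if __name__ == "__main__":
    for kind, hits in triage_report().items():
        print(f"{kind}: {hits}")
    p9, p10 = digit_length_probability(9), digit_length_probability(10)
    print(f"P(9 digits)={p9:.4f}  P(10 digits)={p10:.4f}  P(9 or 10)={p9 + p10:.4f}")
```

The directory check is deliberately strict: \Windows\System32\<integer>.exe is not flagged, because the advisory places the dropped file directly in \Windows. The probability functions confirm the advisory's estimate: a uniformly random 32-bit value has 9 or 10 decimal digits about 97.7% of the time, but short names such as 9012.exe are still possible and are therefore still flagged.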

The binary has an embedded string in it. It was embedded by the author (by using it as a string-constant in a useless comparison operation) in a manner that would cause it to be revealed only to someone that was directly analyzing the malware. It appears to be a kind of manifesto:

the crossover virus - poc - by Dr. Julius Storm - The great walls of China that separated the domains between wired and wireless, desktop and handhelds have been reduce to ruble. Vxers are entering a new era of greater vx possibilities with the chance of reaching more systems around the world than ever before. The viruses of the past are nothing compared to what the future holds. 2006 marks the establishment of a New Cyberworld Order with vxers around the world united at the forefront. The time is now to prepare and defend, are you ready?

Method of Infection

Removal

Use the latest Engine/Dats

Variants

N/A