We have seen malware that infects executables operate so that the malicious code runs first, and is then followed by the execution of host file. The malware XDocCrypt takes this a step further. Besides infecting portable executable files, it also infects Microsoft Word and Excel files. In an infected file, the malware body sits at the beginning of the file and is followed by an infection marker [+++scarface+++], which is followed by the host file in encrypted form.
When an infected file containing W32/XDocCrypt is executed, it drops an infector and a shortcut file in a random folder inside %APPDATA%. It also adds the following registry entry for the shortcut file–so that the infector is launched on rebooting.
- load = “path to shortcut file”
Target of shortcut file dropped by malware.
After this, malware decrypts the host file and drops it into the same folder with the original name but with hidden attributes.
The infection routine is not executed until an argument “-launcher” is passed to the malware. This means whenever an infected file is executed, it will not infect other files–as other malware often does–but drops an infector and a shortcut file to launch the infector when rebooting.
W32/XDocCrypt uses the standard RC4 algorithm to encrypt the host files.
W32/XDocCrypt can infect files present in fixed, removable, and remote drives. The malware infects files in a drive only if the attributes of “System Volume Information” in that drive is just a folder. By default, this will have Folder+System+Hidden attributes.
Once prechecks are successful, the malware infects files that have .doc, .xls or .exe in the filename.
Spotting an Infected File:
Once the malware infects a document, it will rename the file. While renaming the file, the malware adds the Unicode character 202E.
test.doc is renamed to testU+202Ecod.scr
test.xls is renamed to testU+202Eslx.scr
Due to the presence of special the Unicode character in the filename, Windows Explorer shows these filenames as testrcs.doc and testrcs.xls. The extension .scr (for screensaver) is not visible. But the file type in Explorer is shown correctly. Even the command prompt will show the infected name correctly, as shown below:
The infected filenames as shown by Windows Explorer.
The infected filenames as shown by the command prompt.
If the malware is running in infection mode, it can be terminated by launching Task Manager.
Recovering the Original File:
Because the encryption used by the malware is symmetric, we can retrieve the original file by using the same key and algorithm.
McAfee products detect this threat as W32/XDocCrypt.a and restore the original file and rename the file to its original state.