W32/Xirtem@@MM is a fast-spreading and active worm, discovered in late 2008, that uses a variety of methods to propagate. The principal way of infecting other machines is by sending a copy of itself via email. To do that, the malware uses its own SMTP client. In addition, one of the most well-known methods employed by this threat is to infect USB drives by creating autorun.inf files. This method works well because Xirtem will execute when an infected USB drive is inserted into any Windows computer that has enabled the AutoRun feature. Another way the worm spreads is via peer-to-peer (P2P) networking, by copying itself to shared folders commonly used by P2P file-sharing applications (such as Grokster, LimeWire, and Morpheus). Seeing worms propagate via email and USB devices is not new. What we have seen from Xirtem that is new is the capability to search for and repack existing executable files on network shares into a self-extracting CAB installer that contains both the user’s clean file(s) as well as a copy of Xirtem.
A cabinet file (.cab) is a compressed file archive (like a .zip or .rar). Cabinet files are commonly used to organize installation files because they can include information about other .cab files that are required for installation. However, .cab files don’t include a mechanism for installing files onto systems; they are only compressed file archives. For this reason, Microsoft provides a separate way for users to extract data: self-extracting cabinet files. Self-extracting cabinet files (SFXs) are normal .cab files plus an executable file (extract.exe) provided by Microsoft. Xirtem tricks users into clicking icons of what appear to be common CAB/SFX files for extracting applications:
When the infected CAB/SFX file is executed, its primary job is to drop a copy of itself in the %tmp%/IXP000.tmp directory (as document.exe), a different executable in the %system% directory (NvMcTray.exe, currently detected as Hiloti) and another DLL with a random name that is also a component of Hiloti in the %windows% directory. The execution order of the threat follows:
During execution we see only Hiloti. So who is sending malicious emails and infecting USB sticks when they are connected to the infected machine? The answer is Xirtem. However, we can’t see Xirtem because the process is hidden from Task Manager. In other words: This malware has rootkit functionality. Further, the newest capability of Xirtem is infecting executable files on network shares using the command-line tool iexpress to compress clean and malicious files together and create a CAB/SFX file. The process executing this task is not Hiloti, as we might think after reviewing the execution order; it’s actually Xirtem using the hidden process located in the %tmp% folder. A short command-line screen shows the malware running the CAB/SFX infection:
This process will be triggered only if a network share is mounted as a network drive (using Windows’ “Map Network Drive” function) and only if the share contains executable files. There are two ways to recover the clean executable and delete the malicious one:
- Run the following command from the command line: filename.exe /T:<temporary folder> /C /Q (for example X:\>notepad.exe /T:X:\temp /C /Q). This command will extract both files to the <temporary folder> specified above. After that, run On-Demand Scan to detect and remove the malicious file.
- Install file compression software such as 7-Zip to open the CAB/SFX file and extract the clean file. Afterward, consider deleting the original infected executable:
W32/Xirtem@MM is a very active worm that tries to spread itself using a wide variety of methods. Xirtem also has some unpleasant characteristics, such as dropping other pieces of malware (Hiloti) and hiding itself using rootkit functionality. This threat includes the CAB/SFX infection vector, which for nontechnical users could be unexpected and hard to combat. Fortunately, it is easy to recover the clean files infected on network shares using the two methods I’ve mentioned here. All threats mentioned in this post are detected as W32/Xirtem@MM and W32/Hiloti.gen.[variant] in the current DATs.