{"id":7204,"date":"2011-01-07T15:34:45","date_gmt":"2011-01-07T23:34:45","guid":{"rendered":"http:\/\/blogs.mcafee.com\/?p=7204"},"modified":"2025-06-08T20:06:22","modified_gmt":"2025-06-09T03:06:22","slug":"xirtem-worm-hides-in-cabsfx-files","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/xirtem-worm-hides-in-cabsfx-files\/","title":{"rendered":"Xirtem Worm Hides in CAB\/SFX Files"},"content":{"rendered":"

W32\/Xirtem@@MM is a fast-spreading and active worm, discovered in late 2008, that uses a variety of methods to propagate. The principal way of infecting other machines is by sending a copy of itself via email. To do that, the malware uses its own SMTP client. In addition, one of the most well-known methods employed by this threat is to infect USB drives by creating autorun.inf files. This method works well because Xirtem will execute when an infected USB drive is inserted into any Windows computer that has enabled the AutoRun feature. Another way the worm spreads is via peer-to-peer (P2P) networking, by copying itself to shared folders commonly used by P2P file-sharing applications (such as Grokster, LimeWire, and Morpheus). Seeing worms propagate via email and USB devices is not new. What we have seen from Xirtem that is new is the capability to search for and repack existing executable files on network shares into a self-extracting CAB installer that contains both the user\u2019s clean file(s) as well as a copy of Xirtem.<\/p>\n

A cabinet file (.cab) is a compressed file archive (like a .zip or .rar). Cabinet files are commonly used to organize installation files because they can include information about other .cab files that are required for installation. However, .cab files don\u2019t include a mechanism for installing files onto systems; they are only compressed file archives. For this reason, Microsoft provides a separate way for users to extract data: self-extracting cabinet files. Self-extracting cabinet files (SFXs)<\/a> are normal .cab files plus an executable file (extract.exe) provided by Microsoft. Xirtem tricks users into clicking icons of what appear to be common CAB\/SFX files for extracting applications.<\/p>\n

When the infected CAB\/SFX file is executed, its primary job is to drop a copy of itself in the %tmp%\/IXP000.tmp directory (as document.exe), a different executable in the %system% directory (NvMcTray.exe, currently detected as Hiloti) and another DLL with a random name that is also a component of Hiloti in the %windows% directory.<\/p>\n

 <\/p>\n

During execution we see only Hiloti. So who is sending malicious emails and infecting USB sticks when they are connected to the infected machine? The answer is Xirtem. However, we can\u2019t see Xirtem because the process is hidden from Task Manager. In other words: This malware has rootkit functionality. Further, the newest capability of Xirtem is infecting executable files on network shares using the command-line tool iexpress to compress clean and malicious files together and create a CAB\/SFX file. The process executing this task is not Hiloti, as we might think after reviewing the execution order; it\u2019s actually Xirtem using the hidden process located in the %tmp% folder. A short command-line screen shows the malware running the CAB\/SFX infection.<\/p>\n

Ways to Recover Your Clean Data<\/h2>\n

This process will be triggered only if a network share is mounted as a network drive (using Windows’ \u201cMap Network Drive\u201d function) and only if the share contains executable files. There are two ways to recover the clean executable and delete the malicious one:<\/p>\n