W32/Xipi-A

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: No Reports


W32/Xipi-A is a P2P worm for the Windows platform.

W32/Xipi-A spreads via file sharing on WinMX, Tesla, LimeWire, Morpheus, eMule, Overnet, eDonkey2000, Bearshare, KCeasy, Grokster, ICQ, TorrenTopia, Kazaa and Kazaa Lite networks. W32/Xipi-A may email itself to contacts in the Microsoft Outlook and Windows address books.

W32/Xipi-A includes functionality to steal confidential information and inject its code into EXPLORER.EXE.

When first run, W32/Xipi-A copies itself to <System>\jxef1104.exe.

W32/Xipi-A then searches for the above-mentioned P2P applications and copies itself to the shared folders of these applications using any of the following filenames:

DOOM3_cracked.exe
OVERNET_eDonKey_cracked.exe
PHOTOSHOP CS 2005 (spanish).exe
eXeem_evaluation_version_beta.exe
Enciclopedia Encarta 2005 Deluxe.exe
PHOTOSHOP 8.1 (Spanish version) (plug-in extras).exe
Paulina_Rubio_trasero.jpg .exe
Britney_Spears.jpg .exe
Cristina_Aguilera_nude!.jpg .exe
Rita_Faltoyano_nude_trasero.jpg .exe
Bradd_Pitt_nude.jpg .exe
fotos_Bisbal_playa_2004.jpg .exe
5_fotos_de_BISBAL_2003.jpg .exe
Nacho_Vidal_por_la_puerta_trasera.mpg .exe
Cannabis.jpg .exe
XXX_.jpg .exe
VideoX_con_fotos_nenazas.mpg .exe
Sex.mpeg .exe
HardPorn.mpg .exe
10_big_images_Jenna_Jameson.jpg .exe
las_mejores_imagenes_de_Rocio_Madrid.jpg .exe
la_verdadera_cara_de_Lokutus_(imagenes_y_emails).jpg .exe
la_verdadera_jeta_de_GriYo_(imagenes_y_emails).jpg .exe
la_verdadera_cara_de_NetSAVAGE_(imagenes_y_emails).jpg .exe
la_verdadera_cara_de_Nennito_(imagenes_y_emails).jpg .exe
la_verdadera_jeta_de_Garrafon_(imagenes_y_emails).jpg .exe
la_verdadera_jeta_de_GuYRuleZ_(imagenes_y_emails).jpg .exe
la_verdadera_cara_de_TeToniK_(imagenes_y_emails).jpg .exe
las_fotos_de_Tella_y_milon_dandose_el_lote_(montaje_PhotoSho .exe
10_imagenes_de_Harry_Potter.jpg .exe
ZIP_extractor_las_fotos_de_Patricia_Gaztanaga.jpg .exe
SOFIA_NIETO_PACK_mejores_fotos.jpg .exe
formula_de_la_polvora.zip .exe
mis_fotos.jpg .exe
documentos_privados_23F.jpg .exe
documentos_ineditos_11S.jpg .exe
imagenes_ineditas_golpe_estado_23F.jpg .exe
no_compartir_mi_novia_en_pelotas.mpg. .exe
lo_mas_duro_del_porno_casero.jpg .exe
las_fotos_de_Irak_(ineditas!!!).jpg .exe
s_CAP3.jpg .exe
HUMANO.jpg .exe
MUSIC.jpg .exe
MUJER.jpg .exe
HOMBRE.jpg .exe
CONFESION.jpg .exe
INFIEL.jpg .exe
BELLEZA.jpg .exe
LISTArc.jpg .exe
DESEOS.jpg .exe
SECRETO.jpg .exe
CLAVE.jpg .exe
YO.jpg .exe
FEOS.jpg .exe
PASION.jpg .exe
CITA2.jpg .exe
GORDA.jpg .exe
CUERPO.jpg .exe
MONSTRUO.jpg .exe
JOVEN.jpg .exe
Depeche_Mode_caratulas.jpg .exe
GriYo.jpg .exe
FreiHeit.jpg .exe
Slow.jpg .exe
Zert.jpg .exe
bi0s.jpg .exe
khanete.jpg .exe
VeNt0r.jpg .exe
ByTracK.jpg .exe
SourViVor.tiff .exe
OuterMind.jpg .exe
ViR[-_-].jpg .exe
[Pr0zAk].jpg .exe
n8fall.jpg .exe
V|RuZ.jpg .exe
Xezaw.jpg .exe
Rojie.jpg .exe
Voider.jpg .exe
ASzY.jpg .exe
Pr0zAk.jpg .exe
NiGtHmArE.jpg .exe
Radar.jpg .exe
_kRaKeR_.jpg .exe
Virico.jpg .exe
ShAdOwS_T.jpg .exe
The6Guest.jpg .exe
The7Guest.jpg .exe
The8Guest.jpg .exe
The9Guest.jpg .exe
TheWizard.jpg .exe
Tux.jpg .exe
W666_.jpg .exe
GoN_.jpg .exe
rmd160.jpg .exe
Gon_.jpg .exe
eSn_mTn.jpg .exe
_isaac_.jpg .exe
ReeD_.jpg .exe
[sick].jpg .exe
FreSnor.jpg .exe
GomeZ.jpg .exe
krabe_.jpg .exe
iS0tope.jpg .exe
FREEDOM.jpg .exe
MeTaLGoD.jpg .exe
Wintermute.jpg .exe
cintas_del_11M.jpg .exe
caja_negra_avion_11S.jpg .exe
pocholo_en_pelotas_saliendo_del_rio.jpg .exe
Aida_Gran_Hermano_la_foto_censurada.jpg .exe
Julia_Otero_tanga.jpg .exe
Sarda_despotrica_contra_Rocio_Madrid.jpg .exe
Ibarretxe_a_microfono_cerrado.jpg .exe
captura_primer_plan_Ibarretxe.jpg .exe
caratula_Buleria_David_Bisbal.jpg .exe
Tom_Cruise_vestuario_El_Ultimo_Samurai.jpg .exe
Pamela_Anderson_antes_y_despues.jpg .exe
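
Most of the names above hide the real .exe extension behind a decoy media extension and padding whitespace. The following added example (not Sophos code) flags that naming pattern in a shared folder; the function names, the sample list and the executable extensions other than .exe are assumptions made for illustration.

```python
import os
import re

# Decoy extensions are the ones seen in the list above; the executable
# extensions other than .exe are an assumption added for this example.
DECOY = r"jpg|jpeg|mpg|mpeg|tiff|zip"
REAL = r"exe|scr|pif|com"
DOUBLE_EXT = re.compile(rf"\.({DECOY})[\s.]*\.({REAL})\s*$", re.I)
PADDED_EXT = re.compile(rf"\s\.({REAL})\s*$", re.I)


def classify(filename):
    """Return (reason, decoy_extension) for a lure-style name, else None."""
    m = DOUBLE_EXT.search(filename)
    if m:
        return ("double-extension", m.group(1).lower())
    if PADDED_EXT.search(filename):
        # Whitespace pushes the real extension out of view in narrow columns.
        return ("padded-extension", None)
    return None


def scan_names(filenames):
    """Map each suspicious name to its classification."""
    hits = {}
    for name in filenames:
        verdict = classify(name)
        if verdict:
            hits[name] = verdict
    return hits


def scan_tree(root):
    """Walk a shared folder and return full paths of suspicious files."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        found += [os.path.join(dirpath, f) for f in files if classify(f)]
    return found


# Constructed sample: four names from the list above plus two benign files.
SAMPLE = [
    "Britney_Spears.jpg .exe",
    "no_compartir_mi_novia_en_pelotas.mpg. .exe",
    "las_fotos_de_Tella_y_milon_dandose_el_lote_(montaje_PhotoSho .exe",
    "DOOM3_cracked.exe",
    "holiday.jpg",
    "setup.exe",
]

if __name__ == "__main__":
    for name, verdict in scan_names(SAMPLE).items():
        print(verdict, repr(name))
```

Names with a single plain extension, such as DOOM3_cracked.exe, do not match this pattern and need exact-name matching or antivirus detection instead.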

Once installed, W32/Xipi-A creates a ZIP file of the worm as <current folder>\<pathname of the worm executable>.zip and an encrypted version of the worm as jxef_n3x763n3r47ion.tea. These two files are also detected as W32/Xipi-A.

W32/Xipi-A also creates the following files:

<System>\xrf_dbx.xrf
<System>\xrf_htm.xrf
<System>\xrf_wab.xrf

These files may be deleted.

The following registry entries are created to run jxef1104.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
jxef1104
<System>\jxef1104.exe