The original malware file is packed with the FSG packer. After unpacking, it uses an interesting trick to avoid detection by HIPS products or any other application that applies some kind of firewall policy.

The malware disguises itself as an Internet Explorer process. It creates a suspended instance of Internet Explorer, decrypts and injects its malicious code into the executable image of the newly created process, and then resumes the IE instance after redirecting the instruction flow to the injected code. The malicious code now runs as a legitimate Internet Explorer process, inheriting all the rights and firewall exceptions granted to it.
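A detector for the sequence just described, as an added example that is not part of the original post: it correlates a suspended process creation with later memory or thread-context writes and a ResumeThread issued by the same parent. The telemetry format, pids and image names are constructed for the example (a hypothetical key=value log, not any real product's output).

```python
import re

# Constructed sample of API-call telemetry (hypothetical sandbox/EDR format, not a
# real product's log). Each line: <seq> pid=<caller> api=<name> key=value ...
SAMPLE_LOG = """\
1 pid=1337 api=CreateProcessW image=iexplore.exe flags=0x4 child=2048
2 pid=1337 api=WriteProcessMemory target=2048 size=24576
3 pid=1337 api=SetThreadContext target=2048
4 pid=1337 api=ResumeThread target=2048
5 pid=4242 api=CreateProcessW image=notepad.exe flags=0x4 child=4300
6 pid=4242 api=ResumeThread target=4300
"""

CREATE_SUSPENDED = 0x4  # dwCreationFlags bit set when the child starts suspended
# Steps a hollowing loader performs on the suspended child before resuming it.
TAMPER_APIS = {"WriteProcessMemory", "SetThreadContext"}

def parse_event(line):
    """Turn one telemetry line into a dict of its key=value fields plus seq."""
    seq, rest = line.split(" ", 1)
    fields = dict(re.findall(r"(\w+)=(\S+)", rest))
    fields["seq"] = int(seq)
    return fields

def detect_hollowing(log_text):
    """Return (parent_pid, child_pid, image) for each child that was created
    suspended, had its memory or thread context rewritten by its parent, and
    was then resumed. A suspended child that is merely resumed is not flagged."""
    state = {}   # child pid -> {"parent", "image", "tampered"}
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        api, pid = ev["api"], ev["pid"]
        if api == "CreateProcessW" and int(ev.get("flags", "0"), 16) & CREATE_SUSPENDED:
            state[ev["child"]] = {"parent": pid, "image": ev["image"], "tampered": False}
            continue
        child = state.get(ev.get("target"))
        if not child or child["parent"] != pid:
            continue  # only the creating process is tracked as a possible hollower
        if api in TAMPER_APIS:
            child["tampered"] = True
        elif api == "ResumeThread":
            if child["tampered"]:
                alerts.append((pid, ev["target"], child["image"]))
            del state[ev["target"]]  # one verdict per child
    return alerts

if __name__ == "__main__":
    for parent, child, image in detect_hollowing(SAMPLE_LOG):
        print(f"possible process hollowing: pid {parent} rewrote suspended {image} (pid {child})")
```

The benign notepad.exe launch (suspended, then resumed with no writes in between) produces no alert, which is the distinction a real rule needs to avoid flagging debuggers and launchers.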

After installing itself on the infected computer, Xorpix opens a backdoor connection, inviting the attacker to use the computer as a proxy for other malicious activities. The attacker is notified of the infection via an HTTP request to a carefully crafted URL that contains the host's address, the open port and other information about the infected computer, such as the operating system version.

Trojan.Proxy.Xorpix.B belongs to a family of trojans that let a remote attacker control the infected machine and use it to relay traffic to the Internet without the user's knowledge, making it part of a large network of infected computers.

Xorpix opens a large security hole on your computer and is a very dangerous threat to the security of your personal and financial data. It installs as a hidden system file and can be extremely difficult to remove manually.

More details here.

About the author

The meaning of Bitdefender’s mascot, the Dacian Draco, an ancient symbol that depicts a mythical animal with a wolf’s head and a dragon’s body, is “to watch” and to “guard with a sharp eye.” Like our mascot, we are committed to using Bitdefender Labs, our world-class research team, to vigilantly find and eradicate threats for our customers, and to use our platform for the larger good.