The original malware file is packed with the FSG packer. After unpacking, it performs an interesting trick to avoid detection by HIPS (host intrusion prevention) systems or any other application that implements some kind of firewall function.

The malware disguises itself as an Internet Explorer process. It creates a suspended instance of Internet Explorer, decrypts and injects its malicious code into the executable image of the newly created process, and then resumes the IE instance after modifying its instruction flow to point at the injected code. The malicious code now runs as a legitimate Internet Explorer process, helping itself to all the rights and firewall exceptions granted to such a process.
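The sequence just described (suspended process creation, a write into the child's memory, redirection of the thread's entry point, resume) is exactly what a host-based detector can watch for. The following is an added example, not code from the original post or from any vendor product: it runs an ordered-sequence check over a constructed API-call trace whose line format and field names are assumptions made for this illustration.

```python
"""Flag the suspended-create / write / SetThreadContext / resume pattern.

Trace format (an assumption for this example, not a real sandbox format):
one API call per line, "<caller pid> <api> key=value ...".
"""
from collections import defaultdict

CREATE_SUSPENDED = 0x4  # CreateProcess creation flag

# Constructed sample trace: pid 1001 hollows a suspended iexplore.exe (2002);
# pid 3005 launches notepad normally and is not flagged.
SAMPLE_TRACE = """\
1001 CreateProcessW image=iexplore.exe flags=0x4 child=2002
1001 VirtualAllocEx target=2002 size=0x3000
1001 WriteProcessMemory target=2002 size=0x2a00
1001 SetThreadContext target=2002
1001 ResumeThread target=2002
3005 CreateProcessW image=notepad.exe flags=0x0 child=3006
3005 ResumeThread target=3006
"""

# The three calls that must follow a suspended creation, in this order.
HOLLOW_STEPS = ("WriteProcessMemory", "SetThreadContext", "ResumeThread")


def parse_line(line):
    """Split one trace line into (caller pid, api name, {key: value})."""
    pid, api, *rest = line.split()
    return pid, api, dict(kv.split("=", 1) for kv in rest)


def find_hollowing(trace):
    """Return (parent_pid, child_pid, image) for every child that its parent
    created suspended and then wrote to, re-pointed and resumed, in order."""
    suspended = {}            # child pid -> (parent pid, image name)
    stage = defaultdict(int)  # child pid -> number of HOLLOW_STEPS seen
    hits = []
    for line in trace.splitlines():
        pid, api, kv = parse_line(line)
        if api == "CreateProcessW" and int(kv["flags"], 16) & CREATE_SUSPENDED:
            suspended[kv["child"]] = (pid, kv["image"])
            continue
        child = kv.get("target")
        # Only calls from the creating parent against its suspended child count.
        if child not in suspended or suspended[child][0] != pid:
            continue
        if api == HOLLOW_STEPS[stage[child]]:
            stage[child] += 1
            if stage[child] == len(HOLLOW_STEPS):
                parent, image = suspended.pop(child)
                hits.append((int(parent), int(child), image))
    return hits
```

A real implementation would take the same events from an API monitor or EDR sensor; the ordering check is what separates this pattern from a benign debugger or installer that merely creates a process suspended.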

After installing itself on the infected computer, Xorpix opens a backdoor connection, inviting the attacker to use the computer as a proxy for other malicious activities. The attacker is notified of the infection by an HTTP request with a carefully crafted URL that contains the host's address, the open port and other information about the infected computer, such as the version of the operating system.

Trojan.Proxy.Xorpix.B is part of a family of trojans that allow a remote attacker to control the infected machine and use it to route traffic to the Internet without the user's knowledge, making it part of a large network of infected computers.

Xorpix opens a large security hole in your computer and is a very dangerous threat to the security of your personal and financial data. It installs as a hidden system file and can be extremely difficult to remove manually.

More details here.
