[Malware Review] Win32.Xorer.EK

The virus that doesn

If you thought you had seen everything in terms of malware infection, here’s a news flash: there’s a new wonder-virus that doesn’t infect your binary files, but rather swallows them all.

Win32.Xorer.EK is an extremely discrete e-threat that, once on the computer, will constantly force you into visiting various websites. Unlike its siblings that corrupt and destroy other files, it prepends the target-executable to itself, as shown:

 More than that, in order not to cast any suspicion to the user, it simply borrows the legitimate application’s icon. The only symptoms that might hint the user about an infection are:

  • The presence of a “.pif”-appended file inside documents and settings[user-name]Start MenuProgramsStartup
  • The presence of a hidden file named “pagefile.pif”, and an autorun.inf file inside root directories of drives pointing at it;
  • A slight increase in the file’s size (about 64 Kilobytes of extra code);
  • Any signs of slowdowns or forceful advertisements inside the Internet Explorer

About the author


A blend of teacher and technical journalist with a pinch of e-threat analysis, Loredana Botezatu writes mostly about malware and spam. She believes that most errors happen between the keyboard and the chair. Loredana has been writing about the IT world and e-security for well over five years and has made a personal goal out of educating computer users about the ins and outs of the cybercrime ecosystem.