Author Topic: xrun.exe & xpre.exe  (Read 4427 times)

Cross

  • Guest
xrun.exe & xpre.exe
« on: July 30, 2007, 08:53:57 PM »
I just thought you guys might want to include xrun.exe & xpre.exe in your list of blacklist files.

They are usually found in the "C:\Local Settings\"user"\temp" folder.  They usually launch other services/actions.

These files have been listed pretty much everywhere else as threats (trojans/trojan loaders, etc.).

I've had to manually remove these files on many systems.  Most of these systems have Avast running. 

This is very annoying.  Please fix this in the next database update.

Thanks in advance. :)

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89053
  • No support PMs thanks
Re: xrun.exe & xpre.exe
« Reply #1 on: July 30, 2007, 09:12:55 PM »
Listing a file name is pointless as there is no guarantee based on file names. What is needed are samples so that they can be analysed and signatures of malware can be made; it is these signatures that are the method of detection and not file names, which can and do change.

Send the sample to virus@avast.com zipped and password protected with password in email body and false positive/undetected malware in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner. I feel VirusTotal is the better option as it uses the Windows version of avast (more packers supported) and there are currently 30 different scanners.

Or Jotti - Multi engine on-line virus scanner. If any other scanners here detect them, it is less likely to be a false positive. Whichever scanner you use, you can't do this with the file in the chest; you will need to move it out.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: xrun.exe & xpre.exe
« Reply #2 on: July 30, 2007, 09:19:36 PM »
Hi Cross and DavidR,

Then there is another thing here: it depends on where this file runs whether it is flagged as malware. Some malware poses as genuine files or uses names similar to genuine file names.
xrun.exe file information

The process belongs to the software XRUN.EXE by unknown.

Description: File xrun.exe is located in the folder C:\Windows\System32. The file size on Windows XP is 26624 bytes.
The program has a visible window. Program has no file description. The application is loaded during the Windows boot process (see Registry key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run). xrun.exe is not a Windows system file. xrun.exe is able to monitor applications. Therefore the technical security rating is 36% dangerous.

Important: Some malware camouflage themselves as xrun.exe, particularly if they are located in the c:\windows or c:\windows\system32 folder. Thus check the xrun.exe process on your PC to see whether it is a pest. You can use Security Task Manager for verifying your computer's security.

For xpre.exe a spyware executable see the info here:
http://virusinfo.prevx.com/pxparall.asp?PXC=25b2101823694

polonus
« Last Edit: July 30, 2007, 09:21:34 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Cross

  • Guest
Re: xrun.exe & xpre.exe
« Reply #3 on: July 30, 2007, 11:26:28 PM »
Thank you very much for your replies.

The problem is the files themselves are not the malware.  Thus, they do not have the signatures that avast would look for.

They are usually dropped in from a site and triggered with a js.  They reside in memory, releasing startup scripts, cloaked until the user restarts the machine.  That is when the problems begin (during restart).

The code the files release is implemented at startup and new random files are created (including reg entries) that are trojans, malware, etc.

Therefore, the infections that are picked up are true infections, but they are not the actual cause.  The actual causes are xrun.exe and xpre.exe.  These files eventually show up in prefetch as well.

Another interesting thing I have seen is that these files actually mutate in time as well.  That is why truly pinpointing the signatures could prove to be quite difficult.  That is why I was requesting a possible "blacklist" of these file names.

xrun.exe and xpre.exe are not used in any current software package that I am aware of.  Blacklisting would be a good way to prevent infection in special cases such as this.

I'm not trying to upset anyone with this.  I am just making a suggestion that would help myself and others be more productive.

Cross

  • Guest
Re: xrun.exe & xpre.exe
« Reply #4 on: July 30, 2007, 11:41:21 PM »
Here is a quote from http://www.prevx.com/filenames/X8510371679546213-1909066805/XRUN.EXE.html

*****************************************
The unsafe files using this name are associated with the malware group CWS.Paytime-Hijacker. Some files using the name XRUN.EXE are also associated with the malware group Trojan.Banker.

These files have no vendor, product or version information specified in the file header.


XRUN.EXE has been seen to perform the following behavior(s):
  • This Process Creates Other Processes
  • Executes a Process
  • Writes to another Process's Virtual Memory (Process Hijacking)
  • This Process Deletes Other Processes
  • Adds of a Registry Key (RUN) to auto start Programs on system start up
  • Makes outbound connections to other computers using NETBIOSOUT protocols
  • Registers a Dynamic Link Library File
  • Can communicate with other computer systems using HTTP protocols
  • Can make outbound communication to other computers, IM chat rooms and other services using IRC protocols
  • Disables the DCOM Ability within Windows
  • Can communicate with other computers using TCP protocols
  • The Process is packed and/or encrypted using a software packing process
  • Enables an In Process Object/Server - Common with DLL Injections
  • Creation and Registration of a Browser Helper Object in Internet Explorer
  • The Process is polymorphic and can change its structure
  • Executes Processes stored in Temporary Folders
  • Registers a Windows APPINIT DLL To be loaded in all processes

XRUN.EXE has been the subject of the following behavior(s):
  • Executed a Process
  • Writes to another Process's Virtual Memory (Process Hijacking)
  • Addition of a Registry auto start to load Program on Boot up
  • Process creation
  • Process deletion
  • Victim of a Heap Based Buffer Overflow
  • Terminated as a Process
  • Executed from Temporary Folders
  • Executed by Internet Explorer


Some more info is available here:

http://www.lyberty.com/blog/2007/06-june/under-attack.html

and here (xpre.exe):

http://spywarefiles.prevx.com/RRIACJ39139029/XPRE.EXE.html

and here:

http://virusinfo.prevx.com/pxparall.asp?PXC=25b2101823694

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: xrun.exe & xpre.exe
« Reply #5 on: July 31, 2007, 12:47:46 AM »
Hi Cross,

Thanks for your contribution. There are some well known places on the Internet where one could check executables, processes and dll's to check their hashes or size for legitimacy. Google in this respect is your best friend. Users should go there more often to see whether what is running on their computers is OK. A dll check once in a while is no luxury thing.
You have to understand everyone needs a cocktail of security programs to be secure, the days that one AV program and a firewall were enough are alas long gone!
The files you mentioned come in the class "possibly unwanted".

polonus
« Last Edit: July 31, 2007, 12:51:45 AM by polonus »
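Added example, not part of any post in this thread: a short Python triage that puts the file-name blocklist requested above side by side with the hash check mentioned in the replies, on a constructed temp folder. The file contents, the `update.exe` and `tools/` names and the single-entry hash list are assumptions made for illustration; the bytes are placeholders, not real samples.

```python
import hashlib
import tempfile
from pathlib import Path

NAME_BLOCKLIST = {"xrun.exe", "xpre.exe"}  # the two names from the thread


def sha256_of(path: Path) -> str:
    """Hash in chunks so large files are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage(root: Path, names: set, hashes: set) -> dict:
    """Map each .exe under root to its size and name/hash blocklist verdicts."""
    report = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() == ".exe":
            report[path.relative_to(root).as_posix()] = {
                "size": path.stat().st_size,
                "name_hit": path.name.lower() in names,
                "hash_hit": sha256_of(path) in hashes,
            }
    return report


def demo() -> dict:
    """Build a constructed temp folder (placeholder bytes) and triage it."""
    sample = b"MZ constructed placeholder bytes, not a real sample"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "tools").mkdir()
        (root / "xrun.exe").write_bytes(sample)            # known bytes, known name
        (root / "update.exe").write_bytes(sample)          # same bytes, renamed
        (root / "xpre.exe").write_bytes(sample + b"\x00")  # one byte appended
        (root / "tools" / "xrun.exe").write_bytes(b"MZ unrelated program")  # name collision
        known = {hashlib.sha256(sample).hexdigest()}       # constructed hash list
        return triage(root, NAME_BLOCKLIST, known)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The renamed copy is caught only by the hash, while the altered copy and the unrelated program that shares the name are both flagged only by name and cannot be told apart without looking at the file itself.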