W32/Xorer-D is a worm for the Windows platform.

W32/Xorer-D includes functionality to access the internet and communicate with a remote server via HTTP.

When first run, W32/Xorer-D creates several files. It also creates a COM object for the file netcfg.dll, creating registry entries under:

HKCR\CLSID\{450EC9C4-0F7F-B084-D1147FE9DDCC}

The file NetApi000.sys is registered as a new system driver service named "NetApi000", with a display name of "NetApi000". Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\NetApi000

Registry entries are set as follows:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
Type
radio

W32/Xorer-D attempts to spread to removable media drives by copying AUTORUN.INF and pagefile.pif to the root folder of inserted drives.
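A triage check for the registry and removable-drive indicators listed above, as an added example that is not Sophos code. It assumes the registry has been exported with `reg export` and decoded to text; the function names and the sample export are constructed for illustration.

```python
import os
import re

# Indicators as listed above, with hive names spelled out as `reg export` writes them.
SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetApi000"
ADVANCED = r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
VALUES = {
    # ShowSuperHidden=0 matches Windows' default (protected files hidden): weak alone.
    ("HKEY_CURRENT_USER" + ADVANCED, "ShowSuperHidden"): "dword:00000000",
    ("HKEY_LOCAL_MACHINE" + ADVANCED + r"\Folder\SuperHidden", "Type"): '"radio"',
}
DROPPED = {"autorun.inf", "pagefile.pif"}

def scan_reg_export(text):
    """Return indicator hits in the decoded text of a .reg export."""
    hits, key = [], ""
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                      # current key section
            if key.lower() == SERVICE_KEY.lower():
                hits.append("service key: " + key)
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)    # "Name"=data
        if not m:
            continue
        name, data = m.groups()
        for (ikey, iname), idata in VALUES.items():
            if (key.lower(), name.lower(), data.lower()) == (ikey.lower(), iname.lower(), idata):
                hits.append(f"{key}\\{name} = {data}")
    return hits

def scan_drive_root(root):
    """Return the dropped file names only if both sit in the drive's root folder;
    AUTORUN.INF alone is common on legitimate media."""
    present = {n.lower() for n in os.listdir(root) if os.path.isfile(os.path.join(root, n))}
    return sorted(DROPPED) if DROPPED <= present else []

# Constructed sample export, not taken from an infected host.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetApi000]
"DisplayName"="NetApi000"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
"Type"="radio"
'''
```

Files written by `reg export` are UTF-16, so decode them before passing the text to `scan_reg_export`.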

More information can be found at this Sophos page.