
Backdoor:Win32/Xtrat


First posted on 31 March 2015.
Source: Microsoft

Aliases :

There are no other names known for Backdoor:Win32/Xtrat.

Explanation :

Threat behavior

This backdoor is a remote access tool (RAT) that is used by malware authors to install malware on your PC.

Installation

When run, it drops a copy of itself to a varying folder location using a random filename. Among the possible folder locations are:

  • %SystemRoot%\
  • \
  • %APPDATA%\

For example, we have seen it drop server.exe to the folder InstallDir.

It changes the following registry entry so that it runs each time you start your PC:

In subkey: HKLM\Software\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath\
Sets value: "\install\server.exe restart"

It may open a new process and inject code into it. It may do this to try to hide from security software.
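A defender-side check for the Active Setup persistence described above, added here as an example and not part of the Microsoft description: it parses a `reg export` of the Installed Components key and flags StubPath entries whose component GUID matches the one listed, or whose executable has no drive or environment root, sits in a user-writable location, or lies outside the Windows and Program Files trees. The sample export and the benign GUID `{11111111-2222-3333-4444-555555555555}` are constructed; the Xtrat GUID and StubPath value are the ones given above.

```python
import re
import shlex

# Constructed sample export of the Active Setup key (not taken from the page):
# one benign-looking component and the Xtrat entry the description lists.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}]
"StubPath"="C:\\Windows\\System32\\regsvr32.exe /s /n /i:U C:\\Windows\\System32\\example.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}]
"StubPath"="\\install\\server.exe restart"
'''

KNOWN_BAD_GUIDS = {"{5460C4DF-B266-909E-CB58-E32B79832EB2}"}  # GUID from the Xtrat description
TRUSTED_ROOTS = ("c:\\windows\\", "%systemroot%\\", "c:\\program files\\",
                 "c:\\program files (x86)\\", "%programfiles%\\")
USER_WRITABLE = ("%appdata%", "%localappdata%", "%temp%", "%userprofile%", "\\users\\")
_KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
_STUB_RE = re.compile(r'^"StubPath"="(?P<val>.*)"$')
_GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

def parse_stubpaths(reg_text):
    # Yield (component GUID, StubPath command) pairs from a .reg export.
    guid = None
    for line in reg_text.splitlines():
        if m := _KEY_RE.match(line.strip()):
            g = _GUID_RE.search(m.group("key"))
            guid = g.group(0).upper() if g else None
        elif (m := _STUB_RE.match(line.strip())) and guid:
            # .reg escapes backslashes and quotes; undo that to recover the real command.
            yield guid, m.group("val").replace('\\"', '"').replace("\\\\", "\\")

def classify(guid, stubpath):
    # Return the reasons a StubPath entry deserves a closer look (empty list = unremarkable).
    reasons = []
    if guid in KNOWN_BAD_GUIDS:
        reasons.append("component GUID matches the Xtrat indicator")
    exe = shlex.split(stubpath, posix=False)[0].strip('"').lower()  # first token = executable
    if exe.startswith("\\") or ("\\" in exe and not re.match(r"^([a-z]:|%\w+%)\\", exe)):
        reasons.append("executable path has no drive or environment root")
    elif any(marker in exe for marker in USER_WRITABLE):
        reasons.append("executable lives in a user-writable location")
    elif "\\" in exe and not exe.startswith(TRUSTED_ROOTS):
        reasons.append("executable outside Windows / Program Files")
    # A bare filename (a system binary resolved from PATH) is left to baseline comparison.
    return reasons

def suspicious_components(reg_text):
    # [(guid, stubpath, reasons)] for every entry that trips at least one heuristic.
    return [(g, s, r) for g, s in parse_stubpaths(reg_text) if (r := classify(g, s))]
```

On a live host, feed it the output of `reg export "HKLM\Software\Microsoft\Active Setup\Installed Components" out.reg` and compare flagged entries against a known-good baseline, since legitimate components also use StubPath.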

Spreads through

Removable drives

It can create copies of itself on removable drives, such as USB flash drives.

It creates an autorun.inf file in the root folder of the removable drive. The file has instructions to launch the malware automatically when the removable drive is connected to a PC with the Autorun feature turned on.

This is a common way for malware to spread. However, autorun.inf files on their own are not necessarily a sign of infection; they are also used by legitimate programs.

File sharing websites

The threat might be downloaded from a file sharing website. You might try to download an app, and instead have this malware installed on your PC.

Payload

Steals sensitive data

This threat can:

  • Install a keylogger on the computer to record what you type on your keyboard (including passwords)
  • Capture screenshots of your desktop
  • Record images from your webcam
  • Record audio from your webcam or microphone


It can regularly send the collected report to a remote server. We have seen it try to connect to the following servers:

  • 58.138.194.5
  • googlechrom2e.linkpc.net
  • sercan860.zapto.org


It might use IP redirection or masking services to hide the server.

Additional information

The threat creates the following mutexes:

  • ((Mutex))
  • XTREMEUPDATE


These can serve as infection markers that prevent more than one copy of the threat from running on your PC.



Analysis by Mihai Calota

Symptoms

The following can indicate that you have this threat on your PC:

  • You see this entry or key in your registry:

    In subkey: HKLM\Software\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath\
    Sets value: "\install\server.exe restart"

Last update 31 March 2015
