Backdoor:Win32/Xtrat.G
First posted on 20 December 2012.
Source: Microsoft
Aliases:
Backdoor:Win32/Xtrat.G is also known as Backdoor/Win32.Xtreme (AhnLab), W32/Xtrat.C.gen!Eldorado (Command), Backdoor.Win32.Xtreme.bid (Kaspersky), TR/Spy.59904216 (Avira), Trojan.Virtumod.11842 (Dr.Web), Win32/Remtasu.Y trojan (ESET), BackDoor-FAJ (McAfee), Backdoor.Win32.Xtreme.a (Rising AV), BKDR_TRATS.SMM (Trend Micro).
Explanation:
Installation
Backdoor:Win32/Xtrat.G copies itself into your computer as:
%windir%\installdir\server.exe
It drops the following configuration file in your computer:
%AppData%\Microsoft\Windows\((Mutex)).cfg
It deletes the following file, if it exists:
%Temp%\x.html
It creates the following registry entry so that its copy automatically runs every time Windows starts:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "HKLM"
With data: "%windir%\installdir\server.exe"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "HKCU"
With data: "%windir%\installdir\server.exe"
In subkey: HKLM\Software\Microsoft\Active Setup\Installed Components\{V7Q00MK3-L24R-PN68-B12Y-RF4POJ8W5312}
Sets value: "StubPath"
With data: "%windir%\installdir\server.exe restart"
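The three autostart entries above (two Run values and an Active Setup StubPath) are what a responder would look for on a suspect host. The following is an added example written for this page, not code from Microsoft or from the malware analysis: it parses a `reg export`-style dump and flags any Run or Active Setup value that launches the `\installdir\server.exe` path named in the write-up, comparing on the path tail so the `%windir%` expansion does not matter. It also applies one heuristic of my own: the Installed Components GUID quoted above contains non-hexadecimal characters, which a genuine GUID never does, so malformed component GUIDs are reported as a secondary indicator. The registry dump is constructed for the demonstration; the benign entries and the placeholder GUID in it are invented.

```python
import re

# Constructed sample in `reg export` format (not captured from a real host).
# It mirrors the persistence described for Backdoor:Win32/Xtrat.G and adds
# two invented benign entries to show they are not flagged.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe /quiet"
"HKLM"="C:\\Windows\\installdir\\server.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"HKCU"="C:\\Windows\\installdir\\server.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{V7Q00MK3-L24R-PN68-B12Y-RF4POJ8W5312}]
"StubPath"="C:\\Windows\\installdir\\server.exe restart"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{00000000-1111-2222-3333-444444444444}]
"StubPath"="C:\\Windows\\System32\\placeholder-setup.exe /install"
"""

RUN_KEYS = {
    "hkey_local_machine\\software\\microsoft\\windows\\currentversion\\run",
    "hkey_current_user\\software\\microsoft\\windows\\currentversion\\run",
}
ACTIVE_SETUP_PREFIX = (
    "hkey_local_machine\\software\\microsoft\\active setup\\installed components\\"
)
# Path from the write-up: %windir%\installdir\server.exe. Matching on the tail
# covers C:\Windows, C:\WINNT or any other %windir% value, and the "restart"
# argument used by the StubPath entry.
XTRAT_TAIL = "\\installdir\\server.exe"
# Heuristic (mine): a real Active Setup component GUID is 8-4-4-4-12 hex digits.
HEX_GUID = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I
)
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # .reg files escape backslashes and quotes with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Yield (key_path, value_name, data) for each REG_SZ value in a .reg dump.

    Only string values of the form "name"="data" are handled; default values
    (@=) and other types are skipped because this scan does not need them.
    """
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key is not None:
            m = VALUE_LINE.match(line)
            if m:
                yield key, _unescape(m.group(1)), _unescape(m.group(2))


def scan_reg_export(text):
    """Return a list of findings, one per suspicious value, in dump order."""
    findings = []
    for key, name, data in parse_reg_export(text):
        reasons = []
        key_l, data_l = key.lower(), data.lower()
        if key_l in RUN_KEYS and XTRAT_TAIL in data_l:
            reasons.append("Run value launches the Xtrat.G install path")
        elif key_l.startswith(ACTIVE_SETUP_PREFIX):
            if name.lower() == "stubpath" and XTRAT_TAIL in data_l:
                reasons.append("Active Setup StubPath launches the Xtrat.G install path")
            guid = key[len(ACTIVE_SETUP_PREFIX):]
            if not HEX_GUID.match(guid):
                reasons.append("Active Setup component GUID is not a valid hex GUID")
        if reasons:
            findings.append({"key": key, "value": name, "data": data, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_reg_export(SAMPLE_REG_EXPORT):
        print(f"{f['key']}\n  {f['value']} = {f['data']}\n  -> {'; '.join(f['reasons'])}")
```

On a live Windows host the same dump is produced with `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and likewise for the HKCU Run key and the Active Setup branch); feed the exported files to `scan_reg_export`. Note that `reg export` writes UTF-16 by default, so open the file with that encoding before passing its text in.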
Payload
Downloads other files
Backdoor:Win32/Xtrat.G may download other files. It is known to connect to the server at "memo6767.no-ip.org" via TCP port 1579 to download the following files:
- ((mutex)).dat
- ((mutex)).xtr
- 1234567890.functions
The server is inaccessible at the time of this writing.
Allows backdoor access and control
If Backdoor:Win32/Xtrat.G successfully connects to the server in "memo6767.no-ip.org", it can receive commands to do certain actions on your computer, for example:
- Log keystrokes
- Get screenshots of your desktop
- Get shots of your location using the webcam
- Open a command prompt
Analysis by Jeong Mun
Last update 20 December 2012