Backdoor:Win32/Xtrat.G is a trojan that allows backdoor access and control of the user's computer by a remote attacker.

Threat behavior


Backdoor:Win32/Xtrat.G copies itself into the user's computer as:


It drops the following configuration file in your computer:


It deletes the following file, if it exists:


It creates the following registry entry so that its copy automatically runs every time Windows starts:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "HKLM"
With data: "%windir%\installdir\server.exe"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "HKCU"
With data: "%windir%\installdir\server.exe"

In subkey: HKLM\Software\Microsoft\Active Setup\Installed Components\{V7Q00MK3-L24R-PN68-B12Y-RF4POJ8W5312}
Sets value: "StubPath"
With data: "%windir%\installdir\server.exe restart"
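The three autostart entries above are the indicators a defender would sweep for. The script below is an added example, not part of the original write-up: it parses the text produced by `reg export` (the `.reg` format) and flags any value that matches those entries, using a constructed sample export as input.

```python
import re

# Autostart entries the write-up attributes to Backdoor:Win32/Xtrat.G,
# as (subkey, value name, data) in the form a "reg export" file uses.
XTRAT_AUTOSTART = [
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
     "HKLM", r"%windir%\installdir\server.exe"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "HKCU", r"%windir%\installdir\server.exe"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components"
     r"\{V7Q00MK3-L24R-PN68-B12Y-RF4POJ8W5312}",
     "StubPath", r"%windir%\installdir\server.exe restart"),
]

# "Name"="data" or @="data" (the key's default value); REG_SZ only
_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)="((?:[^"\\]|\\.)*)"$')

def _unescape(s):
    # .reg files escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg_export(text):
    """Return (subkey, value_name, data) for every REG_SZ value in a .reg export."""
    entries, subkey = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            subkey = line[1:-1]          # new key header, e.g. [HKEY_LOCAL_MACHINE\...]
            continue
        m = _VALUE_LINE.match(line)
        if m and subkey is not None:
            name = m.group(1) if m.group(1) is not None else ""
            entries.append((subkey, _unescape(name), _unescape(m.group(2))))
    return entries

def find_xtrat_autostarts(text):
    """Return the entries in a .reg export that match the Xtrat.G persistence indicators."""
    # Registry key and value names are case-insensitive, so compare lowercased
    wanted = {tuple(part.lower() for part in ioc) for ioc in XTRAT_AUTOSTART}
    return [e for e in parse_reg_export(text)
            if tuple(part.lower() for part in e) in wanted]

# Constructed sample export: one benign Run entry plus two of the indicators above.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"HKLM"="%windir%\\installdir\\server.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{V7Q00MK3-L24R-PN68-B12Y-RF4POJ8W5312}]
"StubPath"="%windir%\\installdir\\server.exe restart"
"""
```

On a live host, run `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and the HKCU and Active Setup keys likewise) and feed the files to `find_xtrat_autostarts`; note that `reg export` writes `.reg` files as UTF-16, so open them with that encoding.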


Downloads other files

Backdoor:Win32/Xtrat.G may download other files. It is known to connect to the server in "" via TCP port 1579 to download the following files:

  • ((mutex)).dat
  • ((mutex)).xtr
  • 1234567890.functions

The server is inaccessible at the time of this writing.

Allows backdoor access and control

If Backdoor:Win32/Xtrat.G successfully connects to the server in "", it can receive commands to do certain actions on the user's computer, for example:

  • Log keystrokes
  • Get screenshots of the user's desktop
  • Capture images of the user's location using the webcam
  • Open a command prompt