Backdoor:Win32/Xtrat.G is a trojan that allows backdoor access and control of the user's computer by a remote attacker.

Threat behavior

Installation

Backdoor:Win32/Xtrat.G copies itself onto the user's computer as:

%windir%\installdir\server.exe

It drops the following configuration file on the user's computer:

%AppData%\Microsoft\Windows\((Mutex)).cfg

It deletes the following file, if it exists:

%Temp%\x.html

It creates the following registry entry so that its copy automatically runs every time Windows starts:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "HKLM"
With data: "%windir%\installdir\server.exe"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "HKCU"
With data: "%windir%\installdir\server.exe"

In subkey: HKLM\Software\Microsoft\Active Setup\Installed Components\{V7Q00MK3-L24R-PN68-B12Y-RF4POJ8W5312}
Sets value: "StubPath"
With data: "%windir%\installdir\server.exe restart"

Payload

Downloads other files

Backdoor:Win32/Xtrat.G may download other files. It is known to connect to the server at "memo6767.no-ip.org" via TCP port 1579 to download the following files:

  • ((mutex)).dat
  • ((mutex)).xtr
  • 1234567890.functions

The server is inaccessible at the time of this writing.

Allows backdoor access and control

If Backdoor:Win32/Xtrat.G successfully connects to the server at "memo6767.no-ip.org", it can receive commands to perform actions on the user's computer, for example:

  • Log keystrokes
  • Get screenshots of the user's desktop
  • Take pictures of the user's surroundings using the webcam
  • Open a command prompt
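As an added defender-side example (not part of the original page), the following Python checks a registry autorun export and a connection log for the persistence entries from the Installation section and the command-and-control host from the Payload section. The export line format (`<key path>\<value name>=<data>`), the log format (`<timestamp> <source> <destination host> <port>`) and the sample lines are constructed assumptions, not real host data.

```python
import re

# Indicators taken from the page (Backdoor:Win32/Xtrat.G). The %windir% form is
# reduced to a path suffix because registry exports show the expanded path.
PERSIST_SUFFIX = r"\installdir\server.exe"
ACTIVE_SETUP_CLSID = "{V7Q00MK3-L24R-PN68-B12Y-RF4POJ8W5312}".lower()
C2_HOST = "memo6767.no-ip.org"
C2_PORT = 1579  # TCP port the page names; recorded with each host hit

RUN_RE = re.compile(r"^(HKLM|HKCU)\\Software\\Microsoft\\Windows\\CurrentVersion"
                    r"\\Run\\[^=]+=(?P<data>.+)$", re.I)
SETUP_RE = re.compile(r"^HKLM\\Software\\Microsoft\\Active Setup\\Installed Components"
                      r"\\(?P<clsid>\{[^}]+\})\\StubPath=(?P<data>.+)$", re.I)
NET_RE = re.compile(r"^\S+ \S+ (?P<host>[\w.-]+) (?P<port>\d+)$")

# Constructed sample export lines (assumed format '<key path>\<value name>=<data>').
SAMPLE_REG = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater=C:\Program Files\Vendor\updater.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HKLM=C:\Windows\installdir\server.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\HKCU=C:\Windows\installdir\server.exe
HKLM\Software\Microsoft\Active Setup\Installed Components\{V7Q00MK3-L24R-PN68-B12Y-RF4POJ8W5312}\StubPath=C:\Windows\installdir\server.exe restart
""".splitlines()

# Constructed sample connection log (assumed format '<ts> <src> <dst host> <dst port>').
SAMPLE_NET = """
2024-05-01T10:00:01Z 10.0.0.5 memo6767.no-ip.org 1579
2024-05-01T10:00:02Z 10.0.0.5 updates.example.com 443
""".splitlines()

def _program(data):
    """Lower-case the value data and drop quotes and the trailing 'restart' argument."""
    return data.strip().strip('"').lower().removesuffix(" restart").strip('"')

def scan_registry(lines):
    """Return (key path, reason) for each export line that shows Xtrat persistence."""
    hits = []
    for line in (l.strip() for l in lines if l.strip()):
        key = line.split("=", 1)[0]
        m = RUN_RE.match(line)
        if m and _program(m.group("data")).endswith(PERSIST_SUFFIX):
            hits.append((key, "Run value launches installdir\\server.exe"))
            continue
        m = SETUP_RE.match(line)  # Active Setup re-launches the copy on every logon
        if m and (m.group("clsid").lower() == ACTIVE_SETUP_CLSID
                  or _program(m.group("data")).endswith(PERSIST_SUFFIX)):
            hits.append((key, "Active Setup StubPath runs installdir\\server.exe"))
    return hits

def scan_network(lines):
    """Return (host, port) for each log line whose destination is the Xtrat C2 host."""
    hits = []
    for line in lines:
        m = NET_RE.match(line.strip())
        if m and m.group("host").lower() == C2_HOST:
            hits.append((m.group("host"), int(m.group("port"))))
    return hits

if __name__ == "__main__":
    for key, why in scan_registry(SAMPLE_REG):
        print(f"[persistence] {key}: {why}")
    for host, port in scan_network(SAMPLE_NET):
        print(f"[network] {host}:{port}" + (" (documented C2 port)" if port == C2_PORT else ""))
```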