W32.Extrat.B
First posted on 21 February 2014.
Source: Symantec

Aliases:
There are no other names known for W32.Extrat.B.
Explanation:
The worm is usually dropped by a specially crafted Microsoft Word document that exploits vulnerabilities such as the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158).
When the worm is executed, it creates the following folders:
%UserProfile%\Application Data\Microsoft\Windows\VDB0Wd7T\
%Windir%\InstallDir\

The worm then creates the following files:
%UserProfile%\Application Data\Microsoft\Windows\VDB0Wd7T\VDB0Wd7T.dat
%UserProfile%\Application Data\Microsoft\Windows\VDB0Wd7T\VDB0Wd7T.nfo
%UserProfile%\Application Data\Microsoft\Windows\VDB0Wd7T\VDB0Wd7T.svr

The worm then creates the following registry entries so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"HKLM" = "expand:"C:\WINDOWS\InstallDir\Server.exe""
HKEY_CURRENT_USER\Software\VDB0Wd7T\"ServerStarted" = "expand:"2/12/2014 7:23:32 AM""
HKEY_CURRENT_USER\Software\VDB0Wd7T\"InstalledServer" = "expand:"C:\WINDOWS\InstallDir\Server.exe""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"HKCU" = "expand:"C:\WINDOWS\InstallDir\Server.exe""

Note: the "expand:" prefix is Symantec's notation for a REG_EXPAND_SZ value; "HKLM" and "HKCU" are the literal value names the sample writes under the two Run keys. The ServerStarted timestamp is the installation time recorded during analysis and will differ on an infected host.
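The artifacts listed above can be checked for directly on a suspect host. The following PowerShell triage script is an added example, not Symantec's code or anything shipped by the sample; it sweeps the dropped files, both Run keys and the per-sample configuration key. The paths and value names come from this writeup; the assumption that the eight-character ID "VDB0Wd7T" may be specific to this build (so the script also matches any Run value pointing at InstallDir\Server.exe and any HKCU\Software subkey holding both InstalledServer and ServerStarted) is the editor's, not the page's.

```powershell
# Added triage example for W32.Extrat.B indicators (not Symantec's code).
# Run from an elevated PowerShell on the suspect host. Indicator paths and
# value names are taken from the writeup; the generalisations are assumptions.

$hits = @()

# 1. Dropped folders and files. On Windows XP ApplicationData resolves to
#    %UserProfile%\Application Data, on later versions to ...\AppData\Roaming.
$appData = [Environment]::GetFolderPath('ApplicationData')
$candidates = @(
    (Join-Path $env:windir 'InstallDir\Server.exe'),
    (Join-Path $appData 'Microsoft\Windows\VDB0Wd7T'),
    (Join-Path $appData 'Microsoft\Windows\VDB0Wd7T\VDB0Wd7T.dat'),
    (Join-Path $appData 'Microsoft\Windows\VDB0Wd7T\VDB0Wd7T.nfo'),
    (Join-Path $appData 'Microsoft\Windows\VDB0Wd7T\VDB0Wd7T.svr')
)
foreach ($p in $candidates) {
    if (Test-Path -LiteralPath $p) { $hits += "file: $p" }
}

# 2. Run keys. The sample uses the value names "HKLM" and "HKCU", but we match
#    on the data instead so a renamed value still triggers (assumption).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($k in $runKeys) {
    if (-not (Test-Path -Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... metadata
        if ("$($prop.Value)" -match '(?i)\\InstallDir\\Server\.exe') {
            $hits += "run-key: $k\$($prop.Name) = $($prop.Value)"
        }
    }
}

# 3. Configuration key HKCU\Software\<ID> carrying InstalledServer and
#    ServerStarted. Every direct subkey of HKCU\Software is inspected so that
#    a build with a different ID than VDB0Wd7T is still caught (assumption).
Get-ChildItem -Path 'HKCU:\Software' -ErrorAction SilentlyContinue | ForEach-Object {
    $vals = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    if ($vals -and
        ($vals.PSObject.Properties.Name -contains 'InstalledServer') -and
        ($vals.PSObject.Properties.Name -contains 'ServerStarted')) {
        $hits += "config-key: $($_.Name) InstalledServer=$($vals.InstalledServer) ServerStarted=$($vals.ServerStarted)"
    }
}

if ($hits.Count -eq 0) {
    'No W32.Extrat.B indicators found.'
} else {
    $hits | ForEach-Object { "HIT  $_" }
}
```

A hit on the configuration key alone (without the files) is still worth treating as a past infection: the key survives a deleted Server.exe, and the ServerStarted value gives the time the implant was first installed on that user's profile, which is useful for scoping an incident.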
The worm may then perform the following actions:
List open windows and running processes
Start and kill processes
Modify services
Manage the Windows registry
Transfer and manage files
Log keystrokes
Activate the webcam
Gather information and passwords
Create a remote shell
Gather and manipulate content on the clipboard
The worm may then spread through removable drives or P2P file-sharing networks.

Last update 21 February 2014