Home / malwarePDF  

Worm:Win32/Xtrat.C


First posted on 29 July 2015.
Source: Microsoft

Aliases :

There are no other names known for Worm:Win32/Xtrat.C.

Explanation :

Threat behavior

Installation
This threat can create files on your PC, including:

  • %SystemRoot%\dlls\adsl.exe
  • %TEMP% \322htr.exe
  • %TEMP% \710march.exe
  • %TEMP% \710march.exe.exe
  • %TEMP% \dlshosts.exe
  • %APPDATA% \roaming\microsoft\internet explorer\quick launch\launch internet explorer browser.lnk
  • %APPDATA% \roaming\microsoft\windows\start menu\programs\startup\a6bb84e8814fcaa6951c95e3faa45466.exe
  • %USERPROFILE% \documents\msdcsc\msdcsc.exe


It modifies the registry so that it runs each time you start your PC. For example:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "a6bb84e8814fcaa6951c95e3faa45466"
With data: ""c:\users\administrator\appdata\local\temp\dlshosts.exe" .."
Sets value: "HKCU"
With data: "%SystemRoot%\dlls\adsl.exe"
Sets value: "MicroUpdate"
With data: "c:\users\administrator\documents\msdcsc\msdcsc.exe"
In subkey: HKLM\Software\Microsoft\Active Setup\Installed Components\{VTVM542I-8743-2C38-TQKC-K3057FDG022L}
Sets value: "StubPath"
With data: "%SystemRoot%\dlls\adsl.exe"
In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "UserInit"
With data: "\userinit.exe,c:\users\administrator\documents\msdcsc\msdcsc.exe"
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "a6bb84e8814fcaa6951c95e3faa45466"
With data: ""c:\users\administrator\appdata\local\temp\dlshosts.exe" .."
Sets value: "HKLM"
With data: "%SystemRoot%\dlls\adsl.exe"


The malware uses code injection to make it harder to detect and remove. It can inject code into running processes.



Payload


Connects to a remote host

We have seen this threat connect to a remote host, including:
  • datac1.ddns.net using port 53
  • mz3ro.no-ip.org using port 53
Malware can connect to a remote host to do any of the following:
  • Check for an Internet connection
  • Download and run files (including updates or other malware)
  • Report a new infection to its author
  • Receive configuration or other data
  • Receive instructions from a malicious hacker
  • Search for your PC location
  • Upload information taken from your PC
  • Validate a digital certificate


It can stop some processes from running on your PC, including:

  • iexplore.exe


This malware description was published using automated analysis of file SHA1 23d254568fdf6a4929172d2d6e455366eabbe7c4.

Symptoms

The following can indicate that you have this threat on your PC:

  • You see a file similar to:
    • %SystemRoot%\dlls\adsl.exe
    • %TEMP% \322htr.exe
    • %TEMP% \710march.exe
    • %TEMP% \710march.exe.exe
    • %TEMP% \dlshosts.exe
    • %APPDATA% \roaming\microsoft\internet explorer\quick launch\launch internet explorer browser.lnk
    • %APPDATA% \roaming\microsoft\windows\start menu\programs\startup\a6bb84e8814fcaa6951c95e3faa45466.exe
    • %USERPROFILE% \documents\msdcsc\msdcsc.exe
  • You see registry modifications such as:
    • In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
      Sets value: "a6bb84e8814fcaa6951c95e3faa45466"
      With data: ""c:\users\administrator\appdata\local\temp\dlshosts.exe" .."

    • In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
      Sets value: "HKCU"
      With data: "%SystemRoot%\dlls\adsl.exe"

    • In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
      Sets value: "MicroUpdate"
      With data: "c:\users\administrator\documents\msdcsc\msdcsc.exe"

    • In subkey: HKLM\Software\Microsoft\Active Setup\Installed Components\{VTVM542I-8743-2C38-TQKC-K3057FDG022L}
      Sets value: "StubPath"
      With data: "%SystemRoot%\dlls\adsl.exe"

    • In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
      Sets value: "UserInit"
      With data: "\userinit.exe,c:\users\administrator\documents\msdcsc\msdcsc.exe"

    • In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
      Sets value: "a6bb84e8814fcaa6951c95e3faa45466"
      With data: ""c:\users\administrator\appdata\local\temp\dlshosts.exe" .."

    • In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
      Sets value: "HKLM"
      With data: "%SystemRoot%\dlls\adsl.exe"

Last update 29 July 2015

 

TOP

Malware :

Family: