BKDR_XTRAT.LTY

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It steals system information. It logs a user's keystrokes to steal information.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops the following non-malicious files:

• %Application Data%\Microsoft\Windows\{Random File Name}.cfg
• %Application Data%\Microsoft\Windows\{Random File Name}.xtr
• %Application Data%\plugin.dat
• %Application Data%\2.ico
• %Current Folder%\plugin.dat
• %User Temp%\winxp7
• %User Temp%\winxp8
• %Application Data%\Rood.3gp
• %Application Data%\GDIPFONTCACHEV1.DAT
• %User Temp%\2.ico
• %User Temp%\.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

It drops the following copies of itself into the affected system:

• %Application Data%\IDF.exe
• %Application Data%\Microsoft Word Update.exe
• %Application Data%\tempp.exe
• %Application Data%\winrar.exe
• %Application Data%\smss.exe
• %User Temp%\Microsoft Word.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• brSTgHafH

It injects threads into the following normal process(es):

• %System%\sethc.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)

Autostart Technique

This backdoor drops the following shortcut pointing to its copy in the User Startup folder to enable its automatic execution at every system startup:

•         .lnk

Other System Modifications

This backdoor adds the following registry entries as part of its installation routine:

HKEY_CURRENT_USER\Software\WinRAR SFX
{Malware Path} = {Malware Path}

HKEY_CURRENT_USER\Software\XtremeRAT
Mutex = {Random Values}

It adds the following registry keys as part of its installation routine:

HKEY_CLASSES_ROOT\qv1668809101y.oac

HKEY_CURRENT_USER\Software\IDF 23-9

HKEY_CLASSES_ROOT\he1779463363a.pqb

HKEY_CURRENT_USER\Software\yjudhfvjndghjghj

HKEY_CLASSES_ROOT\rz1263048663h.byi

HKEY_CURRENT_USER\Software\brSTgHafH

HKEY_CLASSES_ROOT\ep1839519877p.otz

HKEY_CURRENT_USER\Software\remote

HKEY_CLASSES_ROOT\pe1771047725g.bgt

Backdoor Routine

This backdoor opens the following port(s) where it listens for remote commands:

• TCP port 50001
• TCP port 12001

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• {BLOCKED}3.no-ip.net
• {BLOCKED}1.no-ip.net
• skype.{BLOCKED}p3.com
• {BLOCKED}f.blogsite.org
• test.{BLOCKED}odem.org
• {BLOCKED}2.no-ip.net

Information Theft

This backdoor steals system information.

It logs a user's keystrokes to steal information.

Stolen Information

This backdoor saves the stolen information in the following file:

• %Application Data%\logs.dat
• %Application Data%\winxplog.dat
• %Current Folder%\logs.dat
• %Application Data%\Microsoft\Windows\{Random File Name}.dat

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)