Win32/XHX [Threat Name]
Win32/XHX.AA [Threat Variant Name]
|Detection created|Jul 04, 2013|
|Signature database version|8524|
The trojan serves as a backdoor. It can be controlled remotely.
When executed, the trojan copies itself to the following locations:
In order to be executed on every system start, the trojan sets the following Registry entries:
- "Internet.exe" = "Internet.exe"
The trojan may set the following Registry entries:
- "(Default)" = "uaiia.exe %1"
The trojan modifies the following file:
The trojan writes the following entries to the file:
- "Run" = "%windir%\Explore.exe"
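The three persistence artefacts above (a Run value that is just a bare file name, a "(Default)" command that puts a launcher in front of the %1 placeholder, and a "Run" line written into an .ini file) can be triaged offline from collected artefacts. The following is an added example, not ESET's code or anything taken from the sample: it parses a regedit-style .reg export and an .ini file and flags the patterns. The Run key paths, the assumption that the default-value hijack sits under a shell\open\command key, the assumption that the modified file is win.ini, and all sample inputs are constructed for the example; the description itself names only the value names and data.

```python
"""Offline checks for the Win32/XHX.AA persistence artefacts.

Added example, not ESET's code. Assumptions (the description names only
value names and data): the Run key paths, that the "(Default)" hijack is a
shell\\open\\command value, and that the "Run" line goes into win.ini.
"""
import re
from typing import Dict, List, Optional, Tuple

# Assumed locations of the autostart value (lower-cased for comparison).
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
SHELL_OPEN_RE = re.compile(r"\\shell\\open\\command$", re.IGNORECASE)


def _is_bare_name(token: str) -> bool:
    """True for 'Internet.exe' or 'uaiia.exe': no directory and no %var%.

    Both indicators on the page are unqualified names resolved via the
    search path; legitimate autostart entries and file-type handlers
    almost always carry a full path or an environment variable.
    """
    token = token.strip('"')
    return bool(token) and "\\" not in token and not token.startswith("%")


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key path: {value name: data}}.

    String data is unescaped; other value types stay as raw text. The
    default value '@' is stored as "(Default)", the way regedit shows it.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = name.strip()
        name = "(Default)" if name == "@" else name.strip('"')
        data = data.strip()
        if len(data) >= 2 and data[0] == data[-1] == '"':
            data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        keys[current][name] = data
    return keys


def find_run_persistence(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Flag Run values whose program is a bare name ("Internet.exe" = "Internet.exe")."""
    hits = []
    for key, values in keys.items():
        if key.lower() not in RUN_KEYS:
            continue
        for name, data in values.items():
            tokens = data.split()
            if tokens and _is_bare_name(tokens[0]):
                hits.append((key, name, data))
    return hits


def find_shell_open_hijack(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Flag shell\\open\\command defaults with a bare launcher before %1.

    "(Default)" = "uaiia.exe %1" starts the malware first and hands it the
    file the user opened as %1. A normal exefile handler is "%1" %*, whose
    first token is the placeholder itself, so it is never flagged.
    """
    hits = []
    for key, values in keys.items():
        if not SHELL_OPEN_RE.search(key):
            continue
        tokens = values.get("(Default)", "").split()
        if tokens and _is_bare_name(tokens[0]):
            hits.append((key, values["(Default)"]))
    return hits


def find_ini_run(ini_text: str) -> List[str]:
    """Return programs on the run=/load= lines of the [windows] section.

    Assumes the file receiving "Run" = "%windir%\\Explore.exe" is win.ini,
    whose legacy [windows] run/load lines are processed at logon.
    """
    hits, section = [], None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, _, value = line.partition("=")
        if section == "windows" and key.strip().lower() in ("run", "load") and value.strip():
            hits.append(value.strip())
    return hits


# Constructed samples: one benign entry beside each indicator from the page.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="\"C:\\Program Files\\Example\\updater.exe\" /quiet"
"Internet.exe"="Internet.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="uaiia.exe %1"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"
'''

SAMPLE_INI = r'''[windows]
load=
run=%windir%\Explore.exe
[fonts]
'''

if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    for hit in find_run_persistence(reg) + find_shell_open_hijack(reg):
        print("registry:", *hit)
    for program in find_ini_run(SAMPLE_INI):
        print("win.ini run/load:", program)
```

The bare-name heuristic is deliberately narrow: it keys on what the description actually shows (an unqualified executable name in both the Run value and the file-association command) rather than on the specific strings "Internet.exe" or "uaiia.exe", so a renamed dropper is still caught while a full-path handler such as the Notepad entry is not. Run it against a real `reg export` of the two Run keys and HKCR and the contents of `%windir%\win.ini` from the suspect host.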
The trojan may create the text file:
The following information is collected:
- computer name
- CPU information
- list of running processes
- display resolution
- list of disk devices and their type
- list of files/folders on a specific drive
- webcam video/voice
The trojan attempts to send gathered information to a remote machine.
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a URL address. The TCP, HTTP and FTP protocols are used in the communication.
It may perform the following actions:
- execute shell commands
- create files
- delete files
- copy files
- create folders
- delete folders
- set file attributes
- run executable files
- terminate running processes
- download files from a remote computer and/or the Internet
- send files to a remote computer
- set up a proxy server
- manipulate application windows
- open the CD/DVD drive
- show a toast message
- shut down/restart the computer
- update itself to a newer version
- send gathered information