Win32/Xorasi [Threat Name]
Win32/Xorasi.H [Threat Variant Name]
|Detection created|May 20, 2015|
|Signature database version|11656|
The trojan serves as a backdoor. It can be controlled remotely. The trojan is usually a part of other malware.
The trojan does not create any copies of itself.
The following Registry entries are created:
- "Date" = %number%
- "CurDate" = %number%
- "StepDay" = %number%
A variable numerical value is used instead of %number%.
The trojan collects the following information:
- volume serial number
- operating system version
The trojan attempts to send gathered information to a remote machine.
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a URL address. The HTTP protocol is used in the communication.
It may perform the following actions:
- download files from a remote computer and/or the Internet
- run executable files
- execute shell commands
- send gathered information
- uninstall itself
The trojan may create the following files in the %temp% folder:
A string with variable content is used instead of %variable%.