Backdoor.XTRat

Short bio

Backdoor.XTRat is a Remote Access Trojan (RAT) application that may run in the background and silently collect information about the system, connected users, and network activity. Backdoor.XTRat may attempt to steal stored credentials, usernames and passwords and other personal and confidential information. This information may be transmitted to a destination specified by the author. Backdoor.XTRat may allow an attacker to install additional software on the infected machine, or may direct the infected machine to participate in a malicious botnet for the purposes of sending spam or other malicious activities.

Symptoms

Backdoor.XTRat may run silently in the background and may not provide any indication of infection to the user. Backdoor.XTRat may also disable antivirus programs and other Microsoft Windows security features.

Type and source of infection

Backdoor.XTRat may be distributed using various methods. This software may be packaged with free online software, or could be disguised as a harmless program and distributed by email. Alternatively, this software may be installed by websites using software vulnerabilities. Infections that occur in this manner are usually silent and happen without the user's knowledge or consent.

Protection

Malwarebytes protects users from installing Backdoor.XTRat.

Malwarebytes detects and removes Backdoor.XTRat.

Remediation

Malwarebytes can detect and remove many Backdoor.XTRat infections without further user interaction.

  1. Please download Malwarebytes to your desktop.
  2. Double-click MBSetup.exe and follow the prompts to install the program.
  3. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
  4. Click on the Get started button.
  5. Click Scan to start a Threat Scan.
  6. Click Quarantine to remove the found threats.
  7. Reboot the system if prompted to complete the removal process.

Malwarebytes removal log

A Malwarebytes log of removal will look similar to this:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 3/23/18
Scan Time: 1:03 AM
Log File: 47faa719-2e68-11e8-8b80-00ffc8517b86.json
Administrator: Yes

-Software Information-
Version: 3.4.4.2398
Components Version: 1.0.322
Update Package Version: 1.0.4456
License: Premium

-System Information-
OS: Windows 7 Service Pack
CPU: x64
File System: NTFS
User: DE-WIN7\Fwiplayer

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 297935
Threats Detected: 24
Threats Quarantined: 24
Time Elapsed: 3 min, 3 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 4
Backdoor.HMCPol.Gen, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{5D6J2PL7-665M-030P-4SMQ-7L1F1X7AS68U}, Quarantined, [11996], [215597], 1.0.4456
Backdoor.HMCPol.Gen, HKU\S-1-5-21-2165681608-3755637219-621560601-1000\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{5D6J2PL7-665M-030P-4SMQ-7L1F1X7AS68U}, Quarantined, [11996], [215597], 1.0.4456
Backdoor.Agent, HKU\S-1-5-21-2165681608-3755637219-621560601-1000\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{5460C4DF-B266-909E-CB58-E32B79832EB2}, Quarantined, [85], [163598], 1.0.4456
Backdoor.Agent, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{5460C4DF-B266-909E-CB58-E32B79832EB2}, Quarantined, [85], [163598], 1.0.4456

Registry Value: 4
Backdoor.HMCPol.Gen, HKU\S-1-5-21-2165681608-3755637219-621560601-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|HKCU, Quarantined, [11996], [215597], 1.0.4456
Backdoor.HMCPol.Gen, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|HKLM, Quarantined, [11996], [215597], 1.0.4456
PUM.Optional.UserWLoad, HKU\S-1-5-21-2165681608-3755637219-621560601-1000\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS|LOAD, Quarantined, [13268], [251591], 1.0.4456
Backdoor.Agent.HKIGen, HKU\S-1-5-21-2165681608-3755637219-621560601-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|HKCU, Quarantined, [11625], [189233], 1.0.4456

Registry Data: 1
Backdoor.XTRat, HKU\S-1-5-21-2165681608-3755637219-621560601-1000\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS|Load, Replaced, [621], [483292], 1.0.4456

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 15
Trojan.Agent.TMP, C:\USERS\FWIPLAYER\APPDATA\ROAMING\TMP.EXE, Quarantined, [3019], [232273], 1.0.4456
Backdoor.SpyNet.Trace, C:\USERS\FWIPLAYER\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\iJune22.lnk, Quarantined, [697], [306250], 1.0.4456
Backdoor.NanoCore.Trace.Generic, C:\USERS\FWIPLAYER\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\m095usKzjL.eu.url, Quarantined, [8678], [256248], 1.0.4456
Backdoor.HMCPol.Gen, C:\WINDOWS\INSTALLDIR\SERVER.EXE, Delete-on-Reboot, [11996], [215597], 1.0.4456
Backdoor.XTRat, C:\USERS\FWIPLAYER\APPDATA\LOCAL\TEMP\System32\Chrome.exe.lnk, Quarantined, [621], [483292], 1.0.4456
Backdoor.XTRat, C:\USERS\FWIPLAYER\APPDATA\LOCAL\TEMP\SYSTEM32\CHROME.EXE, Quarantined, [621], [483292], 1.0.4456
Backdoor.Agent, C:\USERS\FWIPLAYER\APPDATA\ROAMING\SYSTEM32\CHROME.EXE, Quarantined, [85], [163598], 1.0.4456
Backdoor.XTRat, C:\USERS\FWIPLAYER\DESKTOP\XTRAT3.TXT.EXE, Quarantined, [621], [25406], 1.0.4456
Backdoor.XTRat, C:\USERS\FWIPLAYER\APPDATA\ROAMING\M095USKZJL\M095USKZJL.SCR, Quarantined, [621], [483306], 1.0.4456
Backdoor.XTRat, C:\USERS\FWIPLAYER\DESKTOP\XTRAT.EXE, Quarantined, [621], [494259], 1.0.4456
Backdoor.XTRat, C:\USERS\FWIPLAYER\DESKTOP\XTRAT2.EXE, Quarantined, [621], [483306], 1.0.4456
Backdoor.XTRat, C:\USERS\FWIPLAYER\APPDATA\LOCAL\TEMP\IJUNE22.EXE, Quarantined, [621], [25406], 1.0.4456
Backdoor.XTRat, C:\USERS\FWIPLAYER\APPDATA\ROAMING\Microsoft\Windows\Recent\xtrat3.txt.lnk, Quarantined, [621], [25406], 1.0.4456
Backdoor.XTRat, D:\MALWARE_SAMPLES_WRITEUP_PROJECT\XTRAT3.TXT.EXE, Quarantined, [621], [25406], 1.0.4456

Physical Sector: 0
(No malicious items detected)

(end)

Traces/IOCs

You may see these entries in FRST logs:

() C:\Windows\InstallDir\Server.exe

[{FFBD928C-671A-470E-BD37-B4AA2D008DBF}] => (Allow) C:\Users\Fwiplayer\AppData\Local\Temp\windows.exe

[{DB40A1AF-FBB5-4F44-BC54-8767DF3F1E25}] => (Allow) C:\Users\Fwiplayer\AppData\Local\Temp\windows.exe

[{17C551F6-2EB6-4100-AA39-6267792D69E5}] => (Allow) C:\Users\Fwiplayer\AppData\Local\Temp\server.exe

[{2208C458-DEF4-4178-BC1F-79730E807115}] => (Allow) C:\Users\Fwiplayer\AppData\Local\Temp\server.exe

\\Run: [HKCU] => C:\Users\Fwiplayer\AppData\Local\Temp\System32\Chrome.exe [952832 2018-03-23] () <==== ATTENTION

\\CurrentVersion\Windows: [Load] C:\Users\FWIPLA~1\AppData\Local\Temp\System32\Chrome.exe.lnk <==== ATTENTION

GroupPolicy\User: Restriction <==== ATTENTION

Associated files:

Chrome.exe, Firefox.exe, server.exe, svchost.exe
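The removal log and the FRST entries above share a pattern a responder wants pulled out quickly: autostart entries (Run values, the Winlogon Load value, Active Setup components, Startup-folder items) and firewall allow rules pointing at executables under the user profile, including a fake "System32" folder under Temp. The script below is an added example, not Malwarebytes or FRST code: it parses Malwarebytes "-Scan Details-" lines and FRST entries, tags each with the indicator it represents, and flags user-writable and look-alike system paths. The path heuristics are this example's own assumptions, and the sample lines are constructed from the entries on this page.

```python
"""Triage Malwarebytes scan-detail lines and FRST entries (added example, not vendor code)."""
import re
from collections import Counter

# Malwarebytes 3.x "-Scan Details-" line:
#   <detection>, <object>, <action>, [<sig id>], [<sig id>], <db version>
MB_LINE = re.compile(
    r"^(?P<detection>[\w.]+),\s*(?P<obj>.+?),\s*(?P<action>[A-Za-z-]+),\s*"
    r"\[(?P<id1>\d+)\],\s*\[(?P<id2>\d+)\],\s*(?P<db>[\d.]+)\s*$"
)
# Any Windows path, allowing single spaces inside (e.g. "START MENU").
WIN_PATH = re.compile(r"[A-Za-z]:\\[^\s,\[\]<>]+(?: [^\s,\[\]<>]+)*")

# Assumed heuristics (this example's, not Malwarebytes'): programs under a user
# profile are not where system components live, and a "System32" folder under
# AppData or Temp is a name chosen to look legitimate.
USER_WRITABLE = re.compile(r"\\USERS\\[^\\]+\\(APPDATA|DESKTOP|DOWNLOADS)\\", re.I)
FAKE_SYSTEM_DIR = re.compile(r"\\(APPDATA|TEMP)\\.*\\SYSTEM32\\", re.I)

# Autostart / tamper indicators, matching both the Malwarebytes "KEY|VALUE"
# spelling and the FRST "...\Run: [name] =>" spelling.
INDICATORS = [
    ("Run value", re.compile(r"\\RUN(\||:)", re.I)),
    ("Winlogon Load value", re.compile(r"\\WINDOWS(\|LOAD|: \[LOAD\])", re.I)),
    ("Active Setup component", re.compile(r"\\ACTIVE SETUP\\INSTALLED COMPONENTS\\", re.I)),
    ("Startup folder item", re.compile(r"\\START MENU\\PROGRAMS\\STARTUP\\", re.I)),
    ("Firewall allow rule", re.compile(r"=> \(Allow\) ")),
    ("Group Policy restriction", re.compile(r"^GroupPolicy\\.*Restriction")),
]


def classify(line):
    """Return a triage record for one log line, or None for lines carrying no object."""
    line = line.strip()
    m = MB_LINE.match(line)
    if m:
        source, detection, obj, action = "malwarebytes", m["detection"], m["obj"], m["action"]
    else:
        source, detection, obj, action = "frst", None, line, None
    paths = WIN_PATH.findall(obj)
    indicator = next((name for name, rx in INDICATORS if rx.search(obj)), None)
    if source == "frst" and not paths and indicator is None:
        return None  # header, summary or "(No malicious items detected)" line
    return {
        "source": source,
        "detection": detection,
        "action": action,
        "object": obj,
        "paths": paths,
        "indicator": indicator,
        "user_writable": any(USER_WRITABLE.search(p) for p in paths),
        "fake_system_dir": any(FAKE_SYSTEM_DIR.search(p) for p in paths),
    }


def summarize(lines):
    """Aggregate what a responder wants to see first from a mixed set of log lines."""
    records = [r for r in map(classify, lines) if r]
    return {
        "detections": Counter(r["detection"] for r in records if r["detection"]),
        "indicators": Counter(r["indicator"] for r in records if r["indicator"]),
        "user_writable_paths": sorted({p for r in records if r["user_writable"] for p in r["paths"]}),
        "fake_system_dirs": sorted({p for r in records if r["fake_system_dir"] for p in r["paths"]}),
        # Items Malwarebytes could not remove while running; verify they are gone after the reboot.
        "pending_reboot": [r["object"] for r in records if r["action"] == "Delete-on-Reboot"],
    }


# Constructed sample: a subset of the Malwarebytes and FRST entries shown on this page.
SAMPLE_LINES = r"""
Backdoor.HMCPol.Gen, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{5D6J2PL7-665M-030P-4SMQ-7L1F1X7AS68U}, Quarantined, [11996], [215597], 1.0.4456
Backdoor.HMCPol.Gen, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|HKLM, Quarantined, [11996], [215597], 1.0.4456
Backdoor.XTRat, HKU\S-1-5-21-2165681608-3755637219-621560601-1000\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS|Load, Replaced, [621], [483292], 1.0.4456
Backdoor.SpyNet.Trace, C:\USERS\FWIPLAYER\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\iJune22.lnk, Quarantined, [697], [306250], 1.0.4456
Backdoor.XTRat, C:\USERS\FWIPLAYER\APPDATA\LOCAL\TEMP\SYSTEM32\CHROME.EXE, Quarantined, [621], [483292], 1.0.4456
Backdoor.HMCPol.Gen, C:\WINDOWS\INSTALLDIR\SERVER.EXE, Delete-on-Reboot, [11996], [215597], 1.0.4456
Backdoor.XTRat, D:\MALWARE_SAMPLES_WRITEUP_PROJECT\XTRAT3.TXT.EXE, Quarantined, [621], [25406], 1.0.4456
() C:\Windows\InstallDir\Server.exe
[{FFBD928C-671A-470E-BD37-B4AA2D008DBF}] => (Allow) C:\Users\Fwiplayer\AppData\Local\Temp\windows.exe
\\Run: [HKCU] => C:\Users\Fwiplayer\AppData\Local\Temp\System32\Chrome.exe [952832 2018-03-23] () <==== ATTENTION
\\CurrentVersion\Windows: [Load] C:\Users\FWIPLA~1\AppData\Local\Temp\System32\Chrome.exe.lnk <==== ATTENTION
GroupPolicy\User: Restriction <==== ATTENTION
""".strip().splitlines()

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

Run it against a full saved Malwarebytes log or FRST.txt by reading the file into `summarize()`; lines that carry no object (headers, counts, "No malicious items detected") are skipped. The `pending_reboot` list is the part worth re-checking after the reboot that step 7 of the remediation asks for, since those files were still in use when the scan ran.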
