System Infected: W32.Extrat RAT Activity 2

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects W32.Extrat trojan activity on an infected system.

Additional Information

The worm is related to the following remote access tools (RATs):

  • Xtreme RAT
  • Spy-Net RAT

When the worm is executed, it creates the following file:

  • %Windir%\installdir\server.exe

The worm opens a back door on the compromised computer, allowing an attacker to perform the following actions:

  • Access files
  • Steal stored passwords
  • Issue commands
  • Activate and view a webcam
  • Record keystrokes
  • Create an HTTP proxy
  • Connect to a control server on TCP

The worm may inject itself into iexplore.exe, or any customizable process.

Affected

  • Various versions of Windows