Trojan-Downloader.Win32.Xanda.a Description

Trojan-Downloader.Win32.Xanda.a contains malicious software that it drops and installs onto a victim’s computer. Trojan-Downloader.Win32.Xanda.a may download a backdoor onto a compromised PC, giving remote attackers access to the system. Trojan-Downloader.Win32.Xanda.a may also surreptitiously turn a compromised PC into a bot that is used for other malicious activities. Trojan-Downloader.Win32.Xanda.a is a security threat that must be removed.

Type: Trojans

Aliases: Mal/Emogen-H, Mal/Emogen-F (Sophos), TrojanDropper:Win32/Gontu.B (Microsoft), Trojan-Dropper.Win32.Gontu (Ikarus).

How Can You Detect Trojan-Downloader.Win32.Xanda.a?

Trojan-Downloader.Win32.Xanda.a Technical Report

As new Trojan-Downloader.Win32.Xanda.a details are reported by our customers and findings from our Threat Research Center, we will update this section.

Trojan-Downloader.Win32.Xanda.a’s Country of Origin:

• China

Trojan-Downloader.Win32.Xanda.a has typically the following processes in memory:

• %System%\SoundPC32.exe
• %System%\SoundPC32.dll

Trojan-Downloader.Win32.Xanda.a creates the following registry entries:

• [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3AC4BF88-8BEB-4B87-AFBC-D090AB40B812}\TypeLib]
• (Default) = “BrowserHelper.CBrowserHelper”
• [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3AC4BF88-8BEB-4B87-AFBC-D090AB40B812}]
• [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{82AF841B-4CBA-4F0D-87D9-39B38B317EF6}\ProxyStubClsid32]
• [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{82AF841B-4CBA-4F0D-87D9-39B38B317EF6}]
• [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A6E321E0-D1CC-4D57-8486-D9672D068B67}\1.0\HELPDIR]
• (Default) = “0″
• [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BrowserHelper.CBrowserHelper\Clsid]
• [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
• (Default) = “1.0″
• [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3AC4BF88-8BEB-4B87-AFBC-D090AB40B812}\ProgID]
• (Default) = “%System%\SoundPC32.dll”
• Version = “1.0″
• [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{82AF841B-4CBA-4F0D-87D9-39B38B317EF6}\ProxyStubClsid]
• [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A6E321E0-D1CC-4D57-8486-D9672D068B67}\1.0\0\win32]
• [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A6E321E0-D1CC-4D57-8486-D9672D068B67}\1.0\FLAGS]
• (Default) = “BrowserHelper”
• [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BrowserHelper.CBrowserHelper]
• [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3AC4BF88-8BEB-4B87-AFBC-D090AB40B812}\VERSION]
• (Default) = “{A6E321E0-D1CC-4D57-8486-D9672D068B67}”
• [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3AC4BF88-8BEB-4B87-AFBC-D090AB40B812}\InprocServer32]
• [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{82AF841B-4CBA-4F0D-87D9-39B38B317EF6}\TypeLib]
• (Default) = “{00020424-0000-0000-C000-000000000046}”
• (Default) = “CBrowserHelper”
• (Default) = “%Windir%\system32″
• [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A6E321E0-D1CC-4D57-8486-D9672D068B67}\1.0]
• (Default) = “{3AC4BF88-8BEB-4B87-AFBC-D090AB40B812}”

Important Article Disclaimer