Win32/Xorasi [Threat Name] go to Threat

Win32/Xorasi.A [Threat Variant Name]

Category trojan
Size 1556992 B
Short description

The trojan serves as a backdoor. It can be controlled remotely.


When executed, the trojan creates the following files:

  • %commonappdata%\­Adobe\­Taskil\­taskil.exe (379904 B, Win32/Xorasi.A)
  • %system%\­timeout.exe (28672 B)
  • %system%\­unrar.exe (266240 B)
  • %system%\­wget.exe (401408 B)
  • %system%\­winnet.exe (412672 B, Win32/Xorasi.A)

The trojan schedules a task that causes the following file to be executed repeatedly:

  • %system%\­winnet.exe
  • %commonappdata%\­Adobe\­Taskil\­taskil.exe

This causes the trojan to be executed on every system start.

After the installation is complete, the trojan deletes the original executable file.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (3) URLs. The HTTP protocol is used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • execute shell commands
  • open a specific URL address
  • uninstall itself
  • update itself to a newer version
  • change the home page of web browser

The trojan changes the home page of the following web browsers:

  • Internet Explorer
  • Mozilla Firefox
  • Google Chrome

The trojan keeps various information in the following Registry keys:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Update]
  • [HKEY_CURRENT_USER\­Software\­Google\­Chrome\­Browser]

Please enable Javascript to ensure correct displaying of this content and refresh this page.