Threat Research & Response Blog
We recently noticed a new malware threat that is spreading via email. The email carries a malicious ‘CHM’ (Microsoft Compiled HTML Help) file attachment which, when opened, displays a document in Chinese and English about free speech and media freedom during the Olympics. We have added detection for this threat and named it ‘Backdoor:Win32/Xinia.B’. You can read more about it in our encyclopedia.
When the CHM file is opened, it writes a malicious file to “c:\windows\downloaded program files\winupdate.exe” and then executes it. The backdoor also writes itself to the Windows system32 folder as tlntsvr.exe, and drops an additional DLL named lottery.dll. The DLL is injected into explorer.exe so that it is hidden while running on the system. We detect the DLL as ‘Backdoor:Win32/Xinia.B.dll’. To ensure that only one copy of the backdoor is running, it checks for, and registers, a mutex named ‘UTTERRE’.
Once running, it records keystrokes and collects information about the host on which it’s running. All the data that it gathers is then sent to a remote computer on the Internet.
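The artifacts listed above (the two dropped executables, the lottery.dll load inside explorer.exe, and the UTTERRE mutex) are enough to build a simple host-correlation check. The following Python script is an added example, not code from the original post or from Microsoft; the JSON event schema and the sample telemetry it runs over are constructed for illustration. One caveat worth building in: tlntsvr.exe is also the file name of the legitimate Windows Telnet Server service binary in system32, so a bare file-name match on it is a weak signal. The script therefore gives it a low weight and only flags a host when a more specific artifact (the winupdate.exe drop, lottery.dll in explorer.exe, or the mutex) is also present.

```python
"""Correlate host telemetry against the Backdoor:Win32/Xinia.B artifacts
described in the post above.

Added example, not code from the original post or from Microsoft. The
JSON-lines event schema (host/type plus per-type fields) and the sample
events below are constructed for illustration.
"""
import json
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Artifacts named in the write-up. Paths are lower-cased for comparison
# because Windows file names are case-insensitive.
WINUPDATE_PATH = r"c:\windows\downloaded program files\winupdate.exe"
TLNTSVR_PATH = r"c:\windows\system32\tlntsvr.exe"
INJECTED_DLL = "lottery.dll"
INJECTION_TARGET = "explorer.exe"
MUTEX_NAME = "UTTERRE"

# tlntsvr.exe is also the legitimate Windows Telnet Server binary name, so it
# is only a weak signal on its own; the other artifacts are family-specific.
INDICATOR_WEIGHTS = {
    "winupdate_dropped": 2,
    "tlntsvr_dropped": 1,
    "lottery_dll_in_explorer": 2,
    "mutex_utterre": 2,
}
ALERT_THRESHOLD = 2


def _norm(p: str) -> str:
    return p.strip().lower()


def _basename(p: str) -> str:
    return _norm(p).rsplit("\\", 1)[-1]


def classify_event(ev: Dict) -> Optional[str]:
    """Map one telemetry event to an indicator name, or None if nothing matches.

    Constructed schema:
      {"host": ..., "type": "file_create",  "path": ...}
      {"host": ..., "type": "image_load",   "process": ..., "image": ...}
      {"host": ..., "type": "mutex_create", "name": ...}
    """
    kind = ev.get("type")
    if kind == "file_create":
        path = _norm(ev.get("path", ""))
        if path == WINUPDATE_PATH:
            return "winupdate_dropped"
        if path == TLNTSVR_PATH:
            return "tlntsvr_dropped"
    elif kind == "image_load":
        # Only a load of lottery.dll into explorer.exe matches the described injection.
        if (_basename(ev.get("process", "")) == INJECTION_TARGET
                and _basename(ev.get("image", "")) == INJECTED_DLL):
            return "lottery_dll_in_explorer"
    elif kind == "mutex_create":
        # Mutex names are case-sensitive, so compare exactly.
        if ev.get("name") == MUTEX_NAME:
            return "mutex_utterre"
    return None


def correlate(lines: Iterable[str]) -> Dict[str, Tuple[int, List[str]]]:
    """Score each host and return {host: (score, indicators)} for hosts at or above threshold."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        indicator = classify_event(ev)
        if indicator is not None:
            seen[ev["host"]].add(indicator)
    flagged: Dict[str, Tuple[int, List[str]]] = {}
    for host, indicators in seen.items():
        score = sum(INDICATOR_WEIGHTS[i] for i in indicators)
        if score >= ALERT_THRESHOLD:
            flagged[host] = (score, sorted(indicators))
    return flagged


# Constructed sample telemetry (not captured data). WS01 shows the full chain,
# WS02 only has the legitimate-looking tlntsvr.exe, WS03 loads lottery.dll into
# an unrelated process and should not match.
SAMPLE_EVENTS = [
    r'{"host":"WS01","type":"file_create","path":"C:\\Windows\\Downloaded Program Files\\winupdate.exe"}',
    r'{"host":"WS01","type":"file_create","path":"C:\\Windows\\System32\\tlntsvr.exe"}',
    r'{"host":"WS01","type":"image_load","process":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\lottery.dll"}',
    r'{"host":"WS01","type":"mutex_create","name":"UTTERRE"}',
    r'{"host":"WS02","type":"file_create","path":"C:\\Windows\\System32\\tlntsvr.exe"}',
    r'{"host":"WS03","type":"image_load","process":"C:\\Program Files\\Example\\app.exe","image":"C:\\Temp\\lottery.dll"}',
    r'{"host":"WS03","type":"file_create","path":"C:\\Users\\Public\\notes.txt"}',
]

if __name__ == "__main__":
    for host, (score, indicators) in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: score={score} indicators={indicators}")
```

Run stand-alone, the script flags only WS01. The keystroke logging and exfiltration described in the post leave no file or mutex artifact this check can see; those would need process-behavior or network telemetry instead.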
Hong Jia & Tareq Saade