My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets



Added to the Dr.Web virus database: 2019-09-18

Virus description added:

Packer: absent

Compilation date: 08:48:05 27.07.2010

SHA1 hash:

  • 3e1d66ea09b7c4dbe3c6ffe58262713806564c17 (svchost.exe)


Trojan.XPath.1 is an installer for the multi-functional XPath backdoor. It operates on both 32-bit and 64-bit Microsoft Windows operating systems. The payload is extracted by installing the driver or by utilizing COM Hijacking.

Operating routine

Using the 5-byte magic number, the installer checks whether the configuration embedded in it has encryption. The configuration is then used for the payload functioning. If there is no encryption, the program shuts down.

After that, the malware receives information about the OS version, UAC settings and checks whether the user has administrative privileges. A string is formed from obtained data:


Then, the program outputs it via the OutputDebugStringA function.

Next, the trojan attempts to install its driver. In case of failure, an attempt is made to install the module using COM Hijacking.

After that, the program deletes its file from the disk and terminates its process.

Driver installation

It deletes the yyyyyyyyGoogle.sys file from the %WINDIR%\\tracing\\ directory. It extracts the desired driver version from its body, depending on the system architecture bit widths, and saves it to the specified path. Drivers are stored in the sample being compressed via the APLib library and are additionally encrypted by an algorithm based on the XOR operation with a single-byte key.

It then stores its payload in the registry as three modules. It uses [HKLM\\SOFTWARE\\Microsoft\\LoginInfo] as its working registry branch. It creates keys in it and saves the payload there:

  • Video — configuration;
  • DirectShow — XPath module;
  • DirectDraw — PayloadDll module.

The modules are hardcoded in the trojan’s body in a similar form to the driver (using APLib and XOR) and are present in two versions — for both 32-bit and 64-bit systems. Each module uses its own single-byte key. The modules are saved as a structure:

#pragma pack(push,1)
struct mod
  _DWORD compressed_size;
  _DWORD decompressed_size;
  _BYTE data[compressed_size];
#pragma pack(pop)

The data module is decoded, but remains compressed.

The program then attempts to create a service with autorun and ImagePath to the extracted driver. The driver file name is used as the service name.

If the service cannot be launched via SCManager and the service has already been created, an attempt is made to start the driver via ZwLoadDriver.

To check if the driver is working, the malware attempts to open the \\.\BaiduHips device. In case of failure, a second attempt is made after 100 milliseconds. A total of 15 attempts are made, after which the driver installation is considered incomplete.

If the driver is running, it sequentially starts the %WINDIR%\\System32\\ping.exe], [%WINDIR%\\System32\\rundll32.exe, %WINDIR%\\System32\\svchost.exe] and [%WINDIR%\\System32\\lsass.exe processes.

COM Hijacking

The program saves its modules in the registry the same way as when installing the driver, but this time using [HKCU\\SOFTWARE\\Microsoft\\LoginInfo] as the home branch.

It iterates through the registry keys in the HKU section and searches for a key with a name containing the S-1-5-21- substring and does not contain the _Classes substring. Inside this key, it creates the Software\\Classes\\CLSID\\{ECD4FC4D-521C-11D0-B792-00A0C90312E1}\\ key for Windows 2000, Windows XP, Windows Server 2003, and the Software\\Classes\\CLSID\\{B12AE898-D056-4378-A844-6D393FE37956}\\ key for Windows Vista or later. For this key it sets the %TMP%\\Microsoft\\ReplaceDll.dll path as the parameter value (by default). It also creates the ThreadingModel parameter with the Apartment value.

After that, it unpacks the PayloadDll module into the %TMP%\\Microsoft\\ReplaceDll.dll directory.


Trojan.XPath.1 file contains leftover debugging information that reveals the paths and source code file names:


The original function names are:


The file also contains various debugging messages:

start TRUE:%s,%d\n
    pOpenSCManager false:%s,%d\n
    ZwLoadDriver false1 :%s,%d,%d\n
    ZwLoadDriver false2 :%s,%d,%d\n
    ZwLoadDriver false3 :%s,%d,%d\n
    ZwLoadDriver false1 :%x\n
    ZwLoadDriver ok : %x\n
   ZwLoadDriver false: %x
    setinfo false:%s,%d겣%d\n
   install all failed\n
    can not pCreateFile,inst failed :%s,%d\n

The setinfo false string is the most interesting. It contains the 0xACA3 sybmol, which in Unicode corresponds to the "겣" hieroglyph. This hieroglyph is used in South and North Korean writing.

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Download Dr.Web

Download by serial number

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Download Dr.Web

Download by serial number

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android

© Doctor Web
2003 — 2022

Doctor Web is a cybersecurity company focused on threat detection, prevention and response technologies