My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets



Added to the Dr.Web virus database: 2019-09-18

Virus description added:

Packer: absent

Compilation dates:

  • 11:22:57 16.11.2017 (x86 version)
  • 11:22:54 16.11.2017 (x64 version)

SHA1 hashes:

  • b6fba9877ad79ce864d75b91677156a33a59399e (x86)
  • 8cc16ad99b40ff76ae68d7b3284568521e6413d9 (x64)


Trojan.XPath.2 is a driver for the multi-function XPath backdoor. It has two versions for both 32-bit and 64-bit Microsoft Windows operating systems. The component is designed to inject the payload loader into the lsass.exe process, as well as for traffic filtering.

Operating routine

Trojan.XPath.1 serves as a loader for the driver.

Operating in Windows starting from Vista or higher is based on the source code of the WinDivert 1.1 (30.06.2013) - 1.2 (17.07.2015).

Operating in Windows starting from Windows 2000 up to Vista is based on the source code of the WinPcap.

Drivers have the following digital signatures:

CN = Anhua Xinda (Beijing) Technology Co., Ltd.
OU = Digital ID Class 3 - Microsoft Software Validation v2
O = Anhua Xinda (Beijing) Technology Co., Ltd.
L = Beijing
S = Beijing
C = CN
CN = 长沙马沙电子科技有限公司
O = 长沙马沙电子科技有限公司
L = 长沙市
S = 湖南省
C = CN

The trojan obtains the addresses of the necessary functions from a NDIS.SYS file:


It then checks which of the available modules — hal.dll, halmacpi.dll or halacpi.dll — was loaded, and gets the addresses of several functions from it:


Next, it checks if the ntdll.dll module is loaded. If it is not loaded, Trojan.XPath.2 independently maps the file into the memory, and gets the addresses of the necessary functions:


Then trojan creates the device \\Device\\test1 and the symbolic link \\DosDevices\\test1.

Via PsSetCreateProcessNotifyRoutine it sets a callback function in which it tracks the lsass.exe process creation. As soon as this process is started, the trojan reads the loader module (Trojan.XPath.3) from the registry [\\registry\\machine\\SOFTWARE\\Microsoft\\LoginInfo] 'DirectDraw'. Then it unpacks it and injects it into the lsass.exe. In the 64-bit version of the driver, code is injected via the PsSetLoadImageNotifyRoutine function.

The program waits until it can open \\Systemroot\\explorer.exe, then via IoCreateDriver it creates the \\FileSystem\\FsBaiduHips driver.

It records the following values in the registry:

  • [\\Registry\\Machine\\System\\CurrentControlSet\\Services\\yyyyyyyyGoogle] 'Group' = "Boot Bus Extender";
  • [\\Registry\\Machine\\System\\CurrentControlSet\\Services\\yyyyyyyyGoogle] 'DependOnService' = "FltMgr";
  • [\\Registry\\Machine\\System\\CurrentControlSet\\Services\\yyyyyyyyGoogle\\Instances] 'DefaultInstance' = 'yyyyyyyyGoogle Instance';
  • [\\Registry\\Machine\\System\\CurrentControlSet\\Services\\yyyyyyyyGoogle\\Instances\\yyyyyyyyGoogle Instance] 'Altitude' = '399999';
  • [\\Registry\\Machine\\System\\CurrentControlSet\\Services\\yyyyyyyyGoogle\\Instances\\yyyyyyyyGoogle Instance] 'Flags' = '00000000'.

Then it attempts to register as a minifilter. If the FltRegisterFilter function returns the STATUS_FLT_INSTANCE_ALTITUDE_COLLISION error, the program reduces the value of Altitude by one, and then retries.

When registering as the minifilter, the PreOperation callback function is set for IRP_MJ_CREATE:


For IRP_MJ_QUERY_INFORMATION a callback function is set:


For IRP_MJ_DIRECTORY_CONTROL, both the PreOperation and PostOperation callback functions are set. These four functions are used to conceal the driver file.

The trojan then creates the device \\Device\\BaiduHips and the symbolic link \\DosDevices\\BaiduHips.

Further behavior depends on the infected computer’s OS version.

BaiduHips (Windows 2000, Windows XP, Windows Server 2003)

The program registers the BaiduHips NDIS protocol.

To perform the firewall functionality, the driver intercepts the SendHandler, ReceiveHandler, ReceivePacketHandler, and OpenAdapterCompleteHandler functions:


Hooks are inserted only after receiving the IOCTL code 0x80000800. After that, the program starts filtering traffic (see below).

BaiduHips (Windows Vista, Windows Server 2008 or higher)

It creates a WDF driver, and passes [\\Registry\\Machine\\System\\CurrentControlSet\\Services\\BaiduHips] as the service path.

Further initialization is similar to the standard initialization of the WinDivert driver. The trojan tracks traffic transmitted over IPv4.

The most important difference from the standard WinDivert is the windivert_filter function, which filters packets (see below).


The second (in addition to payload launch) main function of the driver is to filter traffic. The firewall filters TCP/UDP packets transmitted over IPv4.

The rules are defined as structures:

#pragma pack(push, 1)
struct st_fw_add_tcp
  _WORD protocol;
  _DWORD pid;
  _BYTE src_mac[6];
  _BYTE dst_mac[6];
  _DWORD ack;
  _DWORD sn;
  _DWORD src_ip;
  _DWORD dst_ip;
  _WORD src_port;
  _WORD dst_port;
#pragma pack(pop)

The src_mac, dst_mac, ack, and sn fields are optional. It should be noted that depending on the packet direction, the fields are compared accordingly. In other words, to transmit a packet in both directions between two devices, a single rule is sufficient, where the recipient is the computer that runs this rootkit.

There are two ways to add firewall rules:

  • via the corresponding IOCTL code
  • by sending specially generated packets over the TCP Protocol

Special packet №1

This is a TCP packet with the following parameters:

  • The AckNum value is set to 0x87ED5409;
  • The SeqNum value is set to 0x1243FDEC;
  • RST flag is set.

When such a packet is received, a rule is added to the firewall that allows traffic to pass from the sender's IP address and the src_port + 1 port to the specified destination and in the opposite direction.

Special packet №2

This TCP packet size must be 32 bytes. The first 4 bytes are the key for decrypting the rest of the data. Decryption function:


Next, bytes from 4 up to 12 are compared with the 1I2#aLeb string. If a match occurs, a rule is added to the firewall that allows traffic flow from the sender's IP address and port.

It is worth noting that the TCP Handshake process is not performed and flags are ignored. Only the size of the data and the data itself matter.

IOCTL codes

The trojan’s IOCTL codes:

  • 0x80000800 — to insert hooks on network functions (only available on Windows versions up to Windows Vista)
  • 0x80000815 — to add a firewall rule for the TCP Protocol;
  • 0x80000819 —to delete a firewall rule for the TCP Protocol;
  • 0x8000081D —to add a firewall rule for the UDP Protocol;
  • 0x80000821 —to delete a firewall rule for the UDP Protocol;
  • 0x80001005 —to set the value of two variables (not used).

IOCTL codes from WinDivert (available only for OS versions starting from Vista and higher):

  • 0x80002422 — to receive a diverted packet;
  • 0x80002425 — to send a packet;
  • 0x80002429 — to start filtering;
  • 0x8000242D — to set the level;
  • 0x80002431 — to set the priority;
  • 0x80002435 — to set the flags;
  • 0x80002439 —to set the parameter;
  • 0x8000243E — to receive the parameter’s value.


In addition to project files path disclosed in PDB:


The code contains the names of specific files with the trojan’s source codes:


There are also various debugging messages:

out of memory2
out of memory3
out of memory4
del tcp pid:%d,%d,%d\n
size not match:%d,%d\n
get:%wZ mac:%02x-%02x-%02x-%02x-%02x-%02x
test my tcp packet,eth len:%d,%d-->%d\n
init drv :%d,%d\n
init drv :%x\n
\C:\InjectIntoProcess crash
\C:\NewProcess crash
\C:\ProcessGone crash
\C:\ProcessCallback crash
\C:\InitDriver crash

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and removable media you use. More about Dr.Web Security Space.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk , mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Download Dr.Web

Download by serial number

Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Download Dr.Web

Download by serial number

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android

© Doctor Web
2003 — 2023

Doctor Web is a cybersecurity company focused on threat detection, prevention and response technologies