Backdoor.Win32.PcClient_18f1316d05
Trojan.Win32.Qhost.it (Kaspersky), Trojan-Dropper.Win32.SpamThru.np (v) (VIPRE), Trojan.Spambot.BXD!IK (Emsisoft), Backdoor.Win32.PcClient.FD (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 18f1316d05f75451827d19001b1565d9
SHA1: 81b0f7a1656cc6962d784ce77fedb6f461fd8ffc
SHA256: 3091e105470cf08e5bc023131ece36d04fd5020f4475e1b43c53b4087047f3a1
SSDeep: 6144:7wiuXt5hC5xLKh6jkCUPj1J6a6azswSlJfG4:7wfXtWLY6jkCUPjXznSJO
Size: 212992 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: Armadillov171, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, UPolyXv05_v6
Company: no certificate found
Created at: 2007-08-11 09:00:44
Analyzed on: WindowsXP SP3 32-bit
Summary:
Backdoor. Malware that enables a remote control of victim's machine.
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
%original file name%.exe:1276
The Backdoor injects its code into the following process(es):
rundll32.exe:220
File activity
The process rundll32.exe:220 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%System%\drivers\etc\hosts (25 bytes)
The process %original file name%.exe:1276 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%System%\ffgpewn.dll (169 bytes)
Registry activity
The process rundll32.exe:220 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "51 72 A8 66 5A AE 6E BF 90 0E 80 53 C0 95 DA 73"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKCR\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304B20509}\InProcServer32]
"(Default)" = "%System%\ffgpewn.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"
[HKCR\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304B20509}\InProcServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"DCOM Server 20509" = "{2C1CD3D7-86AC-4068-93BC-A02304B20509}"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304B20509}" = "DCOM Server 20509"
The Backdoor deletes the following value(s) in system registry:
The Backdoor disables automatic startup of the application by deleting the following autorun value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"DCOM Server"
Network activity (URLs)
No activity has been detected.
HOSTS file anomalies
The Backdoor modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 1698 bytes in size. The following strings are added to the hosts file listed below:
| 127.0.0.1 | www.trendmicro.com |
| 127.0.0.1 | rads.mcafee.com |
| 127.0.0.1 | customer.symantec.com |
| 127.0.0.1 | liveupdate.symantec.com |
| 127.0.0.1 | us.mcafee.com |
| 127.0.0.1 | updates.symantec.com |
| 127.0.0.1 | www.nai.com |
| 127.0.0.1 | secure.nai.com |
| 127.0.0.1 | dispatch.mcafee.com |
| 127.0.0.1 | download.mcafee.com |
| 127.0.0.1 | www.my-etrust.com |
| 127.0.0.1 | mast.mcafee.com |
| 127.0.0.1 | ca.com |
| 127.0.0.1 | www.ca.com |
| 127.0.0.1 | networkassociates.com |
| 127.0.0.1 | www.networkassociates.com |
| 127.0.0.1 | avp.com |
| 127.0.0.1 | www.kaspersky.com |
| 127.0.0.1 | www.avp.com |
| 127.0.0.1 | downloads4.kaspersky-labs.com |
| 127.0.0.1 | downloads3.kaspersky-labs.com |
| 127.0.0.1 | downloads2.kaspersky-labs.com |
| 127.0.0.1 | downloads1.kaspersky-labs.com |
| 127.0.0.1 | www.f-secure.com |
| 127.0.0.1 | viruslist.com |
| 127.0.0.1 | www.viruslist.com |
| 127.0.0.1 | liveupdate.symantecliveupdate.com |
| 127.0.0.1 | www.mcafee.com |
| 127.0.0.1 | sophos.com |
| 127.0.0.1 | www.sophos.com |
| 127.0.0.1 | securityresponse.symantec.com |
| 127.0.0.1 | www.symantec.com |
Rootkit activity
No anomalies have been detected.
Propagation
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1276
- Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%System%\drivers\etc\hosts (25 bytes)
%System%\ffgpewn.dll (169 bytes) - Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost - Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
