Backdoor.Win32.PcClient_2c42a17c81
Trojan.Crypt.IW (BitDefender), TrojanDownloader:Win32/Dogkild.O (Microsoft), Trojan-Dropper.Win32.Mudrop.aod (Kaspersky), Trojan.Win32.Agent.a (fs) (VIPRE), Trojan.MulDrop.32002 (DrWeb), Trojan.Crypt.IW (B) (Emsisoft), Generic Dropper.jz (McAfee), Suspicious.MH690.A (Symantec), Trojan-Dropper.Win32.Mudrop (Ikarus), Worm/AutoRun.IZ (AVG), Win32:Agent-AFRT [Rtk] (Avast), TROJ_GERAL.SMQ (TrendMicro), Backdoor.Win32.PcClient.FD, GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan-Downloader, Trojan, Backdoor, Worm, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 2c42a17c818004580a1ed11003ea639e
SHA1: ccc3e25550fc1c7b144c47b747e9b9fd1e8e5fac
SHA256: 2023a0c370c51981239386a5be99612302e2df9f89e832dab5ade446c4615d15
SSDeep: 12288:xOEFz4KDelgGGnVAAtZMC12BXnh6ya sNzaOvoJpaz/g/J/vVQT:7VKlX8VAAtZp43u sNH8az/g/J/NQ
Size: 1106757 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-06-12 08:27:02
Summary:
Backdoor. Malware that enables a remote control of victim's machine.
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Backdoor's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Backdoor creates the following process(es):
taskkill.exe:3116
taskkill.exe:3764
taskkill.exe:3616
sc.exe:136
rundll32.exe:1172
The Backdoor injects its code into the following process(es):
%original file name%.exe:4044
File activity
The process rundll32.exe:1172 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%System%\drivers\acpiec.sys (12672 bytes)
The process %original file name%.exe:4044 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%WinDir%\Driver Cache\i386 (4096 bytes)
%System%\wbem\Repository\FS\OBJECTS.MAP (12288 bytes)
D:\1.exe (1106757 bytes)
%WinDir%\repair (4096 bytes)
%System%\func.dll (36353 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (4096 bytes)
C:\autorun.inf (21 bytes)
%System%\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} (4096 bytes)
%WinDir%\LastGood\system32 (4096 bytes)
%System%\drivers\etc\hosts (5743 bytes)
%WinDir% (4096 bytes)
%System%\drivers\pcidump.sys (11905 bytes)
%System%\dllcache (4096 bytes)
%WinDir%\inf (8192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%System%\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} (4096 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\test.pml (9359360 bytes)
%System%\config (4096 bytes)
%System%\drivers (4096 bytes)
%WinDir%\phpi.dll (45569 bytes)
D:\autorun.inf (21 bytes)
%System%\wbem\Repository\FS\MAPPING1.MAP (28672 bytes)
C:\1.exe (1106757 bytes)
Registry activity
The process taskkill.exe:3116 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE 05 0F BD FD A9 AC F5 1C F4 0F D9 A2 A8 00 A5"
The process taskkill.exe:3764 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "16 26 54 97 64 50 A2 EA 94 5B 14 9C F9 F7 63 BF"
The process taskkill.exe:3616 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E7 52 73 4F B0 B2 0F 15 56 86 8D 24 7C 6B 93 C9"
The process sc.exe:136 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 CB 54 AE 06 0E 01 D4 43 E3 7E 58 35 0B 12 7F"
The process rundll32.exe:1172 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 A8 7D 50 4A 86 63 3F BB DB 1B 04 52 F5 D9 52"
Network activity (URLs)
| URL | IP |
|---|---|
| 2a8k.cn |  Unresolvable |
HOSTS file anomalies
The Backdoor modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 5743 bytes in size. The following strings are added to the hosts file listed below:
| 127.0.0.1 | v.onondown.com.cn |
| 127.0.0.2 | ymsdasdw1.cn |
| 127.0.0.3 | h96b.info |
| 127.0.0.0 | fuck.zttwp.cn |
| 127.0.0.0 | www.hackerbf.cn |
| 127.0.0.0 | geekbyfeng.cn |
| 127.0.0.0 | 121.14.101.68 |
| 127.0.0.0 | ppp.etimes888.com |
| 127.0.0.0 | www.bypk.com |
| 127.0.0.0 | CSC3-2004-crl.verisign.com |
| 127.0.0.1 | va9sdhun23.cn |
| 127.0.0.0 | udp.hjob123.com |
| 127.0.0.2 | bnasnd83nd.cn |
| 127.0.0.0 | www.gamehacker.com.cn |
| 127.0.0.0 | gamehacker.com.cn |
| 127.0.0.3 | adlaji.cn |
| 127.0.0.1 | 858656.com |
| 127.1.1.1 | bnasnd83nd.cn |
| 127.0.0.1 | my123.com |
| 127.0.0.0 | user1.12-27.net |
| 127.0.0.1 | 8749.com |
| 127.0.0.0 | fengent.cn |
| 127.0.0.1 | 4199.com |
| 127.0.0.1 | user1.16-22.net |
| 127.0.0.1 | 7379.com |
| 127.0.0.1 | 2be37c5f.3f6e2cc5f0b.com |
| 127.0.0.1 | 7255.com |
| 127.0.0.1 | user1.23-12.net |
| 127.0.0.1 | 3448.com |
| 127.0.0.1 | www.guccia.net |
| 127.0.0.1 | 7939.com |
| 127.0.0.1 | a.o1o1o1.nEt |
| 127.0.0.1 | 8009.com |
| 127.0.0.1 | user1.12-73.cn |
| 127.0.0.1 | piaoxue.com |
| 127.0.0.1 | 3n8nlasd.cn |
| 127.0.0.1 | kzdh.com |
| 127.0.0.0 | www.sony888.cn |
| 127.0.0.1 | about.blank.la |
| 127.0.0.0 | user1.asp-33.cn |
| 127.0.0.1 | 6781.com |
| 127.0.0.0 | www.netkwek.cn |
| 127.0.0.1 | 7322.com |
| 127.0.0.0 | ymsdkad6.cn |
| 127.0.0.0 | www.lkwueir.cn |
| 127.0.0.1 | 06.jacai.com |
| 127.0.1.1 | user1.23-17.net |
| 127.0.0.1 | 1.jopenkk.com |
| 127.0.0.0 | upa.luzhiai.net |
| 127.0.0.1 | 1.jopenqc.com |
| 127.0.0.0 | www.guccia.net |
| 127.0.0.1 | 1.joppnqq.com |
| 127.0.0.0 | 4m9mnlmi.cn |
| 127.0.0.1 | 1.xqhgm.com |
| 127.0.0.0 | mm119mkssd.cn |
| 127.0.0.1 | 100.332233.com |
| 127.0.0.0 | 61.128.171.115:8080 |
| 127.0.0.1 | 121.11.90.79 |
| 127.0.0.0 | www.1119111.com |
| 127.0.0.1 | 121565.net |
| 127.0.0.0 | win.nihao69.cn |
| 127.0.0.1 | 125.90.88.38 |
| 127.0.0.1 | 16888.6to23.com |
| 127.0.0.1 | 2.joppnqq.com |
| 127.0.0.0 | puc.lianxiac.net |
| 127.0.0.1 | 204.177.92.68 |
| 127.0.0.0 | pud.lianxiac.net |
| 127.0.0.1 | 210.74.145.236 |
| 127.0.0.0 | 210.76.0.133 |
| 127.0.0.1 | 219.129.239.220 |
| 127.0.0.0 | 61.166.32.2 |
| 127.0.0.1 | 219.153.40.221 |
| 127.0.0.0 | 218.92.186.27 |
| 127.0.0.1 | 219.153.46.27 |
| 127.0.0.0 | www.fsfsfag.cn |
| 127.0.0.1 | 219.153.52.123 |
| 127.0.0.0 | ovo.ovovov.cn |
| 127.0.0.1 | 221.195.42.71 |
| 127.0.0.0 | dw.com.com |
| 127.0.0.1 | 222.73.218.115 |
| 127.0.0.1 | 203.110.168.233:80 |
| 127.0.0.1 | 3.joppnqq.com |
| 127.0.0.1 | 203.110.168.221:80 |
| 127.0.0.1 | 363xx.com |
| 127.0.0.1 | www1.ip10086.com.cm |
| 127.0.0.1 | 4199.com |
| 127.0.0.1 | blog.ip10086.com.cn |
| 127.0.0.1 | 43242.com |
| 127.0.0.1 | www.ccji68.cn |
| 127.0.0.1 | 5.xqhgm.com |
| 127.0.0.0 | t.myblank.cn |
| 127.0.0.1 | 520.mm5208.com |
| 127.0.0.0 | x.myblank.cn |
| 127.0.0.1 | 59.34.131.54 |
| 127.0.0.1 | 210.51.45.5 |
| 127.0.0.1 | 59.34.198.228 |
| 127.0.0.1 | www.ew1q.cn |
| 127.0.0.1 | 59.34.198.88 |
| 127.0.0.1 | 59.34.198.97 |
| 127.0.0.1 | 60.190.114.101 |
| 127.0.0.1 | 60.190.218.34 |
| 127.0.0.0 | qq-xing.com.cn |
| 127.0.0.1 | 60.191.124.252 |
| 127.0.0.1 | 61.145.117.212 |
| 127.0.0.1 | 61.157.109.222 |
| 127.0.0.1 | 75.126.3.216 |
| 127.0.0.1 | 75.126.3.217 |
| 127.0.0.1 | 75.126.3.218 |
| 127.0.0.0 | 59.125.231.177:17777 |
| 127.0.0.1 | 75.126.3.220 |
| 127.0.0.1 | 75.126.3.221 |
| 127.0.0.1 | 75.126.3.222 |
| 127.0.0.1 | 772630.com |
| 127.0.0.1 | 832823.cn |
| 127.0.0.1 | 8749.com |
| 127.0.0.1 | 888.jopenqc.com |
| 127.0.0.1 | 89382.cn |
| 127.0.0.1 | 8v8.biz |
| 127.0.0.1 | 97725.com |
| 127.0.0.1 | 9gg.biz |
| 127.0.0.1 | www.9000music.com |
| 127.0.0.1 | test.591jx.com |
| 127.0.0.1 | a.topxxxx.cn |
| 127.0.0.1 | picon.chinaren.com |
| 127.0.0.1 | www.5566.net |
| 127.0.0.1 | p.qqkx.com |
| 127.0.0.1 | news.netandtv.com |
| 127.0.0.1 | z.neter888.cn |
| 127.0.0.1 | b.myblank.cn |
| 127.0.0.1 | wvw.wokutu.com |
| 127.0.0.1 | unionch.qyule.com |
| 127.0.0.1 | www.qyule.com |
| 127.0.0.1 | it.itjc.cn |
| 127.0.0.1 | www.linkwww.com |
| 127.0.0.1 | vod.kaicn.com |
| 127.0.0.1 | www.tx8688.com |
| 127.0.0.1 | b.neter888.cn |
| 127.0.0.1 | promote.huanqiu.com |
| 127.0.0.1 | www.huanqiu.com |
| 127.0.0.1 | www.haokanla.com |
| 127.0.0.1 | play.unionsky.cn |
| 127.0.0.1 | www.52v.com |
| 127.0.0.1 | www.gghka.cn |
| 127.0.0.1 | icon.ajiang.net |
| 127.0.0.1 | new.ete.cn |
| 127.0.0.1 | www.stiae.cn |
| 127.0.0.1 | o.neter888.cn |
| 127.0.0.1 | comm.jinti.com |
| 127.0.0.1 | www.google-analytics.com |
| 127.0.0.1 | hz.mmstat.com |
| 127.0.0.1 | www.game175.cn |
| 127.0.0.1 | x.neter888.cn |
| 127.0.0.1 | z.neter888.cn |
| 127.0.0.1 | p.etimes888.com |
| 127.0.0.1 | hx.etimes888.com |
| 127.0.0.1 | abc.qqkx.com |
| 127.0.0.1 | dm.popdm.cn |
| 127.0.0.1 | www.yl9999.com |
| 127.0.0.1 | www.dajiadoushe.cn |
| 127.0.0.1 | v.onondown.com.cn |
| 127.0.0.1 | www.interoo.net |
| 127.0.0.1 | bally1.bally-bally.net |
| 127.0.0.1 | www.bao5605509.cn |
| 127.0.0.1 | www.rty456.cn |
| 127.0.0.1 | www.werqwer.cn |
| 127.0.0.1 | 1.360-1.cn |
| 127.0.0.1 | user1.23-16.net |
| 127.0.0.1 | www.guccia.net |
| 127.0.0.1 | www.interoo.net |
| 127.0.0.1 | upa.netsool.net |
| 127.0.0.1 | js.users.51.la |
| 127.0.0.1 | vip2.51.la |
| 127.0.0.1 | web.51.la |
| 127.0.0.1 | qq.gong2008.com |
| 127.0.0.1 | 2008tl.copyip.com |
| 127.0.0.1 | tla.laozihuolaile.cn |
| 127.0.0.1 | www.tx6868.cn |
| 127.0.0.1 | p001.tiloaiai.com |
| 127.0.0.1 | s1.tl8tl.com |
| 127.0.0.1 | s1.gong2008.com |
| 127.0.0.1 | 4b3ce56f9g.3f6e2cc5f0b.com |
Rootkit activity
The Backdoor installs the following kernel-mode hooks:
ZwQuerySystemInformation
The Backdoor substitutes IRP handlers in a file system driver (FastFAT) to control operations with files:
MJ_CREATE
The Backdoor substitutes IRP handlers in a file system driver (NTFS) to control operations with files:
MJ_CREATE
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Backdoor's file once a user opens a drive's folder in Windows Explorer.
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
taskkill.exe:3116
taskkill.exe:3764
taskkill.exe:3616
sc.exe:136
rundll32.exe:1172 - Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%System%\drivers\acpiec.sys (12672 bytes)
%WinDir%\Driver Cache\i386 (4096 bytes)
%System%\wbem\Repository\FS\OBJECTS.MAP (12288 bytes)
D:\1.exe (1106757 bytes)
%WinDir%\repair (4096 bytes)
%System%\func.dll (36353 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (4096 bytes)
C:\autorun.inf (21 bytes)
%System%\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} (4096 bytes)
%WinDir%\LastGood\system32 (4096 bytes)
%System%\drivers\etc\hosts (5743 bytes)
%System%\drivers\pcidump.sys (11905 bytes)
%System%\dllcache (4096 bytes)
%WinDir%\inf (8192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%System%\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} (4096 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\test.pml (9359360 bytes)
%System%\config (4096 bytes)
%WinDir%\phpi.dll (45569 bytes)
D:\autorun.inf (21 bytes)
%System%\wbem\Repository\FS\MAPPING1.MAP (28672 bytes)
C:\1.exe (1106757 bytes) - Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
