Backdoor.Win32.PcClient_63ed7ac86f
Gen:Heur.MSIL.Krypt.2 (BitDefender), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.PWS.Siggen.45360 (DrWeb), Gen:Heur.MSIL.Krypt.2 (B) (Emsisoft), Trojan-Dropper.Small (Ikarus), Gen:Heur.MSIL.Krypt.2 (FSecure), Dropper.Msil.BZ (AVG), Backdoor.Win32.PcClient.FD (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 63ed7ac86f2a246abb94243fa864a2ab
SHA1: c5f02492436121b69ae22105da7437535e386890
SHA256: 5b194c98a1ba921658aace8b2e375eb7871563c952859514e143138bf3515aa7
SSDeep: 24576:iAvAkZIFFesoyXJ4dj3Ql8rIMM6QmOwvQGwKjuTrV7Ht3 4sP7s:R4qe83Ua4wvQGyD
Size: 1461829 bytes
File type: PE32
Platform: WIN32
Entropy: Not Packed
PEID:
Company: no certificate found
Created at: 2013-07-07 21:06:23
Analyzed on: WindowsXP SP3 32-bit
Summary:
Backdoor. Malware that enables a remote control of victim's machine.
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
58685.exe:1712
img_snapshot.exe:1088
%original file name%.exe:600
The Backdoor injects its code into the following process(es):
58685.exe:1128
rundll32.exe:1252
File activity
The process 58685.exe:1128 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\srvhosts1\srv.exe.exe (1038342 bytes)
%Documents and Settings%\%current user%\Application Data\r58Ies.tmp (18 bytes)
%System%\wbem\Logs\wbemprox.log (76 bytes)
%Documents and Settings%\%current user%\Óûðòýþõ üõýю\ßрþóрðüüы\ÃÂòтþ÷ðóру÷úð\srv.exe.exe (519171 bytes)
%Documents and Settings%\%current user%\Application Data\test.txt (64 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Application Data\srvhosts1\srv.exe.exe (0 bytes)
%Documents and Settings%\%current user%\Application Data\srvhosts1 (0 bytes)
The process 58685.exe:1712 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\58685\58685.exe (519171 bytes)
The process img_snapshot.exe:1088 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\58685.exe (781315 bytes)
The process %original file name%.exe:600 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\GDIPFONTCACHEV1.DAT (18432 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\img_snapshot.exe (1263104 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uyrfg.png (143594 bytes)
Registry activity
The process 58685.exe:1128 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 C5 F7 D2 FB 45 42 3F 61 21 8F 89 07 8D 2D B1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Óûðòýþõ üõýю\ßрþóрðüüы\ÃÂòтþ÷ðóру÷úð"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Environment]
"SEE_MASK_NOZONECHECKS" = "1"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"srvhosts" = "%Documents and Settings%\%current user%\Application Data\srvhosts1\srv.exe.exe"
The process 58685.exe:1712 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "61 32 64 7B 88 C6 1E 85 00 9F 87 69 4F B3 5A 6A"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Óûðòýþõ üõýю\ßрþóрðüüы\ÃÂòтþ÷ðóру÷úð"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
"Desktop" = "%Documents and Settings%\%current user%\àðñþчøù ÑÂтþû"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data\58685]
"58685.exe" = "Windows Sidebar"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\àðñþчøù ÑÂтþû"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Ãâ€Ã¾ÃºÑƒÃ¼ÃµÃ½Ñ‚Ñ‹"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\Ãœþø ôþúуüõýты"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"
The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
The process img_snapshot.exe:1088 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "29 BE 64 38 06 8A B8 AD 26 AA 6C 10 8A 89 6E 55"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"58685.exe" = "Windows Sidebar"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"
The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The process %original file name%.exe:600 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "48 86 FC C2 0A 4B E3 94 84 A3 37 AC EF 72 48 9C"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"img_snapshot.exe" = "Windows Sidebar"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Ãâ€Ã¾ÃºÑƒÃ¼ÃµÃ½Ñ‚Ñ‹"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"shimgvw.dll" = "ßрþóрðüüð ÿрþÑÂüþтрð ø÷þñрðöõýøù ø фðúÑÂþò"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\àðñþчøù ÑÂтþû"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\àðñþчøù ÑÂтþû"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\Ãœþø ôþúуüõýты"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"
The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process rundll32.exe:1252 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5F 6C 1E 7E AB E1 A1 80 14 31 05 51 A9 61 83 2C"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"
Dropped PE files
| MD5 | File path |
|---|---|
| b214054a3814d5522e6e043aa99fe947 | c:\Documents and Settings\test\Application Data\58685\58685.exe |
| b214054a3814d5522e6e043aa99fe947 | c:\Documents and Settings\test\Application Data\srvhosts1\srv.exe.exe |
| b214054a3814d5522e6e043aa99fe947 | c:\Documents and Settings\test\Local Settings\Temp\58685.exe |
| 1961563261f3d2941c3f042435152adf | c:\Documents and Settings\test\Local Settings\Temp\img_snapshot.exe |
| b214054a3814d5522e6e043aa99fe947 | c:\Documents and Settings\test\Ãëà âÃîå ìåÃþ\Ãðîãðà ììû\Àâòîçà ãðóçêà \srv.exe.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 8192 | 11156 | 11264 | 3.94803 | d22c0ec9df09f47ea0b5789ed0805030 |
| .sdata | 24576 | 133 | 512 | 1.33153 | efdf98cbec93a19bfa17303b5d8e62cd |
| .rsrc | 32768 | 271846 | 271872 | 3.83993 | 72ef9b0f7e9cba1e321d24ed36e1a92d |
| .reloc | 311296 | 12 | 512 | 0.056519 | 1b764c005bb6e335331f2c452e8258c4 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
58685.exe:1712
img_snapshot.exe:1088
%original file name%.exe:600 - Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%Documents and Settings%\%current user%\Application Data\srvhosts1\srv.exe.exe (1038342 bytes)
%Documents and Settings%\%current user%\Application Data\r58Ies.tmp (18 bytes)
%System%\wbem\Logs\wbemprox.log (76 bytes)
%Documents and Settings%\%current user%\Óûðòýþõ üõýю\ßрþóрðüüы\ÃÂòтþ÷ðóру÷úð\srv.exe.exe (519171 bytes)
%Documents and Settings%\%current user%\Application Data\test.txt (64 bytes)
%Documents and Settings%\%current user%\Application Data\58685\58685.exe (519171 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\58685.exe (781315 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\GDIPFONTCACHEV1.DAT (18432 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\img_snapshot.exe (1263104 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uyrfg.png (143594 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"srvhosts" = "%Documents and Settings%\%current user%\Application Data\srvhosts1\srv.exe.exe" - Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
