Backdoor.Win32.PcClient_de1842bfc3

by malwarelabrobot on August 9th, 2013 in Malware Descriptions.

Trojan-Dropper.Win32.TDSS.axri (Kaspersky), Trojan.Win32.Generic.pak!cobra (VIPRE), Trojan-Dropper.Win32.Strigy!IK (Emsisoft), Backdoor.Win32.PcClient.FD (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Backdoor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary
Technical Details
Removal Recommendations

MD5: de1842bfc3476969600dd1dd3d8aaf16
SHA1: 184c09e4c8c0748b097249b87aebb79f727cccf2
SHA256: fe57ac1afec018a40a32674ff1e6aec3734ff6489b07b724da12c71ffa708472
SSDeep: 3072:U4NvTuAoR7UhG2ccA0na9E66uzUXd7sQfcQQ:U44oXcc3a9EQ0FsQ0Q
Size: 157813 bytes
File type: PE32
Platform: WIN32
Entropy: Packed
PEID:
Company: no certificate found
Created at: 2011-03-29 04:29:18


Summary:

Backdoor. Malware that enables remote control of the victim's machine.

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

de1842bfc3476969600dd1dd3d8aaf16.exe:1168
spoolsv.exe:664

The Backdoor injects its code into the following process(es):

rundll32.exe:1816

File activity

The process de1842bfc3476969600dd1dd3d8aaf16.exe:1168 makes changes to the file system.
The Backdoor creates and/or writes to the following file(s):

C:\a.jpg (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\print32.dll (104 bytes)
%System%\spoolss.dll (540 bytes)
%Program Files%\Common Files\odbc.nls (194855 bytes)

Note that spoolss.dll is also the file name of a legitimate Windows print-spooler DLL in %System%, and spoolsv.exe:664 is among the processes the sample starts. Verify the hash and signature of the copy on disk against a known-good one rather than trusting the name; the sample itself carries no certificate.

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\print32.dll (0 bytes)
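As an added example (not Lavasoft's code and not generated by the analysis system), the Python below sweeps a host for the artifacts listed above: it resolves the report's placeholder paths, hashes whatever is present, checks sizes against the ones the sandbox recorded and compares hashes against the sample's MD5/SHA1/SHA256. The mapping of placeholders to environment variables is an assumption about the sandbox's naming, and the files built by `demo()` are constructed for the self-check, not the real sample.

```python
r"""
IOC sweep for the artifacts in this report (added example, not Lavasoft's code).
Assumptions: %Documents and Settings%\%current user% maps to USERPROFILE,
%System% to SystemRoot\System32, %WinDir% to SystemRoot and
%Program Files% to ProgramFiles.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Hashes of the dropper as listed in the report header.
SAMPLE_HASHES = {
    "md5": "de1842bfc3476969600dd1dd3d8aaf16",
    "sha1": "184c09e4c8c0748b097249b87aebb79f727cccf2",
    "sha256": "fe57ac1afec018a40a32674ff1e6aec3734ff6489b07b724da12c71ffa708472",
}

# Files the report says the dropper writes, with the sizes the sandbox recorded.
DROPPED_FILES = {
    r"C:\a.jpg": 601,
    r"%Documents and Settings%\%current user%\Local Settings\Temp\print32.dll": 104,
    r"%System%\spoolss.dll": 540,
    r"%Program Files%\Common Files\odbc.nls": 194855,
}


def expand_report_path(report_path: str, env: dict) -> str:
    """Turn a report placeholder path into a concrete one using the given environment."""
    # The user placeholder contains two %...% tokens, so it must be replaced first.
    replacements = [
        ("%Documents and Settings%\\%current user%", env["USERPROFILE"]),
        ("%System%", env["SystemRoot"] + "\\System32"),
        ("%WinDir%", env["SystemRoot"]),
        ("%Program Files%", env["ProgramFiles"]),
    ]
    for token, value in replacements:
        report_path = report_path.replace(token, value)
    return report_path


def hash_file(path: Path) -> dict:
    """MD5/SHA1/SHA256 of one file, read in chunks so large files are fine."""
    digests = {name: hashlib.new(name) for name in SAMPLE_HASHES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def classify(path, expected_size=None, known_hashes=SAMPLE_HASHES) -> dict:
    """Describe a path: present, size as the sandbox recorded it, and which known hashes match."""
    p = Path(path)
    if not p.is_file():
        return {"path": str(p), "present": False}
    digests = hash_file(p)
    size = p.stat().st_size
    return {
        "path": str(p),
        "present": True,
        "size": size,
        "size_matches_report": None if expected_size is None else size == expected_size,
        "sample_hash_match": sorted(a for a, v in known_hashes.items() if digests.get(a) == v),
        "sha256": digests["sha256"],
    }


def sweep(env=None) -> list:
    """Check every dropped-file path from the report on the current host."""
    if env is None:  # missing variables (e.g. on a non-Windows host) just yield absent paths
        env = {k: os.environ.get(k, "") for k in ("USERPROFILE", "SystemRoot", "ProgramFiles")}
    return [classify(expand_report_path(rp, env), size) for rp, size in DROPPED_FILES.items()]


def demo() -> dict:
    """Self-check on constructed files in a temp directory (not the real sample)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        fake_jpg = root / "a.jpg"
        fake_jpg.write_bytes(b"\xff\xd8" + b"\x00" * 599)  # 601 bytes, the size recorded for C:\a.jpg
        payload = b"constructed test payload"
        known = root / "known.bin"
        known.write_bytes(payload)
        known_hashes = {"sha256": hashlib.sha256(payload).hexdigest()}  # stand-in for a real IOC
        return {
            "size_only": classify(fake_jpg, expected_size=601),
            "hash_hit": classify(known, known_hashes=known_hashes),
            "absent": classify(root / "missing.dll"),
        }


if __name__ == "__main__":
    for result in sweep():
        print(result)
```

A size match on its own is weak evidence (any 540-byte file in %System% named spoolss.dll would match); a hash match against the listed digests identifies the dropper, while a present-but-unmatched spoolss.dll or odbc.nls is the case that deserves a manual look.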

Registry activity

The process de1842bfc3476969600dd1dd3d8aaf16.exe:1168 makes changes to the system registry. Most of the values below (MountPoints2, Shell Folders, MUICache) are ordinary Explorer housekeeping recorded while the sample ran; the one to note is PendingFileRenameOperations, which schedules %WinDir%\temp\s31307.dat for deletion at the next reboot (the trailing comma is an empty destination name).
The Backdoor creates and/or sets the following values in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%WinDir%\temp\s31307.dat,"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"shimgvw.dll" = "Windows Picture and Fax Viewer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
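As an added example (not part of the report), the Python below decodes a PendingFileRenameOperations value into the rename and delete actions the session manager will carry out at boot. Windows stores the value as a REG_MULTI_SZ of consecutive (source, destination) pairs: an empty destination means the source is deleted, and a destination beginning with "!" means an existing target is replaced, following the MoveFileEx MOVEFILE_DELAY_UNTIL_REBOOT convention; paths carry the NT namespace prefix `\??\`. The report renders the list comma-joined, so `decode_report_value` splits that rendering, while `read_live_value` reads the real value through `winreg` on a Windows host. The second list passed in the test is constructed, not taken from the sample.

```python
r"""
Decode PendingFileRenameOperations (added example, not Lavasoft's code).
The value is a REG_MULTI_SZ of (source, destination) pairs under
HKLM\System\CurrentControlSet\Control\Session Manager; an empty destination
deletes the source at boot, a '!' prefix on the destination replaces an
existing file, and paths carry the \??\ NT-namespace prefix.
"""
NT_PREFIX = "\\??\\"


def _strip_nt(path: str) -> str:
    """Drop the \??\ prefix so the result looks like a normal Win32 path."""
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_renames(entries: list) -> list:
    """Pair up a REG_MULTI_SZ list the way the session manager reads it."""
    items = list(entries)
    if len(items) % 2:  # malformed odd-length value: treat the dangling source as a delete
        items.append("")
    actions = []
    for src, dst in zip(items[0::2], items[1::2]):
        replace = dst.startswith("!")
        dst = dst[1:] if replace else dst
        actions.append({
            "action": "delete" if dst == "" else "rename",
            "source": _strip_nt(src),
            "destination": _strip_nt(dst) or None,
            "replace_existing": replace,
        })
    return actions


def decode_report_value(rendered: str) -> list:
    """The report prints the multi-string joined with commas, so a trailing comma
    is an empty destination, i.e. a delete."""
    return parse_pending_renames(rendered.split(","))


def flag(actions: list) -> list:
    """Actions worth a second look: anything touching a temp or System32 directory."""
    watch = ("\\temp\\", "\\system32\\")
    return [a for a in actions
            if any(w in (a["source"] + (a["destination"] or "")).lower() for w in watch)]


def read_live_value() -> list:
    """Read and decode the real value on a Windows host (empty list if not set)."""
    import winreg  # Windows-only module; imported here so the parser runs anywhere
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SYSTEM\CurrentControlSet\Control\Session Manager")
    try:
        value, _kind = winreg.QueryValueEx(key, "PendingFileRenameOperations")
    except FileNotFoundError:
        return []
    finally:
        winreg.CloseKey(key)
    return parse_pending_renames(value)


if __name__ == "__main__":
    # The value exactly as this report renders it.
    for action in decode_report_value(r"\??\%WinDir%\temp\s31307.dat,"):
        print(action)
```

Because the deletion only happens at reboot, an analyst who images the machine before restarting it can still recover s31307.dat from %WinDir%\temp; once the box is rebooted the file is gone without any further action by the sample.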

The process spoolsv.exe:664 makes changes to the system registry. The printer, port and event-log source entries below are what the print spooler writes when it initialises, consistent with the spooler service being started during the run; they are not in themselves persistence for the sample.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DF 98 26 5F 01 B6 8F EE D9 24 39 9B 20 95 4D F9"

[HKU\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices]
"Microsoft XPS Document Writer" = "winspool,Ne00:"

[HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts]
"Microsoft XPS Document Writer" = "winspool,Ne00:,15,45"

[HKU\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts]
"Microsoft XPS Document Writer" = "winspool,Ne00:,15,45"

[HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Device" = "Microsoft XPS Document Writer,winspool,Ne00:"

[HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices]
"Microsoft XPS Document Writer" = "winspool,Ne00:"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\TCPMon]
"TypesSupported" = "7"

[HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Device" = "Microsoft XPS Document Writer,winspool,Ne00:"

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Devices]
"Microsoft XPS Document Writer" = "winspool,Ne00:"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers]
"DefaultSpoolDirectory" = "%WinDir%\System32\spool\PRINTERS"

[HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Devices]
"Microsoft XPS Document Writer" = "winspool,Ne00:"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\Print]
"TypesSupported" = "7"

[HKU\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Device" = "Microsoft XPS Document Writer,winspool,Ne00:"

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts]
"Microsoft XPS Document Writer" = "winspool,Ne00:,15,45"

[HKLM\System\CurrentControlSet\Services\Eventlog\System\TCPMon]
"EventMessageFile" = "%SystemRoot%\System32\tcpmon.dll"

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Device" = "Microsoft XPS Document Writer,winspool,Ne00:"

[HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts]
"Microsoft XPS Document Writer" = "winspool,Ne00:,15,45"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports]
"Ne00:" = ""

[HKLM\System\CurrentControlSet\Control\Print]
"BeepEnabled" = "0"

The Backdoor deletes the following value(s) from the system registry:

[HKU\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices]
"Microsoft XPS Document Writer"

[HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Device"

[HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts]
"Microsoft XPS Document Writer"

[HKU\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts]
"Microsoft XPS Document Writer"

[HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Device"

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Device"

[HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices]
"Microsoft XPS Document Writer"

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Devices]
"Microsoft XPS Document Writer"

[HKU\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts]
"Microsoft XPS Document Writer"

[HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Devices]
"Microsoft XPS Document Writer"

[HKU\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Device"

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts]
"Microsoft XPS Document Writer"

The process rundll32.exe:1816 makes changes to the system registry.
The Backdoor creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 42 98 E1 41 07 28 0C 5F 96 AF 24 05 8E 99 22"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

Network activity (URLs)

No activity has been detected.

Rootkit activity

No anomalies have been detected.

Propagation


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    de1842bfc3476969600dd1dd3d8aaf16.exe:1168

  2. Delete the original Backdoor file.
  3. Delete or disinfect the following files created/modified by the Backdoor:

    C:\a.jpg (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\print32.dll (104 bytes)
    %System%\spoolss.dll (540 bytes)
    %Program Files%\Common Files\odbc.nls (194855 bytes)

  4. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
