Backdoor.Win32.PcClient_e86e44e6c7

by malwarelabrobot on January 13th, 2014 in Malware Descriptions.

Gen:Heur.JAPIK.6 (BitDefender), TrojanDropper:Win32/Sinmis.B (Microsoft), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Encpk.zqa (v) (VIPRE), Trojan.Packed.2351 (DrWeb), Gen:Heur.JAPIK.6 (B) (Emsisoft), Downloader-CMY.a (McAfee), Trojan-Downloader.Win32.Karagany (Ikarus), Downloader.Generic_r.LY (AVG), Win32:Zbot-NFK [Trj] (Avast), TROJ_IKYTOK.SMI (TrendMicro), Backdoor.Win32.PcClient.FD, Tdl4.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan-Downloader, Trojan, Backdoor, Packed


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary
Technical Details
Removal Recommendations

MD5: e86e44e6c774b5ef575adf5eff7dc7c7
SHA1: 679aa34413c4832a9b5379fb330cd263a3e9a62b
SHA256: d3ec31784027f1161307abf2ed6947732786b6f6ae976628d0baa749e2d293c1
SSDeep: 6144:EZA6jAH8m3ObJjP1yufjBqZ eaIbyhh2ehhQ4NG0oG:EbAc8mHyuq pIbyhhQGG0
Size: 342016 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: no certificate found
Created at: 2011-06-13 16:49:44
Analyzed on: WindowsXP SP3 32-bit


Summary:

Backdoor. Malware that enables a remote control of victim's machine.

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

3f475710.exe:768
%original file name%.exe:336
rundll32.exe:1576
1509445b.exe:1260

The Backdoor injects its code into the following process(es):

spoolsv.exe:1424
rundll32.exe:1700

File activity

The process 3f475710.exe:768 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (673 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\2.tmp (0 bytes)

The process %original file name%.exe:336 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\d8e7b49f.exe (1436 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1c0386cf.exe (1673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3f475710.exe (16124 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1509445b.exe (8671 bytes)

The process spoolsv.exe:1424 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%WinDir%\Temp\3.tmp (39 bytes)

The Backdoor deletes the following file(s):

%WinDir%\Temp\3.tmp (0 bytes)
%System%\drivers\etc\hosts (0 bytes)

The process 1509445b.exe:1260 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%WinDir%\sqrpcs.dll (118 bytes)

Registry activity

The process 3f475710.exe:768 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B1 90 4C 41 D4 7E 94 4E 54 29 7D 2E 2E F4 D1 58"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\4.tmp,"

The process spoolsv.exe:1424 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Services\27989140]
"imagepath" = "\??\%WinDir%\TEMP\3.tmp"

[HKLM\System\CurrentControlSet\Control\Print\Providers\367567872]
"Name" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\2.tmp"

[HKLM\System\CurrentControlSet\Control\Print\Providers]
"Order" = "LanMan Print Services, Internet Print Provider, 367567872"

[HKLM\System\CurrentControlSet\Services\27989140]
"type" = "1"

The Backdoor deletes the following registry key(s):

[HKLM\System\CurrentControlSet\Services\27989140]
[HKLM\System\CurrentControlSet\Services\27989140\Enum]
[HKLM\System\CurrentControlSet\Control\Print\Providers\367567872]

The process rundll32.exe:1700 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "60 2D E3 7C 59 57 5C 0A 8B DF ED 9F 67 48 B6 39"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Wtube]
"Eqegaqojoqoka" = "186"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Ihoragiqinicim" = "rundll32.exe %WinDir%\sqrpcs.dll,Startup"

The process rundll32.exe:1576 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A 0C 87 FF CF 25 8F 7A A0 37 43 0A 2E 2A 06 4D"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Wtube]
"Bveqayeweci" = "43 01 38 03 58 05 51 07 41 09 44 0B 48 0D 41 0F"

The process 1509445b.exe:1260 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 65 C7 47 18 7F 85 22 7F EE 77 BD 8D 53 B3 24"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Wtube]
"Bveqayeweci" = "43 01 38 03 58 05 51 07 41 09 44 0B 48 0D 41 0F"
"Ydapup" = "45 01 36 03 3C 05 37 07 3E 09 39 0B 4E 0D 3B 0F"

Network activity (URLs)

URL IP
081207de011e.linkbuzz.net Unresolvable


HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "UNKNOWN" the Backdoor controls loading executable images into a memory by installing the Load image notifier.

The Backdoor intercepts DriverStartIO in a miniport driver of a hard drive controller (ATAPI) to handle request to its own files:

StartIo

Propagation


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    3f475710.exe:768
    %original file name%.exe:336
    rundll32.exe:1576
    1509445b.exe:1260

  3. Delete the original Backdoor file.
  4. Delete or disinfect the following files created/modified by the Backdoor:

    %Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\d8e7b49f.exe (1436 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1c0386cf.exe (1673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3f475710.exe (16124 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1509445b.exe (8671 bytes)
    %WinDir%\Temp\3.tmp (39 bytes)
    %WinDir%\sqrpcs.dll (118 bytes)

  5. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Ihoragiqinicim" = "rundll32.exe %WinDir%\sqrpcs.dll,Startup"

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now