Saturday, 25 February 2012

Backdoor:Win32/PcClient.Z


Encyclopedia entry
Updated: Jul 01, 2011  |  Published: Aug 30, 2007

Aliases
  • Backdoor.Win32.PcClient.zn (Kaspersky)
  • Backdoor.PcClient.BQO (VirusBuster)
  • BDS/Backdoor.Gen (Avira)
  • BackDoor.PcClient (Dr.Web)
  • Win32/PcClient.NAS (ESET)
  • BackDoor-CKB.gen.b (McAfee)
  • Mal/PCClient-R (Sophos)
  • Mal_PClnt-2 (Trend Micro)

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.121.359.0
Released: Feb 24, 2012
Detection initially created:
Definition: 1.45.287.0
Released: Oct 07, 2008
Summary

Backdoor:Win32/PcClient.Z is a backdoor trojan with several components including a keylogger, backdoor, and a rootkit. It is usually disguised as or packaged with legitimate applications.

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following files:
    • <system folder>\IESSDD.dll
    • <system folder>\drivers\IESSDD.sys
    • <system folder>\gdiplus.dll
  • The presence of the following registry modifications:
    In subkey: HKLM\SYSTEM\CurrentControlSet\Services
    Sets value: "Service name"
    With data: "IESSDD"
    Sets value: "Display name"
    With data: "IESSDD"
    Sets value: "Type"
    With data: "0x00000110"
    Sets value: "Start"
    With data: "Auto"
    Sets value: "ErrorControl"
    With data: "0x00000001"
    Sets value: "ImagePath"
    With data: "<system folder>\svchost.exe -k IESSDD"
    Sets value: "DisplayName"
    With data: "IEESSS"
    Sets value: "ObjectName"
    With data: "LocalSystem"
    Sets value: "Description"
    With data: "IESSDER"
    In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
    Sets value: "IESSDD"
    With data: "hex(7):49,45,53,53,44,44,00,00,"

Technical Information (Analysis)

Backdoor:Win32/PcClient.Z is a backdoor trojan with several components including a keylogger, backdoor, and a rootkit. It is usually disguised as or packaged with legitimate applications.
Installation
Backdoor:Win32/PcClient.Z is the DLL component of the Backdoor:Win32/PcClient malware package. It consists of the following:
  • Dropper and installation component
  • Rootkit component
  • Backdoor component
It is dropped as the hidden file:
  • <system folder>\IESSDD.dll
The rootkit component is dropped as the following:
  • <system folder>\drivers\IESSDD.sys
Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder is C:\Winnt\System32 for Windows 2000 and NT, and C:\Windows\System32 for XP, Vista, and 7.
Backdoor:Win32/PcClient.Z installs this file as a device driver to perform stealth behavior.
Backdoor:Win32/PcClient.Z is registered as a service by creating the following registry entries:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services
Sets value: "Service name"
With data: "IESSDD"
Sets value: "Display name"
With data: "IESSDD"
Sets value: "Type"
With data: "0x00000110"
Sets value: "Start"
With data: "Auto"
Sets value: "ErrorControl"
With data: "0x00000001"
Sets value: "ImagePath"
With data: "<system folder>\svchost.exe -k IESSDD"
Sets value: "DisplayName"
With data: "IEESSS"
Sets value: "ObjectName"
With data: "LocalSystem"
Sets value: "Description"
With data: "IESSDER"
It also creates the following registry entry as part of its installation process:
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
Sets value: "IESSDD"
With data: "hex(7):49,45,53,53,44,44,00,00,"
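The file, service and SvcHost indicators listed above (and the ports named under Payload) can be checked on a live host with the following read-only triage script. It is an added example, not part of the original encyclopedia entry or any Microsoft tool; it assumes PowerShell 3.0 or later, and the connection check assumes Get-NetTCPConnection is available (Windows 8 / Server 2012 or later) and is skipped otherwise.

```powershell
# Added example: read-only check for Backdoor:Win32/PcClient.Z host indicators.
# Reports findings only; it does not remediate. Because the IESSDD.sys driver
# is installed to hide the components, a clean result from a live system is
# not conclusive; an offline scan with current definitions remains necessary.
$findings = @()
$sys = [Environment]::SystemDirectory          # <system folder>, e.g. C:\Windows\System32

# 1. Dropped files named in the entry (IESSDD.dll is hidden, hence -Force)
foreach ($rel in 'IESSDD.dll', 'drivers\IESSDD.sys') {
    $p = Join-Path $sys $rel
    if (Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue) {
        $findings += "File present: $p"
    }
}
# gdiplus.dll is the infection marker but is also a legitimate Windows DLL,
# so its presence only corroborates other findings and is never reported alone.
$marker = Test-Path -LiteralPath (Join-Path $sys 'gdiplus.dll')

# 2. Service registration: HKLM\SYSTEM\CurrentControlSet\Services\IESSDD
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\IESSDD'
if (Test-Path -LiteralPath $svcKey) {
    $svc = Get-ItemProperty -LiteralPath $svcKey
    $findings += "Service key present: ImagePath='$($svc.ImagePath)' ObjectName='$($svc.ObjectName)'"
}

# 3. svchost.exe -k IESSDD service group under the SvcHost key (REG_MULTI_SZ)
$hostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
$grp = (Get-ItemProperty -LiteralPath $hostKey -ErrorAction SilentlyContinue).IESSDD
if ($grp) { $findings += "SvcHost group 'IESSDD' present: $($grp -join ',')" }

# 4. Established connections on the ports the entry names (8012, 8000, 3030)
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemotePort -in 8012, 8000, 3030 } |
        ForEach-Object {
            $findings += "Connection to $($_.RemoteAddress):$($_.RemotePort) from PID $($_.OwningProcess)"
        }
}

if ($findings) {
    Write-Output 'PcClient.Z indicators found:'
    $findings | ForEach-Object { Write-Output "  $_" }
    if ($marker) { Write-Output '  Infection marker gdiplus.dll present (corroborating only)' }
} else {
    Write-Output 'No PcClient.Z indicators found on this host.'
}
```

Run it in an elevated PowerShell session so the Services subkey and the hidden driver file are readable.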
Payload
Allows backdoor access and control
Backdoor:Win32/PcClient.Z may connect to the website "linkangli.3322.org" using a specific port. As part of its installation process, it connects to port 8012 to download a component file or commands to execute.
It then connects to port 8000 to send information about the affected computer and to receive commands from the remote attacker.
Once it is installed as a service, it connects to the remote attacker via port 3030.
Backdoor:Win32/PcClient.Z is capable of performing the following backdoor activities:
  • Control the user's computer, giving the remote attacker a view of the desktop and control of the mouse and keyboard
  • Send, receive, and remotely execute files
  • Escalate privileges for certain users
  • Restart or shut down the computer
  • Access files, folders, registry entries, and services
  • Collect system information
  • Download and upload files
  • Remotely execute files
All information gathered is saved in the Temporary Files folder with a random file name and sent to the remote attacker.
Logs keystrokes
Backdoor:Win32/PcClient.Z sets up a keylogging routine to monitor system activity, window titles, user names and passwords.
Additional information
Backdoor:Win32/PcClient.Z checks for the file <system folder>\gdiplus.dll as part of its infection marker.
Analysis by Zarestel Ferrer
