Backdoor:Win32/PcClient


First posted on 15 February 2019.
Source: Microsoft

Aliases:

Backdoor:Win32/PcClient is also known as Backdoor.Win32.PcClient.kf, Backdoor.PcClient.PA, Trojan horse BackDoor.PcClient.2.AB, Backdoor.Pcclient.ADO, BackDoor-CKB, Trojan-Downloader.Agent.AHB, Backdoor.Formador, BKDR_PCCLIENT.VK.

Explanation:

Backdoor:Win32/PcClient is a backdoor trojan family with several components, including a key logger, a backdoor, and a rootkit.

Installation

Upon execution, Backdoor:Win32/PcClient usually drops two components in the system, for example:

<system folder>\Yelgcgmh.d1l - the backdoor component
<system folder>\Yelgcgmh.dll - the keylogger component
<system folder>\drivers\Yelgcgmh.sys - rootkit/system driver component; this file may be added as a service and is capable of hiding processes, files, registry entries and network traffic

Note that of the first two dropped files, one has the extension "D1L" (with the digit one) while the second has the extension "DLL".

Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; for XP and Vista it is C:\Windows\System32.

To add its dropped SYS file as a service, it may create the corresponding registry entries:

Adds value: "Type"
With data: "1"
Adds value: "Start"
With data: "3"
Adds value: "ErrorControl"
With data: "1"
Adds value: "ImagePath"
With data: "<system folder>\drivers\Yelgcgmh.sys"
Adds value: "DisplayName"
With data: "Yelgcgmh"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\Yelgcgmh

Its backdoor component is usually injected into the 'svchost.exe' process, and is capable of updating itself and of accepting and executing commands from a remote attacker. It modifies an existing registry entry so that it runs automatically when Windows starts:

Modifies value: "ServiceDll"
From data: "dmserver.dll"
To data: "Yelgcgmh.d1l"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\dmserver\Parameters

Payload

Contains Backdoor Functionalities

Backdoor:Win32/PcClient may connect to a remote Web site using a specific port, for example 'neverstop.3322.org:8080'. It may then receive and execute commands from a remote attacker.

Logs Keystrokes

Backdoor:Win32/PcClient logs keystrokes and saves its gathered data to a log file usually located in the Windows system folder, for example 'log.txt'.

Analysis by Francis Allan Tan Seng
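The two registry changes described above (a kernel driver service registered under Services\Yelgcgmh, and the dmserver ServiceDll swapped from dmserver.dll to a look-alike ".d1l" file) are both visible in an offline registry export, which makes them a reasonable target for a triage check. The script below is an added example, not code from Microsoft's write-up or from the malwarePDF page. It parses the text produced by `reg export HKLM\SYSTEM\CurrentControlSet\Services` and flags three things the write-up describes: a svchost-hosted service whose ServiceDll no longer matches the expected DLL, a ServiceDll ending in ".d1l" instead of ".dll", and a kernel driver service whose binary shares its name stem with a hijacked ServiceDll. The sample export is constructed; the `EXPECTED_SERVICE_DLL` baseline is an assumption that a defender would populate from a known-good host of the same Windows version (the dmserver entry comes from the write-up, the Dnscache entry is included only as a benign control).

```python
import re
from typing import Dict, List

# Constructed sample resembling `reg export` output on an infected host,
# trimmed to the keys the write-up describes plus one benign control key.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmserver\Parameters]
"ServiceDll"="C:\\Windows\\System32\\Yelgcgmh.d1l"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Yelgcgmh]
"Type"=dword:00000001
"Start"=dword:00000003
"ErrorControl"=dword:00000001
"ImagePath"="C:\\Windows\\System32\\drivers\\Yelgcgmh.sys"
"DisplayName"="Yelgcgmh"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\dnsrslvr.dll"
"""

# Assumed baseline: service name -> expected ServiceDll file name.
# Populate this from a known-good host; only dmserver is taken from the write-up.
EXPECTED_SERVICE_DLL = {"dmserver": "dmserver.dll", "dnscache": "dnsrslvr.dll"}
SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=(.*)$')


def decode_value(raw: str):
    """Decode the two .reg value encodings used here: quoted strings and dword."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\")  # .reg doubles backslashes
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    return raw


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Return {key path: {value name: decoded value}} for a .reg export."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = decode_value(m.group(2))
    return keys


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerating %SystemRoot% prefixes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_indicators(keys: Dict[str, Dict[str, object]]) -> List[str]:
    findings: List[str] = []
    hijacked_stems = set()
    driver_images: Dict[str, str] = {}
    for path, values in keys.items():
        if not path.upper().startswith(SERVICES_PREFIX.upper()):
            continue
        parts = path[len(SERVICES_PREFIX):].split("\\")
        service = parts[0]
        # 1. svchost-hosted service whose ServiceDll was redirected
        if len(parts) == 2 and parts[1].lower() == "parameters" and "ServiceDll" in values:
            dll = basename(str(values["ServiceDll"]))
            expected = EXPECTED_SERVICE_DLL.get(service.lower())
            if expected and dll != expected:
                findings.append(f"{service}: ServiceDll is {dll}, expected {expected}")
                hijacked_stems.add(dll.rsplit(".", 1)[0])
            # 2. ".d1l" (digit one) masquerading as ".dll"
            if dll.endswith(".d1l"):
                findings.append(f"{service}: ServiceDll uses look-alike extension .d1l: {dll}")
        # Remember kernel driver services (Type 1) for the correlation below
        elif len(parts) == 1 and values.get("Type") == 1 and "ImagePath" in values:
            driver_images[service] = basename(str(values["ImagePath"]))
    # 3. driver whose file name stem matches a hijacked ServiceDll (the dropped
    #    components in the write-up share one stem, e.g. Yelgcgmh.d1l / Yelgcgmh.sys)
    for service, image in driver_images.items():
        if image.rsplit(".", 1)[0] in hijacked_stems:
            findings.append(f"{service}: kernel driver {image} shares its name stem with a hijacked ServiceDll")
    return findings


if __name__ == "__main__":
    for finding in find_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(finding)
```

On a live host the same checks can be run against the output of `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg` (or against the SYSTEM hive from a forensic image after conversion), and the baseline should be widened to every svchost-hosted service the build ships, since the write-up's dmserver hijack is only one instance of the ServiceDll technique.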

Last update 15 February 2019
