
Backdoor:Win32/PcClient.ZR


First posted on 02 March 2019.
Source: Microsoft

Aliases:

Backdoor:Win32/PcClient.ZR is also known as Win32/Farfli.AK trojan, BackDoor.Bull.130, Backdoor.Torr!L1dYZ/5Uy+Y, Backdoor.Win32.Drwolf.hnu, Backdoor.Win32.Torr.fkf, Mal_Vundo-4, W32/Redosdru.D.gen!Eldorado, Win-Trojan/Securisk.

Explanation:

Backdoor:Win32/PcClient.ZR is a component of the Backdoor:Win32/PcClient family. It is loaded by other Backdoor:Win32/PcClient components and may give an attacker backdoor access to, and control of, the affected computer.

This malware may also download and execute additional components onto your computer.

Installation

Backdoor:Win32/PcClient.ZR is a component DLL (dynamic link library) file that is dropped by a separate Backdoor:Win32/PcClient malware package into the Windows System folder. In the wild we have seen the DLL file with the following file names:

17971656.dll
6to432.dll

Note: the Windows System folder is a variable location that the malware determines by querying the operating system. The default location for Windows 2000 and NT is "C:\Winnt\System32"; for XP, Vista, and 7 it is "C:\Windows\System32".

Backdoor:Win32/PcClient.ZR registers itself as a service on your computer by modifying the registry as follows:

In subkey: the Parameters subkey of the service it creates under HKLM\System\CurrentControlSet\Services (for example, "HKLM\System\CurrentControlSet\Services\17971656\Parameters")
Sets value: "ServiceDll"
With data: the dropped DLL (for example, "17971656.dll")

A ServiceDll value is the mechanism by which svchost.exe-hosted services name the DLL that implements them, so the malware code runs inside a svchost.exe process rather than as a separate executable of its own.

Payload

Allows backdoor access and control

Backdoor:Win32/PcClient.ZR may attempt to connect to the host "fghziyi.3322.org" on port 1229 or on the default HTTP port, 80, to download arbitrary files or receive commands. 3322.org is a dynamic DNS service, so the address behind the name can change; block or alert on the host name rather than on whichever IP address it resolves to at the time of analysis.
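The command-and-control behaviour described above can be hunted for in network logs. The following script is an added example and is not code from the Microsoft write-up or from the malware itself; it assumes Zeek dns.log and conn.log records in JSON format, and the sample records below (hosts 10.0.0.x, the resolver 10.0.0.2 and the documentation-range addresses 203.0.113.10 and 198.51.100.x) are constructed for this example. Because port 80 traffic cannot be flagged by port alone, the script pivots from the DNS answers for the C2 name to the connections made to those addresses, so port-80 connections are reported only when the destination was resolved from fghziyi.3322.org, while bare connections to port 1229 are reported as low-confidence leads.

```python
import ipaddress
import json
from typing import Iterable, List, Set

C2_DOMAIN = "fghziyi.3322.org"   # host name from the write-up
C2_PORT = 1229                   # non-standard port from the write-up; port 80 is handled by the DNS pivot


def load_jsonl(text: str) -> List[dict]:
    """Parse Zeek JSON-format log text (one record per line)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def matches_domain(qname: str, domain: str) -> bool:
    """True for the domain itself or any subdomain; case-insensitive, trailing dot tolerated."""
    q = qname.rstrip(".").lower()
    return q == domain or q.endswith("." + domain)


def is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def c2_ips_from_dns(dns_records: Iterable[dict], domain: str = C2_DOMAIN) -> Set[str]:
    """Addresses the C2 name resolved to in dns.log; CNAME answers are skipped."""
    ips: Set[str] = set()
    for rec in dns_records:
        if matches_domain(rec.get("query", ""), domain):
            ips.update(a for a in rec.get("answers", []) if is_ip(a))
    return ips


def hunt_c2(dns_records: List[dict], conn_records: List[dict]) -> List[dict]:
    """Return one lead per matching record, tagged with a confidence level."""
    leads = []
    for rec in dns_records:
        if matches_domain(rec.get("query", ""), C2_DOMAIN):
            leads.append({"uid": rec["uid"], "host": rec["id.orig_h"], "confidence": "high",
                          "reason": f"DNS query for {rec['query']}"})
    c2_ips = c2_ips_from_dns(dns_records)
    for rec in conn_records:
        dst, port = rec["id.resp_h"], rec["id.resp_p"]
        if dst in c2_ips:
            # Any port counts here, which catches the port-80 channel without flagging all web traffic.
            leads.append({"uid": rec["uid"], "host": rec["id.orig_h"], "confidence": "high",
                          "reason": f"connection to resolved C2 address {dst}:{port}"})
        elif port == C2_PORT and rec.get("proto") == "tcp":
            leads.append({"uid": rec["uid"], "host": rec["id.orig_h"], "confidence": "low",
                          "reason": f"TCP to port {C2_PORT} at {dst} (port-only match, verify the destination)"})
    return leads


# Constructed sample records (not real traffic): one workstation resolves the C2 name and then
# talks to the returned address on both ports; another host happens to use port 1229 elsewhere.
SAMPLE_DNS_LOG = """
{"ts":1551500000.1,"uid":"C1","id.orig_h":"10.0.0.5","id.orig_p":53211,"id.resp_h":"10.0.0.2","id.resp_p":53,"proto":"udp","query":"fghziyi.3322.org","qtype_name":"A","answers":["203.0.113.10"]}
{"ts":1551500001.2,"uid":"C2","id.orig_h":"10.0.0.7","id.orig_p":50001,"id.resp_h":"10.0.0.2","id.resp_p":53,"proto":"udp","query":"www.example.com","qtype_name":"A","answers":["198.51.100.20"]}
"""

SAMPLE_CONN_LOG = """
{"ts":1551500002.0,"uid":"C3","id.orig_h":"10.0.0.5","id.orig_p":49731,"id.resp_h":"203.0.113.10","id.resp_p":1229,"proto":"tcp","conn_state":"SF"}
{"ts":1551500003.0,"uid":"C4","id.orig_h":"10.0.0.5","id.orig_p":49732,"id.resp_h":"203.0.113.10","id.resp_p":80,"proto":"tcp","service":"http","conn_state":"SF"}
{"ts":1551500004.0,"uid":"C5","id.orig_h":"10.0.0.7","id.orig_p":49800,"id.resp_h":"198.51.100.20","id.resp_p":80,"proto":"tcp","service":"http","conn_state":"SF"}
{"ts":1551500005.0,"uid":"C6","id.orig_h":"10.0.0.9","id.orig_p":49900,"id.resp_h":"198.51.100.77","id.resp_p":1229,"proto":"tcp","conn_state":"S0"}
"""


def run_sample() -> List[dict]:
    return hunt_c2(load_jsonl(SAMPLE_DNS_LOG), load_jsonl(SAMPLE_CONN_LOG))


if __name__ == "__main__":
    for lead in run_sample():
        print(f"{lead['confidence']:<5} {lead['uid']:<4} {lead['host']:<10} {lead['reason']}")
```

On real data, feed `load_jsonl` the contents of dns.log and conn.log written by Zeek with JSON output enabled; the C5 record shows that ordinary port-80 traffic is left alone, and C6 shows why a port-only rule is only a lead.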

Logs keystrokes

Backdoor:Win32/PcClient.ZR collects information about your computer and starts a keylogging routine to monitor and collect information about the following:

System activity, such as keystrokes
Window titles
User names
Passwords

It saves this information to the file "syslog.dat".

Additional information

Backdoor:Win32/PcClient.ZR also performs the following registry modification:

In subkey: the service key it creates under HKLM\System\CurrentControlSet\Services (for example, "HKLM\System\CurrentControlSet\Services\17971656")
Sets value: "rcx"
Sets value: "reg"
With data: ""

This modification may be used as an infection marker, which could indicate the presence of this malware on your computer.
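Both registry changes in this write-up (the ServiceDll under the service's Parameters key, and the "rcx"/"reg" values under the service key itself) can be hunted for offline in a regedit export of HKLM\SYSTEM\CurrentControlSet\Services, for example one taken with `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg` on a suspect host. The following script is an added example and is not code from the Microsoft write-up or from the malware; it parses a small .reg export constructed here (the Dnscache entry, the service name Svc6to432, the display name and the REG_EXPAND_SZ encoding helper are all assumptions made for the sample, and the marker values carry empty data because the write-up records none) and reports services whose ServiceDll names one of the DLL file names seen in the wild or that carry the rcx/reg marker values.

```python
import re
from typing import Dict, List

# Indicators taken from the write-up.
KNOWN_DLLS = {"17971656.dll", "6to432.dll"}
MARKER_VALUES = {"rcx", "reg"}
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"


def _decode_value(data: str) -> str:
    """Decode one .reg value: REG_SZ ("...") or REG_EXPAND_SZ (hex(2): UTF-16LE bytes).
    Anything else (dword:, hex:, ...) is returned as its raw text."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    m = re.match(r"hex\(2\):(.*)$", data)
    if m:
        raw = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
        return raw.decode("utf-16-le").rstrip("\x00")
    return data


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse regedit export text into {key path: {value name: decoded data}}.
    Hex data that regedit wraps with a trailing backslash is joined back first."""
    text = re.sub(r"\\\r?\n\s*", "", text)
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            name = "(Default)" if name == "@" else name.strip('"')
            keys[current][name] = _decode_value(data)
    return keys


def hunt_pcclient_services(reg: Dict[str, Dict[str, str]]) -> List[dict]:
    """One lead per hit: a known ServiceDll file name, or the rcx/reg marker values."""
    leads = []
    prefix = SERVICES_KEY.lower() + "\\"
    for key, values in reg.items():
        if not key.lower().startswith(prefix):
            continue
        parts = key[len(prefix):].split("\\")
        service = parts[0]
        lowered = {n.lower(): d for n, d in values.items()}  # value names are case-insensitive
        if len(parts) == 1:
            markers = sorted(MARKER_VALUES & set(lowered))
            if markers:
                leads.append({"service": service, "reason": "infection marker", "detail": ",".join(markers)})
        elif len(parts) == 2 and parts[1].lower() == "parameters" and "servicedll" in lowered:
            dll = lowered["servicedll"]
            leaf = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()  # compare the file name, not the path
            if leaf in KNOWN_DLLS:
                leads.append({"service": service, "reason": "known ServiceDll name", "detail": dll})
    return leads


def _reg_expand_sz(s: str) -> str:
    """Encode s the way regedit exports a REG_EXPAND_SZ (used only to build the sample below)."""
    parts = [f"{b:02x}" for b in (s + "\0").encode("utf-16-le")]
    lines = [",".join(parts[i:i + 25]) for i in range(0, len(parts), 25)]
    return "hex(2):" + ",\\\n  ".join(lines)


# Constructed sample export: one legitimate svchost service, the service from the write-up
# with its marker values, and a second constructed service pointing at the other DLL name.
SAMPLE_REG_EXPORT = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    "[" + SERVICES_KEY + "\\Dnscache]",
    '"DisplayName"="DNS Client"',
    '"Start"=dword:00000002',
    "",
    "[" + SERVICES_KEY + "\\Dnscache\\Parameters]",
    '"ServiceDll"=' + _reg_expand_sz("%SystemRoot%\\System32\\dnsrslvr.dll"),
    "",
    "[" + SERVICES_KEY + "\\17971656]",
    '"DisplayName"="17971656"',
    '"rcx"=""',
    '"reg"=""',
    "",
    "[" + SERVICES_KEY + "\\17971656\\Parameters]",
    '"ServiceDll"=' + _reg_expand_sz("C:\\Windows\\System32\\17971656.dll"),
    "",
    "[" + SERVICES_KEY + "\\Svc6to432\\Parameters]",
    '"ServiceDll"="C:\\\\Windows\\\\System32\\\\6to432.dll"',
    "",
])


def run_sample() -> List[dict]:
    return hunt_pcclient_services(parse_reg_export(SAMPLE_REG_EXPORT))


if __name__ == "__main__":
    for lead in run_sample():
        print(f"{lead['service']:<12} {lead['reason']:<24} {lead['detail']}")
```

A file written by `reg export` is UTF-16LE with a byte-order mark, so read it with `open(path, encoding="utf-16")` before passing the text to `parse_reg_export`. Matching on the DLL file name rather than the service name matters because the service name is whatever the dropper chose, while the file names are what the write-up actually records.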

Analysis by Jireh Sanico

Last update 02 March 2019
