
Backdoor:Win32/PcClient.ZP


First posted on 04 May 2010.
Source: SecurityHome

Aliases:

Backdoor:Win32/PcClient.ZP is also known as Win-Trojan/PcClient.42008 (AhnLab), Backdoor.Win32.PcClient.ym (Kaspersky), Backdoor.Pcclient.NK (VirusBuster), Backdoor.Pcclient.ADO (BitDefender), BackDoor.PcClient (Dr.Web), Win32/PcClient.YM (ESET), BackDoor.PcClient (Ikarus), Troj/PcClien-UA (Sophos), Backdoor.Formador (Symantec).

Explanation:

Backdoor:Win32/PcClient.ZP is a trojan that connects to a remote Web site to allow backdoor access and control to the computer in which it is installed. When run, it drops other malware and hooks certain functions and APIs.

Payload

Allows backdoor access and control

Backdoor:Win32/PcClient.ZP may connect to the following Web sites to receive commands, including some that may allow a remote attacker access and control of the computer:

  • vbandy.3322.org
  • flysufei.3322.org

Drops other malware

When executed, Backdoor:Win32/PcClient.ZP drops the following files using random file names:

  • <system folder>\<random name 1>.dll - detected as Backdoor:Win32/PcClient.AC
  • <system folder>\<random name 2>.drv - detected as Backdoor:Win32/PcClient.BT.dll
  • <system folder>\drivers\<random name 3>.sys - detected as Backdoor:WinNT/PcClient.gen

Some sample file names it may use are:

  • <system folder>\jdqfpzfp.dll
  • <system folder>\jdqfpzfp.drv
  • <system folder>\drivers\jdqfpzfp.sys

Hooks certain functions and APIs

Backdoor:Win32/PcClient.ZP may hook the following functions and APIs to hide files and registry keys:

  • NtDeviceIoControlFile
  • NtEnumerateKey
  • NtOpenKey
  • NtQueryDirectoryFile
  • NtQuerySystemInformation
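The indicators above (two command-and-control hostnames and a .dll/.drv/.sys triplet that shares one random base name) can be turned into a simple offline triage check. The Python below is an added example, not part of the original write-up or of any vendor tooling: it groups a directory listing by file stem to find the dropped-file pattern, and scans DNS query log lines for the listed hostnames. The listing and log lines are constructed sample input; the log format (`client <ip> query: <host>`) is an assumption, and the on-disk paths assume a default `C:\Windows\System32` system folder. Because the rootkit driver hooks NtQueryDirectoryFile, a listing taken on the live infected host may not show the files at all, which is why such a check is best run against an offline image or from another system.

```python
import re
from pathlib import PureWindowsPath

# Command-and-control hostnames listed in the write-up.
C2_HOSTS = {"vbandy.3322.org", "flysufei.3322.org"}

# Dropped-file shape from the write-up: <system folder>\X.dll, <system folder>\X.drv,
# <system folder>\drivers\X.sys, all sharing the same random stem X.
TRIPLET_SHAPE = {("system32", ".dll"), ("system32", ".drv"), ("drivers", ".sys")}

# Constructed sample listing (assumed C:\Windows\System32 as the system folder).
SAMPLE_LISTING = [
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\jdqfpzfp.dll",
    r"C:\Windows\System32\jdqfpzfp.drv",
    r"C:\Windows\System32\drivers\jdqfpzfp.sys",
    r"C:\Windows\System32\drivers\tcpip.sys",
    r"C:\Windows\System32\msacm32.drv",
    r"C:\Windows\System32\drivers\msacm32.sys",   # .drv + .sys only, no .dll: not a hit
]

# Constructed sample DNS log lines; the "client <ip> query: <host>" layout is assumed.
SAMPLE_DNS_LOG = [
    "2010-05-04T10:01:02Z client 10.0.0.7 query: vbandy.3322.org A",
    "2010-05-04T10:01:03Z client 10.0.0.9 query: update.example.com A",
    "2010-05-04T10:02:10Z client 10.0.0.7 query: FLYSUFEI.3322.ORG. A",
]


def find_dropped_triplets(paths):
    """Return stems that appear as System32\X.dll, System32\X.drv and drivers\X.sys.

    Only a complete triplet is reported, so ordinary .drv/.sys pairs such as
    audio codecs are not flagged on their own.
    """
    parts_by_stem = {}
    for raw in paths:
        p = PureWindowsPath(raw)
        key = p.stem.lower()
        parts_by_stem.setdefault(key, set()).add((p.parent.name.lower(), p.suffix.lower()))
    return sorted(stem for stem, parts in parts_by_stem.items() if TRIPLET_SHAPE <= parts)


_DNS_RE = re.compile(r"client\s+(\S+)\s+query:\s+(\S+)")


def find_c2_queries(log_lines):
    """Return (client_ip, hostname) pairs for queries to the listed C2 hosts.

    Hostnames are compared case-insensitively and with any trailing dot removed.
    """
    hits = []
    for line in log_lines:
        m = _DNS_RE.search(line)
        if not m:
            continue
        client, host = m.group(1), m.group(2).lower().rstrip(".")
        if host in C2_HOSTS:
            hits.append((client, host))
    return hits


if __name__ == "__main__":
    print("dropped-file triplets:", find_dropped_triplets(SAMPLE_LISTING))
    print("C2 DNS queries:", find_c2_queries(SAMPLE_DNS_LOG))
```

Both functions return plain lists so they can be fed into whatever ticketing or alerting step follows; a hit on the triplet check is a strong lead but should be confirmed by hashing the three files and comparing against the detection names given above.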

    Analysis by Andrei Florin Saygo

    Last update 04 May 2010
