Threat behavior
Backdoor:Win32/PcClient.ZL is a trojan that allows limited backdoor access and control of an affected computer.
Installation
Backdoor:Win32/PcClient.ZL is commonly installed by other malware such as Trojan:Win32/Killav.KV or other variants of Win32/PcClient. This trojan may be present as a randomly named DLL component, such as the following:
- <system folder>\rjmetvc.dll
Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
The registry is modified to run Backdoor:Win32/PcClient.ZL as a service, as in the following example:
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
Sets value: "krnlsrvc"
With data: "1sa"
In subkey: HKLM\System\CurrentControlSet\Services\1sa
Sets value: "Description"
With data: "1aaa"
In subkey: HKLM\System\CurrentControlSet\Services\1sa\Parameters
Sets value: "ServiceDll"
With data: "<system folder>\rjmetvc.dll"
Payload
Allows backdoor access and control
Backdoor:Win32/PcClient.ZL may connect to the following websites using the specified TCP port to receive commands, including some that may allow a remote attacker access and control to the computer:
- lgpk.2288.org via TCP port 1800
- kiss58.3322.org via TCP port 8989
- 192.168.1.102 via TCP port 8080
- yoanhk.2288.org via TCP port 8080
Additional information
Analysis by Patrick Nolan
Prevention
