
Backdoor:Win32/Morix.B


Microsoft security software detects and removes this threat.

This threat can give a malicious hacker unauthorized access and control of your PC.




What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find hidden malware.

Get more help

You can also see our advanced troubleshooting page for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation
This threat can create files on your PC, including:

It modifies the registry so that it runs each time you start your PC. For example:

In subkey: HKLM\system\currentcontrolset\services\appmgmt\parameters
Sets value: "ServiceDll"
With data: "%ProgramFiles%\%program files%\wdcp.dll"

It can make various registry changes during its installation, including:

In subkey: HKLM\software\microsoft\windows\currentversion\run
Sets value: "(default)"
With data: "file:%SystemRoot%\362.vbs"

Payload

Allows backdoor access and control

This threat can give a malicious hacker access and control of your PC. They can then perform a number of different actions, such as:

  • Deleting files
  • Downloading and running files
  • Logging your keystrokes or stealing your sensitive data
  • Modifying your system settings
  • Running or stopping applications
  • Spreading malware to other PCs
  • Uploading files

Additional information

Creates a mutex

This threat can create a mutex on your PC. For example:

  • QQQQQQrrGxvbGxtL2utbO9sq6pp6enp6==

It might use this mutex as an infection marker to prevent more than one copy of the threat from running on your PC.

This malware description was published using automated analysis of file SHA1 21955bba654878e036dcf886b73975bab25c1266.


Symptoms

The following can indicate that you have this threat on your PC:

  • You see registry modifications such as:
    • In subkey: HKLM\software\microsoft\windows\currentversion\run
      Sets value: "(default)"
      With data: "file:%SystemRoot%\362.vbs"

    • In subkey: HKLM\system\currentcontrolset\services\appmgmt\parameters
      Sets value: "ServiceDll"
      With data: "%ProgramFiles%\%program files%\wdcp.dll"

    • In subkey: HKLM\system\currentcontrolset\services\appmgmt
      Sets value: "Start"
      With data: "2"

  • The presence of a mutex such as:
    • QQQQQQrrGxvbGxtL2utbO9sq6pp6enp6==
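A read-only check for the indicators listed above, added here as an example and not part of the Microsoft write-up. It assumes an elevated PowerShell prompt on the host being examined; the registry paths, values and mutex name are the ones this page lists, and the expected clean-host ServiceDll (appmgmts.dll) is an assumption to confirm against a known-good machine.

```powershell
# Added example, not from the Microsoft write-up: read-only check for the
# Backdoor:Win32/Morix.B indicators this page lists. Nothing is modified.

$findings = @()

# 1. AppMgmt service redirected to wdcp.dll through its ServiceDll value.
#    Assumption: on a clean host AppMgmt normally loads %SystemRoot%\System32\appmgmts.dll.
$svcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\AppMgmt'
$paramsKey = Join-Path $svcKey 'Parameters'
$dll = (Get-ItemProperty -Path $paramsKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
if ($dll -and $dll -notmatch '(?i)\\system32\\appmgmts\.dll$') {
    $findings += "AppMgmt ServiceDll is unexpected: $dll"
}

# 2. Start forced to 2 (SERVICE_AUTO_START) so the hijacked service loads at boot.
$start = (Get-ItemProperty -Path $svcKey -Name Start -ErrorAction SilentlyContinue).Start
if ($start -eq 2 -and $dll -match '(?i)wdcp\.dll$') {
    $findings += "AppMgmt is auto-start while pointing at wdcp.dll"
}

# 3. Run key (default) value launching a VBS dropped under %SystemRoot%.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runDefault = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).'(default)'
if ($runDefault -and $runDefault -match '(?i)362\.vbs') {
    $findings += "Run key (default) references 362.vbs: $runDefault"
}

# 4. Infection-marker mutex. OpenExisting throws if the name is absent; an
#    access-denied error means it exists but was created by another session.
$mutexName = 'QQQQQQrrGxvbGxtL2utbO9sq6pp6enp6=='
foreach ($name in @($mutexName, "Global\$mutexName")) {
    try {
        $m = [System.Threading.Mutex]::OpenExisting($name)
        $m.Close()
        $findings += "Mutex present: $name"
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        # Not present; nothing to report for this name.
    } catch [System.UnauthorizedAccessException] {
        $findings += "Mutex present (access denied): $name"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Morix.B indicators from this page were found.'
} else {
    $findings | ForEach-Object { Write-Output "INDICATOR: $_" }
}
```

A hit on the ServiceDll or Start checks alone is worth confirming against the service's binary on disk before acting, since other software can legitimately change service configuration.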

Prevention


Alert level: Severe
First detected by definition: 1.97.544.0
Latest detected by definition: 1.203.795.0 and higher
First detected on: Jan 28, 2011
This entry was first published on: Mar 27, 2015
This entry was updated on: Mar 30, 2015

This threat is also detected as:
  • Spyware.Ardakey (Symantec)
  • WORM_PALEVO.SMUS (Trend Micro)