
Backdoor:Win32/PcClient.ZL


Backdoor:Win32/PcClient.ZL is a trojan that allows limited backdoor access and control of an affected computer.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products will detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Backdoor:Win32/PcClient.ZL is a trojan that allows limited backdoor access and control of an affected computer.
Installation
Backdoor:Win32/PcClient.ZL is commonly installed by other malware such as Trojan:Win32/Killav.KV or other variants of Win32/PcClient. This trojan may be present as a randomly named DLL component, such as the following:

  • <system folder>\rjmetvc.dll

Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; for XP, Vista, and 7 it is C:\Windows\System32.

The registry is modified to run Backdoor:Win32/PcClient.ZL as a service, as in the following example:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
Sets value: "krnlsrvc"
With data: "1sa"

In subkey: HKLM\System\CurrentControlSet\Services\1sa
Sets value: "Description"
With data: "1aaa"

In subkey: HKLM\System\CurrentControlSet\Services\1sa\Parameters
Sets value: "ServiceDll"
With data: "<system folder>\rjmetvc.dll"

Payload

Allows backdoor access and control
Backdoor:Win32/PcClient.ZL may connect to the following hosts on the specified TCP port to receive commands, including some that may allow a remote attacker access to and control of the computer:

  • lgpk.2288.org via TCP port 1800
  • kiss58.3322.org via TCP port 8989
  • 192.168.1.102 via TCP port 8080
  • yoanhk.2288.org via TCP port 8080

Additional information
For more information about Backdoor:Win32/PcClient, see the description elsewhere in the encyclopedia.
 
Analysis by Patrick Nolan

Symptoms

System changes
The following system changes may indicate the presence of this malware:

  • The presence of the following file:

    <system folder>\rjmetvc.dll

  • The presence of the following registry modifications:

    In subkey: HKLM\System\CurrentControlSet\Services\1sa
    Sets value: "Description"
    With data: "1aaa"

    In subkey: HKLM\System\CurrentControlSet\Services\1sa\Parameters
    Sets value: "ServiceDll"
    With data: "<system folder>\rjmetvc.dll"

    In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
    Sets value: "krnlsrvc"
    With data: "1sa"
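A host check for the file and registry indicators listed above, written for this page as an added example (it is not a Microsoft tool). It assumes an elevated PowerShell session and uses only the service name, svchost group and DLL name given in this write-up; the function name is made up for the example.

```powershell
# Added example: report which Backdoor:Win32/PcClient.ZL indicators from the
# write-up are present on this host. Run from an elevated PowerShell prompt.
# "1sa", "krnlsrvc" and "rjmetvc.dll" are the values named in the entry;
# Test-PcClientZLIndicators is a name chosen for this example.
function Test-PcClientZLIndicators {
    [CmdletBinding()]
    param()

    $findings = @()
    # <system folder> from the write-up, e.g. C:\Windows\System32
    $sysDir = [Environment]::SystemDirectory

    # 1. Dropped DLL component in the system folder
    $dll = Join-Path $sysDir 'rjmetvc.dll'
    if (Test-Path -LiteralPath $dll) {
        $findings += "File present: $dll"
    }

    # 2. Svchost group "krnlsrvc" (REG_MULTI_SZ) that loads service "1sa"
    $svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    $group = (Get-ItemProperty -Path $svchostKey -ErrorAction SilentlyContinue).krnlsrvc
    if ($group -and (@($group) -contains '1sa')) {
        $findings += "Svchost group 'krnlsrvc' lists service '1sa'"
    }

    # 3. Service key "1sa" (the write-up gives Description "1aaa")
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\1sa'
    $svc = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
    if ($svc) {
        $findings += "Service key exists: $svcKey (Description='$($svc.Description)')"
    }

    # 4. ServiceDll parameter whose file name is the dropped DLL, whatever the path
    $paramKey = Join-Path $svcKey 'Parameters'
    $serviceDll = (Get-ItemProperty -Path $paramKey -ErrorAction SilentlyContinue).ServiceDll
    if ($serviceDll) {
        $expanded = [Environment]::ExpandEnvironmentVariables($serviceDll)
        if ([IO.Path]::GetFileName($expanded) -ieq 'rjmetvc.dll') {
            $findings += "ServiceDll for service '1sa' points to: $serviceDll"
        }
    }

    return $findings
}

$result = Test-PcClientZLIndicators
if ($result.Count -eq 0) {
    Write-Output 'No Backdoor:Win32/PcClient.ZL indicators found.'
} else {
    $result | ForEach-Object { Write-Warning $_ }
}
```

A hit on the svchost group or the ServiceDll value alone is worth investigating even if the DLL is no longer on disk, since the write-up describes the service registration as the persistence mechanism.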

Prevention


Alert level: Severe
First detected by definition: 1.49.98.0
Latest detected by definition: 1.183.338.0 and higher
First detected on: Dec 04, 2008
This entry was first published on: Jan 26, 2011
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • VirTool:Win32/Obfuscator.XZ (other)
  • W32/Backdoor2.DHCR (Command)
  • Trojan.Win32.Xih.amn (Kaspersky)
  • DR/Xih.amn.2 (Avira)
  • Backdoor.Win32.PcClient (Ikarus)
  • Dropper.Win32.Mnless.emv (Rising AV)
  • Cryp_Xed-16 (Trend Micro)