Backdoor:Win32/PcClient.ZR, a variant of the Backdoor:Win32/PcClient family, is malware that may be used by other Backdoor:Win32/PcClient components and may allow backdoor access and control of an affected computer.
This malware may also download and execute additional components onto your computer.
Backdoor:Win32/PcClient.ZR is a component DLL (dynamic link library) file that is dropped by a separate Backdoor:Win32/PcClient malware package into the Windows System folder. In the wild we have seen the DLL file with the following file names:
Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is "C:\Winnt\System32"; for XP, Vista, and 7 it is "C:\Windows\System32".
Backdoor:Win32/PcClient.ZR registers itself as a service on your computer by modifying the registry as follows:
In subkey: HKLM\SystemCurrentControlSet\Services\<service name>\Parameters (for example, "HKLM\SystemCurrentControlSet\Services\17971656\Parameters")
Sets value: "ServiceDll"
With data: "<system folder>\<DLL file name>" (for example, "<system folder>\17971656.dll")
Allows backdoor access and control
Backdoor:Win32/PcClient.ZR may attempt to connect to the website "fghziyi.3322.org" using a specific port. It may connect to port 1229 or the default HTTP port 80 to download arbitrary files or receive commands.
Backdoor:Win32/PcClient.ZR collects information about your computer and starts a keylogging routine to monitor and collect information about the following:
- System activity, such as keystrokes
- Window titles
- User names
It saves this information to the file "<system folder>\syslog.dat".
Backdoor:Win32/PcClient.ZR also performs the following registry modification:
In subkey: HKLM\SystemCurrentControlSet\Services\<service name> (for example, "HKLM\SystemCurrentControlSet\Services\17971656")
Sets value: "rcx"
Sets value: "reg"
With data: "<blank>"
This modification may be used as an infection marker, which could indicate the presence of this malware on your computer.
Analysis by Jireh Sanico