
Backdoor:Win32/PcClient.ZR


Backdoor:Win32/PcClient.ZR, a variant of the Backdoor:Win32/PcClient family, is malware that may be used by other Backdoor:Win32/PcClient components and may allow backdoor access and control of an affected computer.

This malware may also download and execute additional components onto your computer.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

Threat behavior

Installation

Backdoor:Win32/PcClient.ZR is a component DLL (dynamic link library) file that is dropped by a separate Backdoor:Win32/PcClient malware package into the Windows System folder. In the wild we have seen the DLL file with the following file names:

  • <system folder>\17971656.dll
  • <system folder>\6to432.dll

Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is "C:\Winnt\System32"; for XP, Vista, and 7 it is "C:\Windows\System32".

Backdoor:Win32/PcClient.ZR registers itself as a service on your computer by modifying the registry as follows:

In subkey: HKLM\System\CurrentControlSet\Services\<service name>\Parameters (for example, "HKLM\System\CurrentControlSet\Services\17971656\Parameters")
Sets value: "ServiceDll"
With data: "<system folder>\<DLL file name>" (for example, "<system folder>\17971656.dll")

Payload

Allows backdoor access and control

Backdoor:Win32/PcClient.ZR may attempt to connect to the website "fghziyi.3322.org" using a specific port. It may connect to port 1229 or the default HTTP port 80 to download arbitrary files or receive commands.

Logs keystrokes

Backdoor:Win32/PcClient.ZR collects information about your computer and starts a keylogging routine to monitor and collect information about the following:

  • System activity, such as keystrokes
  • Window titles
  • User names
  • Passwords

It saves this information to the file "<system folder>\syslog.dat".

Additional information

Backdoor:Win32/PcClient.ZR also performs the following registry modification:

In subkey: HKLM\System\CurrentControlSet\Services\<service name> (for example, "HKLM\System\CurrentControlSet\Services\17971656")
Sets value: "rcx"
Sets value: "reg"
With data: "<blank>"

This modification may be used as an infection marker, which could indicate the presence of this malware on your computer.

Analysis by Jireh Sanico


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following files:

    <system folder>\syslog.dat

  • The presence of the following registry modifications:

    In subkey: HKLM\System\CurrentControlSet\Services\<service name>\Parameters (for example, "HKLM\System\CurrentControlSet\Services\17971656\Parameters")
    Sets value: "ServiceDll"
    With data: "<system folder>\<DLL file name>" (for example, "<system folder>\17971656.dll")

    In subkey: HKLM\System\CurrentControlSet\Services\<service name> (for example, "HKLM\System\CurrentControlSet\Services\17971656")
    Sets value: "rcx"
    Sets value: "reg"
    With data: "<blank>"
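The system changes listed above, expressed as a PowerShell audit script. This is an added example and not part of the Microsoft write-up; it assumes a Windows host where the script runs with rights to read HKLM and the System folder, and the service-name-independent check relies only on the indicators given in this entry (the two observed DLL names, the ServiceDll parameter, the empty "rcx"/"reg" marker values and the syslog.dat file).

```powershell
# Added example (not from the Microsoft write-up): audit a host for the PcClient.ZR
# symptoms listed in this entry. Read-only; it reports, it does not remove anything.
$SystemFolder = [Environment]::GetFolderPath('System')   # e.g. C:\Windows\System32
$KnownDlls    = @('17971656.dll', '6to432.dll')           # DLL names observed in the wild
$Findings     = @()

# 1. Keylogger output file dropped into the System folder
$LogFile = Join-Path $SystemFolder 'syslog.dat'
if (Test-Path -LiteralPath $LogFile) {
    $Findings += "File present: $LogFile"
}

# 2. Walk every service key. A PcClient.ZR service has Parameters\ServiceDll pointing at
#    one of the known DLLs, and carries empty 'rcx' and 'reg' values on the service key
#    itself, which the entry describes as an infection marker.
Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
ForEach-Object {
    $svcKey = $_
    $svc    = Get-ItemProperty -LiteralPath $svcKey.PSPath -ErrorAction SilentlyContinue
    $names  = @($svc.PSObject.Properties.Name)
    $hasMarker = ($names -contains 'rcx') -and ($names -contains 'reg')

    $params = Get-ItemProperty -LiteralPath "$($svcKey.PSPath)\Parameters" -ErrorAction SilentlyContinue
    $dll    = $params.ServiceDll          # REG_EXPAND_SZ; PowerShell already expands %SystemRoot%
    $dllMatches = $false
    if ($dll) {
        $dllName    = Split-Path -Leaf ([Environment]::ExpandEnvironmentVariables($dll))
        $dllMatches = $KnownDlls -contains $dllName
    }

    if ($hasMarker -or $dllMatches) {
        $Findings += "Service '$($svcKey.PSChildName)': marker=$hasMarker ServiceDll=$dll"
    }
}

if ($Findings.Count -eq 0) { 'No PcClient.ZR indicators found.' } else { $Findings }
```

A hit on the rcx/reg marker alone is worth triaging even when the ServiceDll name differs, since the entry lists only the names seen so far.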

Prevention


Alert level: Severe
First detected by definition: 1.95.3914.0
Latest detected by definition: 1.187.1699.0 and higher
First detected on: Jan 14, 2011
This entry was first published on: Jan 14, 2011
This entry was updated on: Jul 23, 2012

This threat is also detected as:
  • Win32/Farfli.AK trojan (ESET)
  • BackDoor.Bull.130 (Dr.Web)
  • Backdoor.Torr!L1dYZ/5Uy+Y (VirusBuster)
  • Backdoor.Win32.Drwolf.hnu (Rising AV)
  • Backdoor.Win32.Torr.fkf (Kaspersky)
  • Mal_Vundo-4 (Trend Micro)
  • W32/Redosdru.D.gen!Eldorado (Command)
  • Win-Trojan/Securisk (AhnLab)