Backdoor:Win32/PcClient is a backdoor trojan family with several components, including a keylogger, a backdoor, and a rootkit.
Upon execution, Backdoor:Win32/PcClient usually drops two components in the system, for example:
- <system folder>\Yelgcgmh.d1l - the backdoor component
- <system folder>\Yelgcgmh.dll - the keylogger component
- <system folder>\drivers\Yelgcgmh.sys - the rootkit/system driver component; this file may be added as a service and is capable of hiding processes, files, registry entries and network traffic
Note that for the first two dropped files, one has the extension "D1L" while the second has the extension "DLL".
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 for Windows 2000 and NT, and C:\Windows\System32 for XP and Vista.
To add its dropped SYS file as a service, it may create the following values in the subkey HKLM\SYSTEM\CurrentControlSet\Services\Yelgcgmh:
- "Type" with data "1"
- "Start" with data "3"
- "ErrorControl" with data "1"
- "ImagePath" with data "<system folder>\drivers\Yelgcgmh.sys"
- "DisplayName" with data "Yelgcgmh"
Its backdoor component is usually injected into the 'svchost.exe' process, and is capable of updating itself and accepting and executing commands from a remote attacker. It modifies an existing registry entry to allow itself to automatically run when Windows starts:
- Modifies value "ServiceDll" in the subkey HKLM\SYSTEM\CurrentControlSet\Services\dmserver\Parameters
- From data: "<system folder>\dmserver.dll"
- To data: "<system folder>\Yelgcgmh.d1l"
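A detection check for the ServiceDll hijack and the D1L/DLL lookalike extension described above, added here as an example; it is not code from the original analysis. It parses a `reg export` of the Services key offline; the sample export is constructed, and the known-good table (EXPECTED) is assumed to hold only the dmserver entry named on this page.

```python
import re
def _hex2(s):  # encode as reg.exe writes REG_EXPAND_SZ: hex(2), UTF-16LE, NUL-terminated
    return "hex(2):" + ",".join(f"{b:02x}" for b in (s + "\0").encode("utf-16-le"))
# Constructed .reg export (not a real capture): dmserver's ServiceDll points at the
# lookalike ".d1l" file described above; Dnscache is an untouched service for contrast.
SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\n\n"
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\dmserver\\Parameters]\n"
    '"ServiceDll"=' + _hex2(r"C:\Windows\System32\Yelgcgmh.d1l") + "\n\n"
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Dnscache\\Parameters]\n"
    '"ServiceDll"=' + _hex2(r"%SystemRoot%\System32\dnsrslvr.dll") + "\n"
)

def parse_reg(text):
    """Return {key: {value_name: str}} for REG_SZ and REG_EXPAND_SZ values in a .reg export."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join wrapped hex(2) lines
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            name, _, raw = line[1:].partition('"=')
            if raw.startswith("hex(2):"):
                data = bytes(int(h, 16) for h in raw[7:].split(","))
                keys[current][name] = data.decode("utf-16-le").rstrip("\0")
            elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
                keys[current][name] = raw[1:-1].replace("\\\\", "\\")
    return keys
SERVICES = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
EXPECTED = {"dmserver": "dmserver.dll"}  # known-good ServiceDll for the hijacked service
LOOKALIKE = str.maketrans("10", "lo")    # digits commonly swapped in for letters
def audit_servicedll(keys):
    """Return (service, ServiceDll, reason) for svchost-hosted services worth a look."""
    findings = []
    for path, values in keys.items():
        if not (path.startswith(SERVICES) and path.endswith("\\Parameters")) or "ServiceDll" not in values:
            continue
        service, dll = path[len(SERVICES):-len("\\Parameters")], values["ServiceDll"]
        base = dll.rsplit("\\", 1)[-1].lower()
        ext = base.rsplit(".", 1)[-1]
        reasons = []
        if ext != "dll":  # catches the "d1l" extension used by the dropped backdoor
            reasons.append("lookalike extension" if ext.translate(LOOKALIKE) == "dll" else "non-DLL extension")
        if EXPECTED.get(service.lower(), base) != base:
            reasons.append("expected " + EXPECTED[service.lower()])
        if reasons:
            findings.append((service, dll, "; ".join(reasons)))
    return findings
```

On a live host the same functions can be fed the output of `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg`, read as UTF-16 text.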
Contains Backdoor Functionalities
Backdoor:Win32/PcClient may connect to a remote Web site using a specific port, for example 'neverstop.3322.org:8080'. It may then receive and execute commands from a remote attacker.
Backdoor:Win32/PcClient logs keystrokes and saves its gathered data to a log file usually located in the Windows system folder, for example '<system folder>\log.txt'.
Analysis by Francis Allan Tan Seng