Backdoor:Win32/PcClient.ZR

Installation

Backdoor:Win32/PcClient.ZR is a component DLL (dynamic link library) file that is dropped by a separate Backdoor:Win32/PcClient malware package into the Windows System folder. In the wild we have seen the DLL file with the following file names:

• <system folder>\17971656.dll
• <system folder>\6to432.dll

Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is "C:\Winnt\System32"; for XP, Vista, and 7 it is "C:\Windows\System32".

Backdoor:Win32/PcClient.ZR registers itself as a service on your computer by modifying the registry as follows:

In subkey: HKLM\SystemCurrentControlSet\Services\<service name>\Parameters (for example, "HKLM\SystemCurrentControlSet\Services\17971656\Parameters")
Sets value: "ServiceDll"
With data: "<system folder>\<DLL file name>" (for example, "<system folder>\17971656.dll")

Payload

Allows backdoor access and control

Backdoor:Win32/PcClient.ZR may attempt to connect to the website "fghziyi.3322.org" using a specific port. It may connect to port 1229 or the default HTTP port 80 to download arbitrary files or receive commands.

Logs keystrokes

Backdoor:Win32/PcClient.ZR collects information about your computer and starts a keylogging routine to monitor and collect information about the following:

• System activity, such as keystrokes
• Window titles
• User names
• Passwords

It saves this information to the file "<system folder>\syslog.dat".

Additional information

Backdoor:Win32/PcClient.ZR also performs the following registry modification:

In subkey: HKLM\SystemCurrentControlSet\Services\<service name> (for example, "HKLM\SystemCurrentControlSet\Services\17971656")
Sets value: "rcx"
Sets value: "reg"
With data: "<blank>"

This modification may be used as an infection marker, which could indicate the presence of this malware on your computer.

Analysis by Jireh Sanico