Home / malware Backdoor:Win32/PcClient.ZP
First posted on 04 May 2010.
Source: SecurityHomeAliases :
Backdoor:Win32/PcClient.ZP is also known as Win-Trojan/PcClient.42008 (AhnLab), Backdoor.Win32.PcClient.ym (Kaspersky), Backdoor.Pcclient.NK (VirusBuster), Backdoor.Pcclient.ADO (BitDefender), BackDoor.PcClient (Dr.Web), Win32/PcClient.YM (ESET), BackDoor.PcClient (Ikarus), Troj/PcClien-UA (Sophos), Backdoor.Formador (Symantec).
Explanation :
Backdoor:Win32/PcClient.ZP is a trojan that connects to a remote Web site to allow backdoor access and control to the computer in which it is installed. When run, it drops other malware and hooks certain functions and APIs.
Top
Backdoor:Win32/PcClient.ZP is a trojan that connects to a remote Web site to allow backdoor access and control to the computer in which it is installed. When run, it drops other malware and hooks certain functions and APIs. Payload Allows backdoor access and control Backdoor:Win32/PcClient.ZP may connect to the following Web sites to receive commands, including some that may allow a remote attacker access and control to the computer:vbandy.3322.org flysufei.3322.org Drops other malware When executed, Backdoor:Win32/PcClient.ZP drops the following files using random file names: <system folder>\<random name 1>.dll - detected as Backdoor:Win32/PcClient.AC <system folder>\<random name 2>.drv - detected as Backdoor:Win32/PcClient.BT.dll <system folder>\drivers\<random name 3>.sys - detected as Backdoor:WinNT/PcClient.gen Some sample file names it may use are: <system folder>\jdqfpzfp.dll <system folder>\jdqfpzfp.drv <system folder>\drivers\jdqfpzfp.sys Hooks certain functions and APIs Backdoor:Win32/PcClient.ZP may hooks the following functions and APIs to hide files and registry keys: NtDeviceIoControlFile NtEnumerateKey NtOpenKey NtQueryDirectoryFile NtQuerySystemInformation
Analysis by Andrei Florin SaygoLast update 04 May 2010
