BKDR_PCCLIENT.ZX

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes the files it drops, prompting the affected system to exhibit the malicious routines they contain.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This backdoor drops the following files:

• %Application Data%\e.mpg
• %Application Data%\ggd.exe
• %Application Data%\pgd.bat
• %Application Data%\q.mpg
• %Application Data%\r.mpg
• %Application Data%\w.mpg

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.)

Autostart Technique

This backdoor creates the following registry entries to enable automatic execution of dropped component at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\RunOnce
Network Sharing Media = "%programfiles%\Windows Media Player\Network Sharing\Network Media Update.exe ,Media Network Sharing"

Dropping Routine

This backdoor drops the following files:

• %Program Files%\Windows Media Player\Network Sharing\Network Media Update.exe - detected as BKDR_PCCLIENT.ZU

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files.)

It executes the files it drops, prompting the affected system to exhibit the malicious routines they contain.