HKTL_PIDACCESS

 Analysis by: Michael Cabel
 Modified by: Christopher Daniel So

 ALIASES:

BackDoor-EKF (McAfee)

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 REPORTED INFECTION:
 SYSTEM IMPACT RATING:
 INFORMATION EXPOSURE:

  • Threat Type: Hacking Tool

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

This hacking tool arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be manually installed by a user.

This malware does not have any propagation routine.

This malware does not have any backdoor routine.

This malware does not have any downloading capability.

This malware does not have any information-stealing capability.

  TECHNICAL DETAILS

File Size:

6,656 bytes

File Type:

EXE

Memory Resident:

No

Initial Samples Received Date:

17 Oct 2011

Arrival Details

This hacking tool arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be manually installed by a user.

Propagation

This malware does not have any propagation routine.

Backdoor Routine

This malware does not have any backdoor routine.

Download Routine

This malware does not have any downloading capability.

Information Theft

This malware does not have any information-stealing capability.

NOTES:

Rootkit Capabilities

This hacking tool does not have rootkit capabilities.

Other Details

This hacking tool is a command line tool used to create a process, whose process user and permissions will be copied from an existing process.

It has the following syntax:

{hacking tool file name} {process name} {file name to execute} [-s] [-t delay]

where:

  • {hacking tool file name} - the file name of this hacking tool
  • {process name} - the name of the process from where the process user and permissions will be copied
  • {file name to execute} - the file to be executed whose user and permissions are copied from {process name}
  • -t delay - an optional parameter that specifies the delay (in seconds) after the system was started before executing {file name to execute}. If not specified, {file name to execute} is executed immediately

Although the optional command-line parameter-s can be specified, it is not used by this hacking tool.

This hacking tool does not exploit any vulnerability.

  SOLUTION

Minimum Scan Engine:

9.200

SSAPI PATTERN File:

1.227.00

SSAPI PATTERN Date:

19 Oct 2011

Step 1

For Windows XP users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Scan your computer with your Trend Micro product to delete files detected as HKTL_PIDACCESS If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.