HackTool.Win32.TermsrvPatch.GA

This Hacking Tool arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It does not have any propagation routine.

It does not have any backdoor routine.

It does not have any information-stealing capability.

It connects to certain websites to send and receive information.

Arrival Details

This Hacking Tool arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Hacking Tool adds the following mutexes to ensure that only one of its copies runs at any one time:

• UniversalTermsrvPatch

Other System Modifications

This Hacking Tool modifies the following file(s):

• %System%\termsrv.dll → Patches this system file to bypass RDP concurrent session limits

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

Propagation

This Hacking Tool does not have any propagation routine.

Backdoor Routine

This Hacking Tool does not have any backdoor routine.

Rootkit Capabilities

This Hacking Tool does not have rootkit capabilities.

Information Theft

This Hacking Tool does not have any information-stealing capability.

Other Details

This Hacking Tool connects to the following website to send and receive information:

• http://{BLOCKED}soft.com
• http://{BLOCKED}date.com

It does the following:

• It creates the following backup files before modification:
  • %System%\termsrv.dll.backup
• It copies patched files to the following location to bypass Windows File Protection:
  • %System%\dllcache\termsrv.dll
• It creates a working copy (termsrv.dll.tmp) and applies patches to the temporary file.
• It writes a signature marker ("deepxw") at the end of patched files to identify previously patched versions.
• It elevates privileges by enabling SeShutdownPrivilege.
• It queries certificate trust providers and cryptographic OID handlers from the registry.
• It connects to Microsoft servers to check certificate revocation lists (CRL).
• It uses the following program version:
  • Universal Termsrv.dll Patch 1.0.0.5

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

It accepts the following parameters:

• -silent → Suppresses all dialog boxes for unattended operation. When enabled, success and failure messages are not displayed, allowing silent deployment via scripts or Group Policy.
• -path → Enables custom termsrv.dll path specification. Allows specifying an alternate location instead of the default %System%\termsrv.dll.
• -nt61 → Forces Windows 7/Server 2008 R2 (NT 6.1) patching mode. Bypasses automatic OS version detection and applies Windows 7-specific patch bytes.
• -deepscan → Enables comprehensive termsrv.dll signature analysis. Performs thorough verification and scans for existing patches before applying new ones.

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

It does not exploit any vulnerability.