arrow_back
search
close

Backdoor.Win32.FUPORPLEX.B

December 08, 2020
 Analysis by: Mohammed Malubay
 ALIASES:

Trojan-Downloader.Win32.Delf(IKARUS); Trojan.Win32.Vemptik.hfs(KASPERSKY);

 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet


This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It does not have any propagation routine.

It hides files, processes, and/or registry entries.

  TECHNICAL DETAILS

File Size:

2,801,664 bytes

File Type:

Other

Initial Samples Received Date:

18 May 2020

Payload:

Connects to URLs/IPs, Steals information, Hides files and processes, Drops files

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Backdoor adds the following folders:

  • %System Root%\RECYCLER
  • %Windows%\AppPatch
  • %Windows%\AppPatch\Custom
  • %Program Files%\FONDQXIMSYHLISNDBCFPGGQDFFXNKBARIRJH\FONDQXIMSYHLISNDBCFPGGQDFFXNKBARIRJH

(Note: %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.. %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000(32-bit), Server 2003(32-bit), XP, Vista(64-bit), 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit) , or C:\Program Files (x86) in Windows XP(64-bit), Vista(64-bit), 7(64-bit), 8(64-bit), 8.1(64-bit), 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It drops the following files:

  • %Windows%\AppPatch\Ke583427.xsl → shellcode detected as Trojan.Win32.FUPORPLEX.ENC
  • One of the following: → winupdate32.log (if OS is x32), winupdate64.log (if OS is x64)
    • %Windows%\sens.dll
    • %Windows%\cscdll.dll
  • One of the following:
    • %Windows%\AppPatch\Acpsens.dll → copy of legit %Windows%\sens.dll
    • %Windows%\AppPatch\Acpcscdll.dll → copy of legit %Windows%\cscdll.dll
  • %Windows%\AppPatch\Ke{6 random numbers}.xsl → copy of %Windows%\AppPatch\Ke583427.xsl
  • %Windows%\AppPatch\Ac{Characters based on C: volume serial number}.sdb → copy of %Windows%\AppPatch\Ke583427.xsl
  • %Windows%\AppPatch\Custom\{7 random characters}.tmp → copies of its components
  • %System%\Ms{Characters based on C: volume serial number}App.dll → detected as Trojan.Win32.FUPORPLEX.AF
  • %System%\drivers\dump_{random hex strings}.sys

It adds the following processes:

  • netsh interface ipv6 install
  • netsh ipsec static add policy name=qianye
  • netsh ipsec static add filterlist name=Filter1
  • netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
  • netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
  • netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
  • netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
  • netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
  • netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
  • netsh ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=21 protocol=TCP
  • netsh ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=2222 protocol=TCP
  • netsh ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=3333 protocol=TCP
  • netsh ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=4444 protocol=TCP
  • netsh ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=5555 protocol=TCP
  • netsh ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=6666 protocol=TCP
  • netsh ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=7777 protocol=TCP
  • netsh ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=8443 protocol=TCP
  • netsh ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=8888 protocol=TCP
  • netsh ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9000 protocol=TCP
  • netsh ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9999 protocol=TCP
  • netsh ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14443 protocol=TCP
  • netsh ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14444 protocol=TCP
  • netsh ipsec static add filteraction name=FilteraAtion1 action=block
  • netsh ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion1
  • netsh ipsec static set policy name=qianye assign=y
  • %System%\svchost.exe -k NetworkService
  • %System%\svchost.exe -k LocalService

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

Other System Modifications

This Backdoor deletes the following files:

  • One of the following:
    • %Windows%\AppPatch\Acpsens.dll
    • %Windows%\AppPatch\Acpcscdll.dll
  • One of the following:
    • %Windows%\sens.dll
    • %Windows%\cscdll.dll
  • %System%\Ms{Characters based on C: volume serial number}App.dll
  • %System%\ms{random characters}es{3 random characters}
  • %System%\ms{random characters}ex{3 random characters}
  • %Windows%\ms{random characters}es{3 random characters}
  • %Windows%\ms{random characters}ex{3 random characters}
  • %Windows%\{7 random characters}.tmp
  • .m{2 random characters} files in %Windows%\AppPatch\Custom\
  • .mow files in %Windows%\AppPatch\Custom\
  • .tmp files in %Windows%\AppPatch\Custom\
  • .tmp files in %Windows%\AppPatch\
  • .xsl files in %Windows%\AppPatch\

(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.. %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

It deletes the following folders:

  • %System Root%\RECYCLER

(Note: %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.)

It adds the following registry entries:

HKEY_LOCAL_MACHINE\Software\SoundResearch
UpdaterLastTimeChecked1 = 1

HKEY_LOCAL_MACHINE\Software\SoundResearch
UpdaterLastTimeChecked2 = 2

HKEY_LOCAL_MACHINE\Software\SoundResearch
UpdaterLastTimeChecked3 = 3

HKEY_LOCAL_MACHINE\Software\Microsoft\
DirectPlay8\Direct3D
{hex values} = {hex values}

HKEY_LOCAL_MACHINE\SYSTEM\{ControlSet001 or CurrentControlSet}\
services\Ms{Characters based on C: volume serial number}App
Type = 32

HKEY_LOCAL_MACHINE\SYSTEM\{ControlSet001 or CurrentControlSet}\
services\Ms{Characters based on C: volume serial number}App
Start = 2

HKEY_LOCAL_MACHINE\SYSTEM\{ControlSet001 or CurrentControlSet}\
services\Ms{Characters based on C: volume serial number}App
ErrorControl = 1

HKEY_LOCAL_MACHINE\SYSTEM\{ControlSet001 or CurrentControlSet}\
services\Ms{Characters based on C: volume serial number}App
DependOnService = FltMgr

HKEY_LOCAL_MACHINE\SYSTEM\{ControlSet001 or CurrentControlSet}\
services\Ms{Characters based on C: volume serial number}App
DisplayName = Ms{Characters based on C: volume serial number}App

HKEY_LOCAL_MACHINE\SYSTEM\{ControlSet001 or CurrentControlSet}\
services\Ms{Characters based on C: volume serial number}App
Description = Ms{Characters based on C: volume serial number}App

HKEY_LOCAL_MACHINE\SYSTEM\{ControlSet001 or CurrentControlSet}\
services\Ms{Characters based on C: volume serial number}App
ObjectName = LocalSystem

HKEY_LOCAL_MACHINE\SYSTEM\{ControlSet001 or CurrentControlSet}\
services\Ms{Characters based on C: volume serial number}App
Group = UIGroup

HKEY_LOCAL_MACHINE\SYSTEM\{ControlSet001 or CurrentControlSet}\
services\Ms{Characters based on C: volume serial number}App\Parameters
ServiceMain = ServiceMain

HKEY_LOCAL_MACHINE\SYSTEM\{ControlSet001 or CurrentControlSet}\
services\Ms{Characters based on C: volume serial number}App\Parameters
ServiceDll = %System%\Ms{Characters based on C: volume serial number}App.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Svchost
netsvcs = {add "Ms{Characters based on C: volume serial number}App" among the list}

HKEY_LOCAL_MACHINE\SYSTEM\{ControlSet001 or CurrentControlSet}\
services\Ms{Characters based on C: volume serial number}App
ImagePath = %System%\svchost.exe -k netsvcs

Propagation

This Backdoor does not have any propagation routine.

Rootkit Capabilities

This Backdoor hides files, processes, and/or registry entries.

Information Theft

This Backdoor gathers the following data:

  • Current Date
  • MAC Address
  • System's service pack
  • Volume Serial-ID

Other Details

This Backdoor adds the following registry keys:

HKEY_LOCAL_MACHINE\Software\SoundResearch

HKEY_LOCAL_MACHINE\Software\Microsoft\
DirectPlay8\Direct3D

HKEY_LOCAL_MACHINE\SYSTEM\{ControlSet001 or CurrentControlSet}\
services\Ms{Characters based on C: volume serial number}App

HKEY_LOCAL_MACHINE\SYSTEM\{ControlSet001 or CurrentControlSet}\
services\Ms{Characters based on C: volume serial number}App\Parameters

It does not exploit any vulnerability.

NOTES:

It does the following:

  • Disables Windows Defender's Antispyware by changing/adding the following registry entries:
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender
      • DisableAntiSpyware = 1
    • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows Defender
      • DisableAntiSpyware = 1
  • Disables Windows File Protection by changing/adding the following registry entries:
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
      • SFCDisable = 4 → Enabled, but popups are disabled
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
      • SFCScan = 0 → Disables scan of protected files at boot
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
      • AllowProtectedRenames = 1
  • Prompts user to restart the machine after its installation:
  • Ensures the auto-start of its driver and DLL components even in safe mode by adding the following registry keys and entries:
    • HKEY_LOCAL_MACHINE\SYSTEM\{ControlSet001 or CurrentControlSet}\Control\SafeBoot\Minimal\Ms{Characters based on C: volume serial number}App
      • (Default) = Service
    • HKEY_LOCAL_MACHINE\SYSTEM\{ControlSet001 or CurrentControlSet}\Control\SafeBoot\Network\Ms{Characters based on C: volume serial number}App
      • (Default) = Service
    • HKEY_LOCAL_MACHINE\{ControlSet001 or CurrentControlSet}\Control\SafeBoot\Minimal\dump_{random hex}
      • (Default) = Service
    • HKEY_LOCAL_MACHINE\{ControlSet001 or CurrentControlSet}\Control\SafeBoot\Network\dump_{random hex}
      • (Default) = Service
  • The added process "svchost.exe -k LocalService" acts as watchdog for "svchost.exe -k NetworkService" and vise-versa.
  • Loads shellcode into its memory by searching for the following files:
    • %System%\svchost.exe -k LocalService:
      • %Windows%\AppPatch\Ac{8 random characters}.sdb
      • %Windows%\AppPatch\Ke{6 random characters}.xsl
    • %System%\svchost.exe -k NetworkService:
      • %Windows%\AppPatch\Custom\{random hex}.moe
      • %Windows%\AppPatch\Custom\{random hex}.mow
  • Does not proceed to its payload if current process is not "winlogon.exe" or "svchost.exe".
  • Accesses the following URLs to get actual time:
    • time.windows.com
    • www.microsoft.com
    • www.baidu.com
  • Accesses the following URLs to download different modules:
    • {BLOCKED}.{BLOCKED}.75.9:18035/{random hex}.moe
    • {BLOCKED}.{BLOCKED}.206.5:14874/{random hex}.moe
    • {BLOCKED}.{BLOCKED}.3.130:12314/{random hex}.moe
    • {BLOCKED}.{BLOCKED}.32.126:11946/{random hex}.moe
    • {BLOCKED}.{BLOCKED}.200.63:18126/{random hex}.moe
    • {BLOCKED}.{BLOCKED}.194.121:11532/{random hex}.moe
    • {BLOCKED}.{BLOCKED}.55.7:18488/{random hex}.moe
    • {BLOCKED}.{BLOCKED}.154.13:11605/{random hex}.moe
    • {BLOCKED}.{BLOCKED}.191.22:19400/{random hex}.moe
    • {BLOCKED}.{BLOCKED}.125.106:20187/{random hex}.moe
    • {BLOCKED}.{BLOCKED}.79.174:16509/{random hex}.moe
    • {BLOCKED}.{BLOCKED}.0.101:19667/{random hex}.moe
    • {BLOCKED}.{BLOCKED.107.227:17280/{random hex}.moe
    • {BLOCKED}.{BLOCKED.194.245:17859/{random hex}.moe
    • {BLOCKED}.{BLOCKED.218.214:16884/{random hex}.moe
    • {BLOCKED}.{BLOCKED.184.43:12424/{random hex}.moe
    • {BLOCKED}.{BLOCKED}.92.174:16514/{random hex}.moe
    • {BLOCKED}.{BLOCKED}.145.190:18049/{random hex}.moe
    • {BLOCKED}.{BLOCKED}.189.42:12147/{random hex}.moe
    • {BLOCKED}.{BLOCKED}.50.202:19150/{random hex}.moe
    • {BLOCKED}.{BLOCKED}.150.2:19955/{random hex}.moe
    • {BLOCKED}.{BLOCKED}.165.80:17740/{random hex}.moe
    • {BLOCKED}.{BLOCKED}.16.32:19214/{random hex}.moe
    • {BLOCKED}.{BLOCKED}.31.157:14881/{random hex}.moe
    • {BLOCKED}.{BLOCKED}.34.20:17171/{random hex}.moe
    • {BLOCKED}.{BLOCKED}.188.205:19486/{random hex}.moe
    • {BLOCKED}.{BLOCKED}.80.72:16950/{random hex}.moe
    • {BLOCKED}.{BLOCKED}.201.102:19836/{random hex}.moe
    • {BLOCKED}.{BLOCKED}.20.37:10538/{random hex}.moe
    • {BLOCKED}.{BLOCKED}.13.4:10395/{random hex}.moe
    • {BLOCKED}.{BLOCKED}.80.115:10922/{random hex}.moe
    • {BLOCKED}.{BLOCKED}.55.41:11713/{random hex}.moe
    • {BLOCKED}.{BLOCKED}.94.196:18598/{random hex}.moe
    • {BLOCKED}.{BLOCKED}.106.233:17470/{random hex}.moe
    • {BLOCKED}.{BLOCKED}.86.137:13008/{random hex}.moe
    • {BLOCKED}.{BLOCKED}.81.106:20171/{random hex}.moe
    • {BLOCKED}.{BLOCKED}.196.152:14469/{random hex}.moe
    • {BLOCKED}.{BLOCKED}.64.170:16125/{random hex}.moe
  • Downloaded modules are saved as %Windows%\AppPatch\Custom\{random hex}.moe
  • It adds the following mutex to avoid re-running certain malicious routines:
    • Global\RunWord{random characters} → for shellcode routine
    • Global\{Characters based on C: volume serial number}CSS → for registry creation routine
    • Global\{Characters based on C: volume serial number}SetServiceX → for "%System%\svchost.exe -k LocalService" process execution routine
    • Global\{Characters based on C: volume serial number}SetService → for "%System%\svchost.exe -k LocalService" process execution routine
    • Global\{Characters based on C: volume serial number}AppService → for "%System%\svchost.exe -k NetworkService" process execution routine

  SOLUTION

Minimum Scan Engine:

9.850

FIRST VSAPI PATTERN FILE:

15.882.04

FIRST VSAPI PATTERN DATE:

21 May 2020

VSAPI OPR PATTERN File:

15.883.00

VSAPI OPR PATTERN Date:

22 May 2020

Step 1

Trend Micro Predictive Machine Learning detects and blocks malware at the first sign of its existence, before it executes on your system. When enabled, your Trend Micro product detects this malware under the following machine learning name:

  • Troj.Win32.TRX.XXPE50FFF035

Step 2

Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.

Step 3

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 4

Delete this registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

 
  • In HKEY_LOCAL_MACHINE\Software\SoundResearch
    • UpdaterLastTimeChecked1 = 1
  • In HKEY_LOCAL_MACHINE\Software\SoundResearch
    • UpdaterLastTimeChecked2 = 2
  • In HKEY_LOCAL_MACHINE\Software\SoundResearch
    • UpdaterLastTimeChecked3 = 3
  • In HKEY_LOCAL_MACHINE\Software\Microsoft\DirectPlay8\Direct3D
    • {hex values} = {hex values}
  • In HKEY_LOCAL_MACHINE\SYSTEM\{ControlSet001 or CurrentControlSet}\services\Ms{Characters based on C: volume serial number}App
    • Type = 32
  • In HKEY_LOCAL_MACHINE\SYSTEM\{ControlSet001 or CurrentControlSet}\services\Ms{Characters based on C: volume serial number}App
    • Start = 2
  • In HKEY_LOCAL_MACHINE\SYSTEM\{ControlSet001 or CurrentControlSet}\services\Ms{Characters based on C: volume serial number}App
    • ErrorControl = 1
  • In HKEY_LOCAL_MACHINE\SYSTEM\{ControlSet001 or CurrentControlSet}\services\Ms{Characters based on C: volume serial number}App
    • DependOnService = FltMgr
  • In HKEY_LOCAL_MACHINE\SYSTEM\{ControlSet001 or CurrentControlSet}\services\Ms{Characters based on C: volume serial number}App
    • DisplayName = Ms{Characters based on C: volume serial number}App
  • In HKEY_LOCAL_MACHINE\SYSTEM\{ControlSet001 or CurrentControlSet}\services\Ms{Characters based on C: volume serial number}App
    • Description = Ms{Characters based on C: volume serial number}App
  • In HKEY_LOCAL_MACHINE\SYSTEM\{ControlSet001 or CurrentControlSet}\services\Ms{Characters based on C: volume serial number}App
    • ObjectName = LocalSystem
  • In HKEY_LOCAL_MACHINE\SYSTEM\{ControlSet001 or CurrentControlSet}\services\Ms{Characters based on C: volume serial number}App
    • ImagePath = %SystemRoot%\system32\svchost.exe -k netsvcs
  • In HKEY_LOCAL_MACHINE\SYSTEM\{ControlSet001 or CurrentControlSet}\services\Ms{Characters based on C: volume serial number}App
    • Group = UIGroup
  • In HKEY_LOCAL_MACHINE\SYSTEM\{ControlSet001 or CurrentControlSet}\services\Ms{Characters based on C: volume serial number}App\Parameters
    • ServiceMain = ServiceMain
  • In HKEY_LOCAL_MACHINE\SYSTEM\{ControlSet001 or CurrentControlSet}\services\Ms{Characters based on C: volume serial number}App\Parameters
    • ServiceDll = %System%\Ms{Characters based on C: volume serial number}App.dll
  • In HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender
    • DisableAntiSpyware = 1
  • In HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows Defender
    • DisableAntiSpyware = 1
  • In HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    • SFCDisable = 4
  • In HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    • SFCScan = 0
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
    • AllowProtectedRenames = 1
  • In HKEY_LOCAL_MACHINE\SYSTEM\{ControlSet001 or CurrentControlSet}\Control\SafeBoot\Minimal\Ms{Characters based on C: volume serial number}App
    • (Default) = Service
  • In HKEY_LOCAL_MACHINE\SYSTEM\{ControlSet001 or CurrentControlSet}\Control\SafeBoot\Network\Ms{Characters based on C: volume serial number}App
    • (Default) = Service
  • In HKEY_LOCAL_MACHINE\{ControlSet001 or CurrentControlSet}\Control\SafeBoot\Minimal\dump_{random hex strings}
    • (Default) = Service
  • In HKEY_LOCAL_MACHINE\{ControlSet001 or CurrentControlSet}\Control\SafeBoot\Network\dump_{random hex strings}
    • (Default) = Service

Step 5

Delete this registry key

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\Software\SoundResearch
    • HKEY_LOCAL_MACHINE\Software\Microsoft\DirectPlay8\Direct3D\
  • In HKEY_LOCAL_MACHINE\SYSTEM\{ControlSet001 or CurrentControlSet}\services\Ms{Characters based on C: volume serial number}App
    • HKEY_LOCAL_MACHINE\SYSTEM\{ControlSet001 or CurrentControlSet}\services\Ms{Characters based on C: volume serial number}App\Parameters
  • In HKEY_LOCAL_MACHINE\SYSTEM\{ControlSet001 or CurrentControlSet}\Control\SafeBoot\Minimal\Ms{Characters based on C: volume serial number}App
    • HKEY_LOCAL_MACHINE\SYSTEM\{ControlSet001 or CurrentControlSet}\Control\SafeBoot\Network\Ms{Characters based on C: volume serial number}App
  • In HKEY_LOCAL_MACHINE\{ControlSet001 or CurrentControlSet}\Control\SafeBoot\Minimal\dump_{random hex strings}
    • HKEY_LOCAL_MACHINE\{ControlSet001 or CurrentControlSet}\Control\SafeBoot\Network\dump_{random hex strings}

Step 6

Search and delete this file

[ Learn More ]
There may be some files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.
  • %System%\Ms{Characters based on C: volume serial number}App.dll
  • %Windows%\AppPatch\Ac{Characters based on C: volume serial number}.sdb
  • %Windows%\AppPatch\Custom\{7 random characters}.tmp
  • %Windows%\AppPatch\Custom\{random hex strings}.moe
  • %Windows%\AppPatch\Ke{6 random numbers}.xsl
  • %System%\drivers\dump_{random hex strings}.sys

Step 7

Search and delete this folder

[ Learn More ]
Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden folders in the search result.
  • %Program Files%\FONDQXIMSYHLISNDBCFPGGQDFFXNKBARIRJH\FONDQXIMSYHLISNDBCFPGGQDFFXNKBARIRJH
  • %System%\RECYCLER

Step 8

Restore this file from backup only Microsoft-related files will be restored. If this malware/grayware also deleted files related to programs that are not from Microsoft, please reinstall those programs on you computer again.

  • if %Windows%\AppPatch\Acpsens.dll exists:
    • restore %Windows%\sens.dll
  • if %Windows%\AppPatch\Acpcscdll.dll exists:
    • restore %Windows%\cscdll.dll

Step 9

Restore this modified registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

Remove "Ms{Characters based on C: volume serial number}App" among the list on the following registry entries:
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
    • netsvcs = {a list of services}

Step 10

Scan your computer with your Trend Micro product to delete files detected as Backdoor.Win32.FUPORPLEX.B. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:

NOTES:

Note: Please do the following before Step 4.

Terminate this the malware's memory residency and watchdog routine using the process viewer, Process Explorer

To terminate the malware process(es):

  1. Download Process Explorer.
  2. Extract the contents of the compressed (ZIP) file to a location of your choice.
  3. Execute Process Explorer by right-clicking PROCEXP.EXE and select Run as administrator.
  4. In the Process Explorer window, locate the malware process:
    svchost.exe
  5. Right-click on the said process then choose Properties.
  6. Check if the value for the Command line is one of the following:
    %System%\\svchost.exe -k LocalService
    %System%\\svchost.exe -k NetworkService
  7. If yes, hover your cursor over the said process. Check if the information shown is similar to the following:
    • for %System%\\svchost.exe -k LocalService:

    • for %System%\\svchost.exe -k NetworkService:

    Note: There are legitimate processes that are very similar to the malware process. Ensure to check if the process identical to the image above.
  8. If yes, right-click on the malware process and choose Suspend.
  9. Repeat steps 6 to 9.
  10. After successfully suspending both the said process, right-click on the suspended processes and choose Kill Process Tree.
  11. Close Process Explorer.

Note: Please follow the steps below before the last step.

Remove the added Internet Protocol Security (IPsec) policy by the malware:

  1. Run Command Prompt as administrator
  2. Type the following commands:
    netsh ipsec static delete policy name=qianye


Did this description help? Tell us how we did.