BKDR_FLUXAY.A
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Backdoor
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It does not have any propagation routine.
It does not drop any other file.
It does not have any downloading capability.
It does not have any information-stealing capability.
TECHNICAL DETAILS
Arrival Details
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Propagation
This backdoor does not have any propagation routine.
Dropping Routine
This backdoor does not drop any other file.
Download Routine
This backdoor does not have any downloading capability.
Information Theft
This backdoor does not have any information-stealing capability.
NOTES:
This backdoor is composed of the following components:
- Pipecmdsrv.exe is the server backdoor which is installed on a victim machine and executes commands from the remote user.
- Pipecmd.exe installs the backdoor program and connects it to the remote machine.
- Ntcmd.exe is the malicious users interface where commands used on the remote system are entered.
Server Component
The server component is installed by the remote user as Pipecmdsrv.exe in the %Windows% system folder. It is installed as a service named PipeCmdSrv.
Once installed, it creates the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_PIPECMDSRV
Once the created service has started, it creates the following named pipes:
- \\.\pipe\PipeCmd_communication
- \\.\pipe\PipeCmd_stdin%s%d
- \\.\pipe\PipeCmd_stdout%s%d
- \\.\pipe\PipeCmd_stderr%s%d
The remote user communicates with the server by accessing these pipes and issues commands that include, but are not limited to, the following:
- upload any file, such as another backdoor malware, on the infected machine
- execute a file remotely
- read data or files from the infected machine
The server accepts any command such as dir c:\*.* and redirects it to the command shell, cmd.exe, for execution.
Client Component
The client component of the backdoor is composed of these two files:
- ntcmd.exe is the malicious user's interface where he may input his commands.
- pipecmd.exe is the file that connects to the remote infected machine and transmits the malicous user's commands. All commands entered into the interface (ntcmd.exe) are just redirected to pipecmd.exe.
The following parameters are required in order to establish the connection:
- IP address
- Username
- Password
- Command
This backdoor does not have rootkit capabilities.
This backdoor does not exploit any vulnerability.
SOLUTION
Step 1
For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.
Step 2
Restart in Safe Mode, and then delete this registry key
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root
- LEGACY_PIPECMDSRV
- LEGACY_PIPECMDSRV
Step 3
Restart in normal mode and scan your computer with your Trend Micro product for files detected as BKDR_FLUXAY.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Did this description help? Tell us how we did.