PHP_ARHYSHEL.CQJ
Backdoor:PHP/SimpleShell.A (Microsoft)
Windows
![](/vinfo/imgFiles/legend.jpg)
Threat Type: Backdoor
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
Downloaded from the Internet
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be hosted on a website and run when a user accesses the said website.
It executes commands from a remote malicious user, effectively compromising the affected system.
It retrieves specific information from the affected system.
TECHNICAL DETAILS
4023 bytes
GIF
Yes
14 Jul 2015
Steals information
Arrival Details
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It may be hosted on a website and run when a user accesses the said website.
Backdoor Routine
This backdoor executes the following commands from a remote malicious user:
- download component file
- execute downloaded component file
- download arbitrary file
- execute arbitrary command
- get local php configuration file
- get local list of files
Information Theft
This backdoor accepts the following parameters:
- URL to send and receive information
- directory for downloaded file
It retrieves the following information from the affected system:
- user id
- group id
- current user
- OS Version
Stolen Information
This backdoor sends the data it gathers to the following email addresses via SMTP:
- {BLOCKED}ex8@gmail.com
SOLUTION
9.750
11.924.03
17 Sep 2015
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 2
Scan your computer with your Trend Micro product to delete files detected as PHP_ARHYSHEL.CQJ. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Did this description help? Tell us how we did.