This backdoor may be dropped by other malware or downloaded from remote sites.
Installation
This backdoor drops the following files:
%User Temp%\svcghost.exe - also detected as BKDR_IRCBOT.RB
%Current Folder%\image.jpg - non-malicious file
%Current Folder%\temp_.txt - non-malicious file
(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003. %Current Folder% is the folder where the malware executes.)
Autostart Technique
This backdoor creates the following registry entry to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Master = "%User Temp%\svcghost.exe"
It creates the following registry key as part of its installation routine:
HKEY_CLASSES_ROOT\WR
It adds the following registry entry to register its dropped copy as an authorized application with the Windows Firewall, so that its outbound connections are not blocked:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
%User Temp%\svcghost.exe = "%User Temp%\svcghost.exe:*:Enabled:Master"
It also modifies the following registry entries:
HKEY_CLASSES_ROOT\.htc Content Type = " x64stable"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.htc Content Type = " x64stable"
(Note: The default value for the mentioned entries is text/x-component.)
Backdoor Capabilities
This backdoor connects to the IRC server Elena.ccpower.ru and joins the IRC channel #.nigger.
It then executes the following commands received from a remote malicious user:
Flush DNS
Modify clipboard data
Start or End processes
Download Routine
This backdoor accesses the following URLs to download malicious files:
http://www.{BLOCKED}ight.com/wz.exe - detected as TROJ_DLOADER.BQK
http://{BLOCKED}.a1423.wrs.mcboo.com/17pholmes.cmt - detected as TROJ_DLOADER.CSZ
Affected Platforms
This backdoor runs on Windows XP.
Solution
MANUAL REMOVAL INSTRUCTIONS
Important Windows XP Cleaning Instructions
Users running Windows XP must disable System Restore to allow full scanning of infected computers.
Users running other Windows versions can proceed with the succeeding solution set(s).
Restarting in Safe Mode
This malware has characteristics that require the computer to be restarted in safe mode. Go to this page for instructions on how to restart your computer in safe mode.
Removing Autostart Entries from the Registry
This solution deletes/modifies registry keys/entries added/modified by this malware. Before performing the steps below, make sure you know how to back up the registry and how to restore it if a problem occurs. Refer to this Microsoft article for more information about modifying your computer's registry.
Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following: HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Run
In the right panel, locate and delete the entry: Master = "%User Temp%\svcghost.exe"
(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)
Removing Other Malware Entries from the Registry
Still in the Registry Editor, in the left panel, double-click the following: HKEY_CLASSES_ROOT
Still in the left panel, locate and delete the key: WR
Still in the left panel, double-click the following: HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>SharedAccess>Parameters>FirewallPolicy>StandardProfile>AuthorizedApplications>List
In the right panel, locate and delete the entry: %User Temp%\svcghost.exe="%User Temp%\svcghost.exe:*:Enabled:Master"
Restoring Modified Registry Entries
Still in Registry Editor, in the left panel, double-click the following: HKEY_CLASSES_ROOT>.htc
In the right panel, locate the entry: Content Type = " x64stable"
Right-click on the value name and choose Modify. Change the value data of this entry to: text/x-component
In the left panel, double-click the following: HKEY_LOCAL_MACHINE>SOFTWARE>Classes>.htc
In the right panel, locate the entry: Content Type = " x64stable"
Right-click on the value name and choose Modify. Change the value data of this entry to: text/x-component
Close Registry Editor.
Deleting the Malware File(s)
1. Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
2. In the Named input box, type: %Current Folder%\image.jpg (%Current Folder% is the folder where the malware executes.)
3. In the Look In drop-down list, select the drive that contains Windows, then press Enter.
4. Once located, select the file then press SHIFT+DELETE.
5. Repeat steps 2-4 for the following file(s): %Current Folder%\temp_.txt
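The registry steps above (the Run entry, the HKCR\WR key, the Windows Firewall authorized-application entry, and the two hijacked .htc Content Type values) can also be audited and reverted with a script. The following PowerShell is an added example and is not part of the original advisory or of any vendor tool. It assumes an elevated PowerShell session after restarting in safe mode, takes %User Temp% to be $env:TEMP, and copies the key paths, value names and default data from the advisory. By default it only reports what it finds; nothing is changed unless -Remediate is given, and -WhatIf is honoured.

```powershell
# Added example (not from the original advisory): audit or revert the BKDR_IRCBOT
# registry artifacts described above. Run elevated, after booting to safe mode.
# Assumptions: %User Temp% == $env:TEMP; paths/values copied from the advisory.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remediate)

$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$fwList  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$wrKey   = 'Registry::HKEY_CLASSES_ROOT\WR'
$htcKeys = @('Registry::HKEY_CLASSES_ROOT\.htc', 'HKLM:\SOFTWARE\Classes\.htc')
$goodContentType = 'text/x-component'   # default data the advisory says to restore

$findings = New-Object System.Collections.Generic.List[string]

# 1. Autostart: Run\Master = "%User Temp%\svcghost.exe"
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Master'] -and $run.Master -like '*\svcghost.exe') {
    $findings.Add("autostart value Master = $($run.Master)")
    if ($Remediate -and $PSCmdlet.ShouldProcess("$runKey\Master", 'Remove value')) {
        Remove-ItemProperty -Path $runKey -Name 'Master'
    }
}

# 2. Firewall exception: the value is NAMED after the dropped file, so enumerate
#    value names rather than guessing the exact path.
if (Test-Path $fwList) {
    foreach ($name in (Get-Item $fwList).GetValueNames()) {
        if ($name -like '*\svcghost.exe') {
            $findings.Add("firewall exception $name")
            if ($Remediate -and $PSCmdlet.ShouldProcess("$fwList\$name", 'Remove value')) {
                Remove-ItemProperty -Path $fwList -Name $name
            }
        }
    }
}

# 3. Installation marker key HKCR\WR
if (Test-Path $wrKey) {
    $findings.Add("key $wrKey present")
    if ($Remediate -and $PSCmdlet.ShouldProcess($wrKey, 'Remove key')) {
        Remove-Item -Path $wrKey -Recurse
    }
}

# 4. Hijacked .htc Content Type. HKCR is a merged view of HKLM\SOFTWARE\Classes and
#    HKCU\SOFTWARE\Classes, so both locations named in the advisory are checked.
foreach ($k in $htcKeys) {
    $ct = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).'Content Type'
    if ($null -ne $ct -and $ct.Trim() -ne $goodContentType) {
        $findings.Add("$k Content Type = '$ct'")
        if ($Remediate -and $PSCmdlet.ShouldProcess("$k\Content Type", "Set to $goodContentType")) {
            Set-ItemProperty -Path $k -Name 'Content Type' -Value $goodContentType
        }
    }
}

# 5. Dropped copy in %User Temp% (reported only; the advisory leaves its removal to the scanner)
$svc = Join-Path $env:TEMP 'svcghost.exe'
if (Test-Path -LiteralPath $svc) { $findings.Add("file $svc present") }

if ($findings.Count -eq 0) { 'No BKDR_IRCBOT artifacts found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Run it once without switches to see what is present, then with -Remediate -WhatIf to preview the changes, and finally with -Remediate. The script only matches the exact artifacts listed in this advisory; the backdoor's other dropped files (image.jpg and temp_.txt in %Current Folder%) are not located by it because that folder is wherever the sample was executed, which is why the advisory has you search for them.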