Troj/Bckdr-QIB

Category: Viruses and Spyware
Protection available since: 04 May 2007 00:00:00 (GMT)
Type: Trojan
Last Updated: 04 May 2007 00:00:00 (GMT)
Prevalence: Small Number of Reports


Troj/Bckdr-QIB is a Trojan for the Windows platform.

Troj/Bckdr-QIB includes functionality to access the internet and communicate with a remote server via HTTP.

When first run, Troj/Bckdr-QIB copies itself to <System>\smcmcr.exe and creates the following files:

<System>\drivers\symvcs.sys
<System>\hmlscr.dll
<System>\msctp.dll
<System>\perfc3460.dat
<System>\perfc4895.dat

The file symvcs.sys is detected as Troj/Haxdor-Fam.

The file hmlscr.dll is also detected as Troj/Bckdr-QIB.

The files msctp.dll, perfc3460.dat and perfc4895.dat can be safely removed.

The following registry entry is created to run smcmcr.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
1
<System>\smcmcr.exe

The file symvcs.sys is registered as a new system driver service named "VISSV", with a display name of "VISSV" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\VISSV

The following registry entries are set, adding Windows Firewall exceptions for the named programs and so affecting internet security:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
%windir%\system32\ctfmon.exe
%windir%\system32\ctfmon.exe:*:Enabled:Microsoft Media Service Helper

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
%windir%\system32\mplay32.exe
%windir%\system32\mplay32.exe:*:Enabled:Microsoft Media Player

The following registry entry is set:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs
<System>\hmlscr.dll

Registry entries are created under:

HKCU\Software\Microsoft\CTF
HKCU\Software\Microsoft\Media Player\Options
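The registry artifacts listed above can be checked offline in an exported hive. The following is an added example, not Sophos code: it parses a .reg export and reports which Troj/Bckdr-QIB indicators are present; the rule regexes and the sample export are constructed for this example.

```python
import re
# Indicator rules taken from the Troj/Bckdr-QIB description above:
# (description, key-path regex, regex over "name=data" or None for key presence only).
RULES = [
    ("smcmcr.exe run at startup via Explorer policy Run", r"\\policies\\explorer\\run$", r"smcmcr\.exe"),
    ("hmlscr.dll loaded via AppInit_DLLs", r"currentversion\\windows$", r"^appinit_dlls=.*hmlscr\.dll"),
    ("VISSV driver service registered", r"\\services\\vissv$", None),
    ("firewall exception for ctfmon.exe / mplay32.exe", r"\\authorizedapplications\\list$", r"(ctfmon|mplay32)\.exe:\*:enabled"),
]

def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}}; quoted string data is unescaped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})          # record the key even if it has no values
        elif current is not None and line[:1] in ('"', "@") and "=" in line:
            name, _, data = line.partition("=")
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")   # .reg doubles backslashes in strings
            keys[current]["(Default)" if name == "@" else name.strip('"')] = data
    return keys

def scan(keys):
    """Return the description of every rule whose indicators appear in the parsed export."""
    hits = []
    for desc, key_re, value_re in RULES:
        for key, values in keys.items():
            if re.search(key_re, key, re.I) and (value_re is None or any(
                    re.search(value_re, f"{n}={d}", re.I) for n, d in values.items())):
                hits.append(desc)
                break
    return hits

# Constructed sample export (not real hive data) reproducing entries from the description.
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"1"="C:\\WINDOWS\\system32\\smcmcr.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\hmlscr.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VISSV]
"DisplayName"="VISSV"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\ctfmon.exe"="%windir%\\system32\\ctfmon.exe:*:Enabled:Microsoft Media Service Helper"
"""

for hit in scan(parse_reg(SAMPLE_REG)):
    print("indicator found:", hit)
```

On a live system the same export is produced with `reg export HKLM hklm.reg`, and a clean machine should return an empty list from `scan`.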