

Backdoor:W32/Knockex.A


Aliases:


Backdoor:W32/Knockex.A
Trojan-Dropper:W32/Knockex.A
Trojan-Downloader:W32/Knockex.A
Rootkit:W32/Knockex.A

Category: Malware
Type: Backdoor
Platform: W32

Summary

A remote administration utility that bypasses normal security mechanisms to secretly control a program, computer or network.



Disinfection & Removal

To remove the backdoor program and the other malware it is installed with, allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.

To remove the installed adware programs, uninstall the following entries from the Windows 'Add/Remove Programs' menu:

  • "Homepage Protection Service" - uninstaller of MYCLEARSEARCH-SETUP.EXE
  • "Inet Support Services" - uninstaller of INET.EXE
  • "BrowserSeek 1.0 build 171 powered by FIRST SEARCHBAR" - uninstaller of BRAND.EXE (as of this writing)


Technical Details

Backdoor:W32/Knockex.A is a backdoor program dropped as part of the payload of a Nullsoft Scriptable Install System (NSIS) installer, which is detected as Trojan-Dropper:W32/Knockex.A.

The Nullsoft installer contains the following sub-installers:

  • OfferApp-2529.exe - detected either as Trojan-Downloader:W32/Knockex.A or Gen:Variant.Kazy.17250
  • OfferApp-2526.exe - detected as Spyware:W32/Inet.B

These installers in turn run further installers, which install malware, adware and spyware programs. Among the installed programs is Backdoor:W32/Knockex.A.


First Installer Dropped - OfferApp-2529.exe

As of this writing, the first installer dropped by Trojan-Dropper:W32/Knockex.A, OfferApp-2529.exe, downloads and executes a backdoor with rootkit capabilities. The backdoor is detected either as Backdoor:W32/Knockex.A or Trojan.Generic.KDV.171682.

Upon execution, the backdoor program drops the following files:

  • %systemdir%\cssrss.exe - a copy of the downloaded backdoor program (the file name mimics the legitimate Windows process csrss.exe)
  • %systemdir%\nso12k.sys - a rootkit driver (detected either as Rootkit:W32/Knockex.A or Trojan.Downloader.Agent.ZBU) that hides the backdoor program

The backdoor program uses the following launch points:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "WMDM PMSP Service" = %systemdir%\cssrss.exe
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Driver - service launch point of nso12k.sys

Second Installer Dropped - OfferApp-2526.exe

At the same time the OfferApp-2529.exe file is downloading and executing the backdoor, the second installer file, OfferApp-2526.exe, is executing the following installers:

  • myclearsearch-setup.exe - installer of MyWebSearch/CreativeToolbar adware; detected as Adware:W32/MyWebSearch.AG
  • inet.exe - installer of iNetMedia adware; detected either as Spyware:W32/Inet.A or Spyware.14597
  • brand.exe - web installer/downloader of BrowserSeek/Zwangi adware; detected as Adware:W32/Zwangi.O

When the installers listed are executed, their payloads are installed as separate, independent programs.


Second level of installers from OfferApp-2526.exe

myclearsearch-setup.exe

The myclearsearch-setup.exe file drops the following components:

  • %programdir%\MyClearSearch\MyClearSearchSvc.exe - detected as Adware:W32/MyWebSearch.AF
  • %programdir%\MyClearSearch\ShowMsg.exe - detected as Adware:W32/MyWebSearch.AH
  • %programdir%\MyClearSearch\uninstall.exe - uninstaller component.

The myclearsearch-setup.exe file then creates the following service launch point:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MyClearSearch Helper Service

And also creates the following registry keys:

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes
  • HKEY_LOCAL_MACHINE\SOFTWARE\MyClearSearch
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Homepage Protection Service

During installation, the program will also modify the start page for the Internet Explorer web browser:

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Start Page" = "http://myclearsearch.com/"

inet.exe

When OfferApp-2526.exe is executed, it instructs the inet.exe installer to download a file from a remote site and install it to the path "C:\Program". During this process, the installer creates the following service launch point:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\inetUpServ

It also creates a working uninstall entry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\inet

Brand.exe

Brand.exe is an installer that downloads its own components from a remote site. At the time of writing, the file downloads the following components:

  • %programdir%\BrowserSeek\browserseek.dll
  • %programdir%\BrowserSeek\browserseek.exe
  • %programdir%\BrowserSeek\uninstall.exe

It creates the following service launch point:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BrowserSeek Service

And also creates the following registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\BrowserSeek
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BrowserSeek
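The dropped files, Run-key value, service keys, uninstall entries and the hijacked Internet Explorer start page listed in the sections above can be checked against a machine without trusting the infected session. The following is an added example, not F-Secure's own tooling: it matches the indicators from this page against two inputs, a .reg-style text export of the relevant hives (the format produced by `reg export`) and a flat list of file paths (as produced by `dir /s /b`). The input formats and the sample lines are constructed for this example. One caveat the page itself implies: nso12k.sys hides the backdoor from the running system, so a file listing taken from inside the infected Windows session can miss cssrss.exe; take the listing from a clean boot or an offline mount. The names are also only current "as of this writing", as the page notes for the installer chain.

```python
"""Offline IOC check for the Knockex.A installer chain described above.

Added example, not F-Secure's tooling. The input formats (a .reg export and a
flat path list) and the sample data below are constructed for this example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str    # "file", "run", "service", "uninstall" or "startpage"
    where: str   # file path or registry location
    detail: str  # what the page says this indicator is


# Indicators taken from the technical details above. Everything is compared
# lower-cased because Windows paths and registry names are case-insensitive.
FILE_IOCS = {
    "cssrss.exe": "copy of Backdoor:W32/Knockex.A (name mimics the legitimate csrss.exe)",
    "nso12k.sys": "Rootkit:W32/Knockex.A driver that hides the backdoor",
    "myclearsearch\\myclearsearchsvc.exe": "Adware:W32/MyWebSearch.AF",
    "myclearsearch\\showmsg.exe": "Adware:W32/MyWebSearch.AH",
    "browserseek\\browserseek.dll": "BrowserSeek/Zwangi adware component",
    "browserseek\\browserseek.exe": "BrowserSeek/Zwangi adware component",
}
RUN_VALUE_IOCS = {"wmdm pmsp service": "Run-key launch point of the Knockex.A backdoor"}
SERVICE_IOCS = {
    "driver": "service launch point of nso12k.sys",
    "myclearsearch helper service": "MyClearSearch adware service",
    "inetupserv": "iNetMedia adware service",
    "browserseek service": "BrowserSeek adware service",
}
UNINSTALL_IOCS = {"homepage protection service", "inet", "browserseek"}
START_PAGE_IOC = "http://myclearsearch.com/"

_KEY_RE = re.compile(r"^\[(.+)\]\s*$")              # [HKEY_...\Key]
_VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')          # "Name"=data
_SERVICE_RE = re.compile(r"\\currentcontrolset\\services\\([^\\]+)$")
_UNINSTALL_RE = re.compile(r"\\currentversion\\uninstall\\([^\\]+)$")


def _unquote(data: str) -> str:
    """Turn a .reg REG_SZ data field ("C:\\\\dir\\\\x.exe") into a plain path."""
    data = data.strip()
    if data.startswith('"') and data.endswith('"'):
        data = data[1:-1]
    return data.replace("\\\\", "\\")


def scan_file_list(paths):
    """Match a flat list of file paths against the dropped-file indicators."""
    findings = []
    for path in paths:
        low = path.lower()
        for needle, detail in FILE_IOCS.items():
            # Anchor on the path separator so csrss.exe never matches cssrss.exe.
            if low.endswith("\\" + needle):
                findings.append(Finding("file", path, detail))
    return findings


def scan_reg_export(text):
    """Match a .reg export against the launch points and keys listed on the page."""
    findings, key = [], ""
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            low = key.lower()
            s = _SERVICE_RE.search(low)
            if s and s.group(1) in SERVICE_IOCS:
                findings.append(Finding("service", key, SERVICE_IOCS[s.group(1)]))
            u = _UNINSTALL_RE.search(low)
            if u and u.group(1) in UNINSTALL_IOCS:
                findings.append(Finding("uninstall", key, "adware uninstall entry"))
            continue
        v = _VALUE_RE.match(line)
        if not v:
            continue
        name, data = v.group(1), _unquote(v.group(2))
        low = key.lower()
        if low.endswith("\\currentversion\\run"):
            hit = RUN_VALUE_IOCS.get(name.lower())
            if hit is None and data.lower().endswith("\\cssrss.exe"):
                hit = "Run value pointing at the Knockex.A backdoor under another name"
            if hit:
                findings.append(Finding("run", f'{key} "{name}" = {data}', hit))
        elif (low.endswith("\\internet explorer\\main")
              and name.lower() == "start page" and data.lower() == START_PAGE_IOC):
            findings.append(Finding("startpage", f'{key} "{name}" = {data}',
                                    "IE start page changed by MyClearSearch"))
    return findings


def scan(reg_text, paths):
    """Registry findings first, then file findings."""
    return scan_reg_export(reg_text) + scan_file_list(paths)


# Constructed sample snapshot: one clean Run value and one clean file are mixed in.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMDM PMSP Service"="C:\\WINDOWS\\system32\\cssrss.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Driver]
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\nso12k.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\inetUpServ]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Homepage Protection Service]
"DisplayName"="Homepage Protection Service"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://myclearsearch.com/"
'''
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\csrss.exe",          # legitimate, must not match
    r"C:\WINDOWS\system32\cssrss.exe",
    r"C:\WINDOWS\system32\nso12k.sys",
    r"C:\Program Files\MyClearSearch\ShowMsg.exe",
    r"C:\Program Files\BrowserSeek\browserseek.dll",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_REG, SAMPLE_FILES):
        print(f"[{f.kind}] {f.where}: {f.detail}")
```

Matching the Run value by name alone would miss a variant that keeps the same payload under a different value name, so the Run-key rule also flags any value whose data points at cssrss.exe; the file rule anchors on the path separator so the legitimate csrss.exe is never reported.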





