Eng
  1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar


Backdoor.IE_Patch


Aliases:


Backdoor.IE_Patch
PHO.EXE

Malware

W32

Summary

The 'Backdoor.IE_Patch' was first reported in March 1999. The PHO.EXE is originally used to spread the backdoor (i.e. hacker's remote access tool) files, but the file name could be different. The dropper is pretending to be a broken self-extracting ZIP archive. It even has a WinZip archive icon.



Disinfection & Removal

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details

When PHO.EXE file is run it displays a messagebox with the following text:

WinZip
 Cannot open file: it does not apear to be a valid archive.
 If you downloaded this file, try downloading the file again.
 Please press F1 for help.

At the same time the dropper writes 3 files to \WINDOWS\SYSTEM directory: ADVAPI.DLL, ADVAPI32.EXE and ADVCCAPI.DLL. Then the dropper modifies SYSTEM.INI file. It adds a string 'ADVAPI.DLL' to 'DRIVERS=' string, so that ADVAPI.DLL will be run during next Windows startup.

Actually ADVAPI.DLL is only used to start ADVAPI32.EXE that will remain active all Windows session. This file is the server part of IE_Patch backdoor. It provides access to infected system for hackers having the client part of this backdoor.

Capabilities of IE_Patch backdoor include sending and receiving data (files), monitoring of existing application windows, listening to keystrokes. The backdoor has an empty e-mail form inside.





Technical Details: Alexey Podrezov, F-Secure



Submit a sample




Wondering if a file or URL is malicious? Submit a sample to our Lab for analysis via the Sample Analysis System (SAS)

Give And Get Advice




Give advice. Get advice. Share the knowledge on our free discussion forum.