F-Secure Virus Descriptions : Backdoor.IE_Patch
'Backdoor.IE_Patch' was first reported in March 1999. PHO.EXE is the
file originally used to spread the backdoor (i.e. hacker's remote
access tool) files, but the file name could be different.
The dropper pretends to be a broken self-extracting ZIP archive. It
even has a WinZip archive icon. When the PHO.EXE file is run it
displays a message box with the following text:
WinZip
Cannot open file: it does not apear to be a valid archive.
If you downloaded this file, try downloading the file again.
Please press F1 for help.
At the same time the dropper writes three files to the \WINDOWS\SYSTEM
directory: ADVAPI.DLL, ADVAPI32.EXE and ADVCCAPI.DLL. Then the
dropper modifies the SYSTEM.INI file: it adds the string 'ADVAPI.DLL'
to the 'DRIVERS=' line, so that ADVAPI.DLL will be loaded during the
next Windows startup.
ADVAPI.DLL itself is only used to start ADVAPI32.EXE, which then
remains active for the whole Windows session. This file is the server
part of the IE_Patch backdoor. It provides access to the infected
system for hackers who have the client part of this backdoor.
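A defender's check for the persistence mechanism described above (an added example, not part of the F-Secure description): it parses the DRIVERS= line of the [boot] section of a SYSTEM.INI and reports any entries, and any \WINDOWS\SYSTEM file names, that match the three dropped files. The sample INI text and directory listing are constructed; the legitimate ADVAPI32.DLL is deliberately not matched.

```python
from typing import Dict, List

# Constructed sample SYSTEM.INI content (not a real capture): the
# dropper has added ADVAPI.DLL to the [boot] DRIVERS= line.
SAMPLE_SYSTEM_INI = """[boot]
shell=Explorer.exe
drivers=mmsystem.dll ADVAPI.DLL
[386Enh]
device=*vmouse
"""

# The three files the description says the dropper writes to \WINDOWS\SYSTEM.
# Note that the legitimate Windows library is ADVAPI32.DLL, which is not listed.
IE_PATCH_DROPPED_FILES = {"ADVAPI.DLL", "ADVAPI32.EXE", "ADVCCAPI.DLL"}


def parse_boot_drivers(ini_text: str) -> List[str]:
    """Return the space-separated entries of the drivers= line in [boot]."""
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or INI comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "boot" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "drivers":
                return value.split()
    return []


def find_ie_patch_indicators(ini_text: str, system_dir_listing) -> Dict[str, List[str]]:
    """Flag DRIVERS= entries and \\WINDOWS\\SYSTEM files matching the description."""
    drivers = parse_boot_drivers(ini_text)
    suspicious_drivers = [d for d in drivers if d.upper() in IE_PATCH_DROPPED_FILES]
    present_files = sorted(f for f in system_dir_listing if f.upper() in IE_PATCH_DROPPED_FILES)
    return {"drivers": suspicious_drivers, "files": present_files}


if __name__ == "__main__":
    # Constructed directory listing: the legitimate advapi32.dll is present
    # alongside the dropped ADVAPI32.EXE.
    listing = ["advapi32.dll", "ADVAPI32.EXE", "kernel32.dll"]
    print(find_ie_patch_indicators(SAMPLE_SYSTEM_INI, listing))
```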
The capabilities of the IE_Patch backdoor include sending and receiving
data (files), monitoring existing application windows, and listening
to keystrokes. The backdoor has an empty e-mail form inside.
[Analysis: Alexey Podrezov, F-Secure]