Threat Description

Backdoor: W32/Knockex.A


Category: Malware
Type: Backdoor
Platform: W32
Aliases: Backdoor:W32/Knockex.A, Trojan-Dropper:W32/Knockex.A, Trojan-Downloader:W32/Knockex.A, Backdoor:W32/Knockex.A, Rootkit:W32/Knockex.A


A remote administration utility that bypasses normal security mechanisms to secretly control a program, computer or network.


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more assistance.

Manual removal

To remove the installed adwares, uninstall the following programs from the Windows 'Add/Remove Programs' menu:

  • "Homepage Protection Service" - uninstaller of MYCLEARSEARCH-SETUP.EXE
  • "Inet Support Services" - uninstaller of INET.EXE
  • " BrowserSeek 1.0 build 171 powered by FIRST SEARCHBAR" - uninstaller of BRAND.EXE (as of this writing)

Technical Details

Backdoor:W32/Knockex.A is a backdoor program dropped as part of the payload of a Nullsoft installer (NSIS) program detected as Trojan-Dropper:W32/Knockex.A.

The Nullsoft installer contains the following sub-installers:

  • OfferApp-2529.exe - detected either as Trojan-Downloader:W32/Knockex.A or Gen:Variant.Kazy.17250
  • OfferApp-2526.exe - detected as Spyware:W32/Inet.B

These installers will themselves install multiple installers, which in turn install malware, adware and spyware programs. Among the installed programs is Backdoor:w32/Knockex.A.

First Installer Dropped - OfferApp-2529.exe

As of this writing, the first installer dropped by Trojan-Dropper:W32/Knockex.A, OfferApp-2529.exe, downloads and executes a backdoor with rootkit capabilities. The backdoor is detected either as Backdoor:W32/Knockex.A or Trojan.Generic.KDV.171682.

Upon execution, the backdoor program drops the following files:

  • %systemdir%\cssrss.exe A copy of the downloaded backdoor program.
  • %systemdir%\nso12k.sys A rookit driver (detected either as Rootkit:W32/Knockex.A or Trojan.Downloader.Agent.ZBU) that hides the backdoor program

The backdoor program uses the following launch points:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "WMDM PMSP Service" = %systemdir%\cssrss.exe
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Driver - service launch point of nso12k.sys
Second Installer Dropped - OfferApp-2526.exe

At the same time the OfferApp-2529.exe file is downloading and executing the backdoor, the second installer file, OfferApp-2526.exe, is executing the following installers:

  • myclearsearch-setup.exeInstaller of MyWebSearch/CreativeToolbar AdwareDetected as Adware:W32/MyWebSearch.AG
  • inet.exeInstaller of iNetMedia AdwareDetected either as Spyware:W32/Inet.A or Spyware.14597
  • brand.exe Web Installer/downloader of BrowserSeek/Zwangi AdwareDetected as Adware:W32/Zwangi.O

When the installers listed are executed, their payloads are installed as separate, independent programs.

Second level of installers from OfferApp-2526.exe

myclearsearch-setup.exe The myclearsearch-setup.exe file drops the following components:

  • %programdir%\MyClearSearch\MyClearSearchSvc.exe - detected as Adware:W32/MyWebSearch.AF
  • %programdir%\MyClearSearch\ShowMsg.exe - detected as Adware:W32/MyWebSearch.AH
  • %programdir%\MyClearSearch\uninstall.exe - uninstaller component.

The myclearsearch-setup.exe file then creates the following service launch point:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MyClearSearch Helper Service

And also creates the following registry keys:

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Homepage Protection Service

During installation, the program will also modify the start page for the Internet Explorer web browser:

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Start Page" = ""


When OfferApp-2526.exe is executed, it instructs the inet.exe file installer to download a file from a remote site and install it to the path "C:\Program". During this process, the installer creates the following service launch point:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\inetUpServ

It will also create a (functional) uninstallation setting:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\inet


Brand.exe is an installer that downloads its own components from a remote site. At the time of writing, the file downloads the following components:

  • %programdir%\BrowserSeek\browserseek.dll
  • %programdir%\BrowserSeek\browserseek.exe
  • %programdir%\BrowserSeek\uninstall.exe

It creates the following service launch point:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BrowserSeek Service

And also creates the following registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BrowserSeek


Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More