Virus: BDS/PcClient.JG
Date discovered: 25/12/2005
Type: Backdoor Server
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 46.439 Bytes
MD5 checksum: 831b22781ea5f2683cf8468f489065c0
VDF version: 6.33.00.64

General
Method of propagation:
• No own spreading routine
Alias:
• Bitdefender: Backdoor.PcClient.HP
Platforms / OS:
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Drops malicious files
• Records keystrokes
• Registry modification
• Steals information
• Third party control

Files
It deletes the initially executed copy of itself.
The following files are created:
– %SYSDIR%\mesqrilw.dll
  Further investigation pointed out that this file is malware, too. Detected as: BDS/PcClient.hp.1.B
– %SYSDIR%\mesqrilw.drv
  Further investigation pointed out that this file is malware, too. Detected as: BDS/PcClient.kf.1
– %SYSDIR%\drivers\mesqrilw.sys
  Further investigation pointed out that this file is malware, too. Detected as: BDS/PcClient.hp.1.C
– %SYSDIR%\mesqrilw.log
  This file contains collected keystrokes.
It tries to execute the following file:
– Filename:
• %PROGRAM FILES%\Internet Explorer\iexplore.exe

Registry
The following registry keys are added in order to load the service after reboot:
– [HKLM\SYSTEM\CurrentControlSet\Services\mesqrilw]
• Type = 1
• Start = 2
• ErrorControl = 1
• ImagePath = %SYSDIR%\drivers\mesqrilw.sys
• DisplayName = mesqrilw
– [HKLM\SYSTEM\CurrentControlSet\Services\mesqrilw\Security]
• Security = %hex values%
– [HKLM\SYSTEM\CurrentControlSet\Services\mesqrilw\Enum]
• 0 = Root\\LEGACY_MESQRILW\\0000
• Count = 1
• NextInstance = 1
– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MESQRILW]
• NextInstance = 1
– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MESQRILW\0000]
• Service = mesqrilw
• Legacy = 1
• ConfigFlags = 0
• Class = LegacyDriver
• ClassGUID = {8ECC055D-047F-11D1-A537-0000F8753ED1}
• DeviceDesc = mesqrilw
• Capabilities = 0
The following registry key is changed so that the legitimate SENS service loads the dropped DLL instead of its own:
– [HKLM\SYSTEM\CurrentControlSet\Services\SENS\Parameters]
Old value:
• ServiceDll = %SYSDIR%\sens.dll
New value:
• ServiceDll = %SYSDIR%\mesqrilw.dll

Backdoor
Contact server:
• http://dynsev5299.2mydns.com/**********
As a result it may send information and remote control could be provided.

Injection
– It injects the following file into a process: %SYSDIR%\mesqrilw.dll
  Process name:
  • iexplorer.exe
– It injects the following file into a process: %SYSDIR%\mesqrilw.drv
  Process name:
  • iexplorer.exe

Rootkit Technology
It is a malware-specific technology. The malware hides its presence from system utilities, security applications and, in the end, from the user.
Hides the following:
– Its own files
– Its own process
– Its own registry keys
– Files that contain the substring in their filename:
  • mesqrilw.
Method used:
• Hidden from Windows API
Hooks the following API functions:
• NtDeviceIoControlFile/ZwDeviceIoControlFile
• NtEnumerateKey/ZwEnumerateKey
• NtOpenKey/ZwOpenKey
• NtQueryDirectoryFile/ZwQueryDirectoryFile
• NtQuerySystemInformation/ZwQuerySystemInformation

File details
Runtime packer: In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.
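As an added defender-side example (not part of this description or of any Avira tool), the following Python parses a .reg-style export of the two registry locations listed above and flags the SENS ServiceDll redirection and any service entry referencing the dropped mesqrilw files. The export text, key paths and function names are constructed for illustration; on a live system the same checks would run against an export taken with reg.exe from outside the infected environment, since the rootkit hooks NtEnumerateKey/NtOpenKey.

```python
import re

# Constructed sample modelled on the registry changes in the description above.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SENS\Parameters]
"ServiceDll"="C:\\WINDOWS\\system32\\mesqrilw.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mesqrilw]
"Type"=dword:00000001
"Start"=dword:00000002
"ImagePath"="C:\\WINDOWS\\system32\\drivers\\mesqrilw.sys"
"DisplayName"="mesqrilw"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog]
"ImagePath"="C:\\WINDOWS\\system32\\services.exe"
"""

SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
SENS_KEY = SERVICES + r"\SENS\Parameters"

def parse_reg_export(text):
    """Turn a .reg export into {key_path: {value_name: value}}.
    String values lose their quotes and doubled backslashes; dword values become ints."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            if raw.startswith("dword:"):
                keys[current][name.strip('"')] = int(raw[6:], 16)
            else:
                keys[current][name.strip('"')] = raw.strip('"').replace("\\\\", "\\")
    return keys

def find_indicators(keys):
    """Return (key, reason) pairs for the persistence changes this backdoor makes."""
    findings = []
    dll = keys.get(SENS_KEY, {}).get("ServiceDll", "")
    # The genuine SENS service is implemented by sens.dll in the system directory;
    # any other ServiceDll means the service has been redirected to foreign code.
    if dll and not dll.lower().endswith("\\sens.dll"):
        findings.append((SENS_KEY, "SENS ServiceDll redirected to " + dll))
    for key, values in keys.items():
        image = str(values.get("ImagePath", ""))
        if key.startswith(SERVICES + "\\") and re.search("mesqrilw", key + image, re.I):
            findings.append((key, "service references dropped file " + (image or key)))
    return findings
```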
Description inserted by Andrei Gherman on Friday, April 21, 2006 Description updated by Andrei Gherman on Friday, April 21, 2006