Categories: Backdoor

What is “Backdoor:Win32/PcClient.ZR”?

The Backdoor:Win32/PcClient.ZR is considered dangerous by lots of security experts. When this infection is active, you may notice unwanted processes in Task Manager list. In this case, it is adviced to scan your computer with GridinSoft Anti-Malware.

Gridinsoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. Allows to complete scan and cure your PC during the trial period.

DOWNLOAD NOW

6-day free trial available.

What Backdoor:Win32/PcClient.ZR virus can do?

Executable code extraction
At least one process apparently crashed during execution
Attempts to connect to a dead IP:Port (1 unique times)
Presents an Authenticode digital signature
Creates RWX memory
A process attempted to delay the analysis task.
Drops a binary and executes it
Unconventionial binary language: Chinese (Simplified)
Unconventionial language used in binary resources: Chinese (Simplified)
The binary likely contains encrypted or compressed data.
Attempts to repeatedly call a single API many times in order to delay analysis time
Installs itself for autorun at Windows startup
Checks the CPU name from registry, possibly for anti-virtualization
Checks the system manufacturer, likely for anti-virtualization
Creates a copy of itself

Related domains:

d.nxxxn.ga

r.pengyou.com

How to determine Backdoor:Win32/PcClient.ZR?


File Info:
crc32: E685ECC3md5: 71a858986dbb088913dba008e9defc56name: SQLSernsf.exesha1: 3092134cde69f46302388ea63a5a6d61561c3676sha256: 1113bff8d6e99727e0404482860b7fbfe4198196c3bc10876724af5d7af2c4besha512: ec0324a076c1bcda84f2aec1480951fa89e0fe1442f182d02fcbe9ffc2d318262768351e9c852c37208d9239caf5ac0cae0a1059dae0432b304a8eaa741f93e1ssdeep: 6144:9v5zQJVb5p72cHF1ybDFwekh212KhvwIb759QOaBjpaVRPu23E2rJmWjFc94:94VOiF1WD7kE1dTYOi8V5u23zmWFy4type: MS-DOS executable, MZ for MS-DOS
Version Info:
LegalCopyright: (C) 360.cn All Rights Reserved.InternalName: LSPFixFileVersion: 7, 1, 3, 1057CompanyName: 360.cnProductName: 360x5b89x5168x536bx58ebProductVersion: 7, 1, 3, 1057FileDescription: 360x5b89x5168x536bx58eb LSPx4feex590dx6a21x5757OriginalFilename: LSPFix.EXETranslation: 0x0804 0x04b0

Backdoor:Win32/PcClient.ZR also known as:

MicroWorld-eScan	Gen:Variant.Strictor.221168
FireEye	Generic.mg.71a858986dbb0889
CAT-QuickHeal	Trojan.Magania.18692
McAfee	GenericRXDW-XG!7348DD213AEF
Malwarebytes	Backdoor.Farfli
VIPRE	Trojan.Win32.Generic!BT
K7AntiVirus	Trojan ( 004c81771 )
BitDefender	Gen:Variant.Strictor.221168
K7GW	Trojan ( 004c81771 )
Cybereason	malicious.86dbb0
Invincea	heuristic
F-Prot	W32/S-6cc11623!Eldorado
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
GData	Gen:Variant.Strictor.221168
Kaspersky	Trojan.Win32.Agent.xabxmr
Rising	Backdoor.Farfli!8.B4 (TFE:5:bL8vVvLdNzM)
Ad-Aware	Gen:Variant.Strictor.221168
Comodo	TrojWare.Win32.Fusing.CF@5afr59
F-Secure	Heuristic.HEUR/AGEN.1042577
DrWeb	BackDoor.Farfli.96
Zillya	Trojan.Banbra.Win32.29854
McAfee-GW-Edition	GenericRXDW-XG!7348DD213AEF
Trapmine	malicious.high.ml.score
CMC	Virus.Win32.Sality!O
Emsisoft	Gen:Variant.Strictor.221168 (B)
SentinelOne	DFI – Malicious PE
Cyren	W32/S-6cc11623!Eldorado
Jiangmin	Backdoor.Farfli.cmb
Webroot	W32.Trojan.Gen
Avira	HEUR/AGEN.1042577
MAX	malware (ai score=85)
Endgame	malicious (high confidence)
Arcabit	Trojan.Strictor.D35FF0
SUPERAntiSpyware	Backdoor.PcClient/Variant
ZoneAlarm	Trojan.Win32.Agent.xabxmr
Microsoft	Backdoor:Win32/PcClient.ZR
AhnLab-V3	Malware/Win32.Generic.C2832100
Acronis	suspicious
BitDefenderTheta	Gen:NN.ZexaF.33558.xm1@aehBi2aj
ALYac	Gen:Variant.Strictor.221168
VBA32	BScope.Trojan-GameThief.Magania
Cylance	Unsafe
Zoner	Trojan.Win32.80229
ESET-NOD32	Win32/Farfli.BGG
Tencent	Malware.Win32.Gencirc.10b40de8
Yandex	Trojan.PWS.Banbra!fVil7drZyCo
Ikarus	Trojan.Win32.Farfli
Fortinet	W32/Midie.26C0!tr
AVG	Win32:Malware-gen
Avast	Win32:Malware-gen
CrowdStrike	win/malicious_confidence_80% (D)
MaxSecure	Trojan.Malware.300983.susgen