Backdoor.Farfli.AB

LOW
LOW
100-500KB
(Trojan-Spy.Win32.Pophot(KAV))

Symptoms

Presence of a service whose name and description are composed of random characters (e.g. name: ABA09ADA, description: EBC3BA9B).
Notifications from the firewall that Explorer.exe or Winlogon.exe tries to open UDP ports to listen for incoming connections, or that an executable is trying to connect to sites with suspicious names: tqzn.com, chnsystem.com, zhaoyou.com.

Removal instructions:

Please let BitDefender disinfect your files.
Manual: In the "Run" box type "services.msc", try to identify a service with the characteristics described above, double-click that line and in the dialog that appears press "Stop", then select "Disable" for "Startup type". Locate the file specified under the "Path to executable" label and delete that file.

Analyzed By

Ovidiu Visoiu, virus researcher

Technical Description:

Commonly it comes as an installer, so it can drop several files, detected by Bitdefender as adware (Adware.Cinmus) or trojan-downloaders.
It modifies the memory of Explorer.exe or Winlogon.exe in order to open UDP ports.
It copies itself to the %System% folder and launches the copy as a service. A registry key (and subkeys) is added on this occasion: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[service_name], where [service_name] is composed of random characters.
It tries to access URLs on suspicious sites: setup1.tqzn.com, gs.chnsystem.com, mokead.com, zhaoyou.com, ... (e.g. setup1.tqzn.com/[removed]/barsetup.exe?queryid=50448)
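As an added triage example (not part of the original page and not Bitdefender's own tooling), the following PowerShell script checks a machine for the two symptoms described in the Symptoms and Technical Description sections: a service with a random-looking name and description, resolved to its registry key and on-disk binary, and Explorer.exe or Winlogon.exe owning UDP listening sockets. It assumes Windows 8 or later (for Get-NetUDPEndpoint) and an elevated prompt; it only reports and changes nothing.

```powershell
# Added triage script, not Bitdefender's tooling. Read-only: it reports
# candidates and does not stop, disable or delete anything.

# Symptom 1: a service whose name and description are both random-looking
# 8-character strings (the page's examples, ABA09ADA / EBC3BA9B, are hex).
$pattern = '^[0-9A-F]{8}$'

Get-CimInstance -ClassName Win32_Service |
    Where-Object {
        $_.Name -match $pattern -and
        ($_.Description -match $pattern -or $_.DisplayName -match $pattern)
    } |
    ForEach-Object {
        # The key named in the technical description; ImagePath is the binary on disk.
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)"
        $reg = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service     = $_.Name
            Description = $_.Description
            State       = $_.State
            StartMode   = $_.StartMode
            PathName    = $_.PathName        # "Path to executable" in services.msc
            ImagePath   = $reg.ImagePath
            InSystem32  = [bool]($_.PathName -like "$env:SystemRoot\System32\*")
        }
    }

# Symptom 2: Explorer.exe or Winlogon.exe holding UDP sockets.
# Any hit should be reviewed together with the service found above.
Get-NetUDPEndpoint |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        if ($proc -and $proc.ProcessName -in @('explorer', 'winlogon')) {
            [pscustomobject]@{
                Process   = $proc.ProcessName
                ProcessId = $_.OwningProcess
                LocalAddr = $_.LocalAddress
                LocalPort = $_.LocalPort
            }
        }
    }
```

Confirm a reported service against the vendor detection before acting on it; a legitimate service can in principle carry an opaque name, and the on-disk file named in ImagePath is the one the removal instructions refer to.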