05-19-2011, 01:31 AM
Backdoor:W32/Knockex.A
Name: Backdoor:W32/Knockex.A
Detection Names : Spyware.14597
Dropped:Spyware.14597
Trojan-Dropper:W32/Knockex.A
Trojan-Downloader:W32/Knockex.A
Gen:Variant.Kazy.17250
Backdoor:W32/Knockex.A
Trojan.Generic.KDV.171682
Rootkit:W32/Knockex.A
Trojan.Downloader.Agent.ZBU
Spyware:W32/Inet.B
Adware:W32/MyWebSearch.AG
Adware:W32/MyWebSearch.AF
Adware:W32/MyWebSearch.AH
Spyware:W32/Inet.A
Adware:W32/Zwangi.O
Category: Malware
Type: Backdoor
Platform: W32
Summary
A remote administration utility that bypasses normal security mechanisms to secretly control a program, computer or network.
Disinfection
To remove the backdoor program and the other malware, allow F-Secure Anti-Virus to disinfect the relevant files.
For more general information on disinfection, please see Removal Instructions
To remove the installed adware, uninstall the following programs from the Windows 'Add/Remove Programs' menu:
"Homepage Protection Service" - uninstaller of MYCLEARSEARCH-SETUP.EXE
"Inet Support Services" - uninstaller of INET.EXE
" BrowserSeek 1.0 build 171 powered by FIRST SEARCHBAR" - uninstaller of BRAND.EXE (as of this writing)
Additional Details
Backdoor:W32/Knockex.A is a backdoor program dropped as part of the payload of a Nullsoft installer (NSIS) program detected as Trojan-Dropper:W32/Knockex.A.
The Nullsoft installer contains the following sub-installers:
OfferApp-2529.exe - detected either as Trojan-Downloader:W32/Knockex.A or Gen:Variant.Kazy.17250
OfferApp-2526.exe - detected as Spyware:W32/Inet.B
These installers in turn run further installers, which install malware, adware and spyware programs. Among the installed programs is Backdoor:W32/Knockex.A.
First Installer Dropped - OfferApp-2529.exe
As of this writing, the first installer dropped by Trojan-Dropper:W32/Knockex.A, OfferApp-2529.exe, downloads and executes a backdoor with rootkit capabilities. The backdoor is detected either as Backdoor:W32/Knockex.A or Trojan.Generic.KDV.171682.
Upon execution, the backdoor program drops the following files:
%systemdir%\cssrss.exe
A copy of the downloaded backdoor program.
%systemdir%\nso12k.sys
A rootkit driver (detected either as Rootkit:W32/Knockex.A or Trojan.Downloader.Agent.ZBU) that hides the backdoor program.
The backdoor program uses the following launch points:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"WMDM PMSP Service" = %systemdir%\cssrss.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Driver - service launch point of nso12k.sys
Second Installer Dropped - OfferApp-2526.exe
While OfferApp-2529.exe is downloading and executing the backdoor, the second installer, OfferApp-2526.exe, executes the following installers:
myclearsearch-setup.exe
Installer of MyWebSearch/CreativeToolbar Adware
Detected as Adware:W32/MyWebSearch.AG
inet.exe
Installer of iNetMedia Adware
Detected either as Spyware:W32/Inet.A or Spyware.14597
brand.exe
Web Installer/downloader of BrowserSeek/Zwangi Adware
Detected as Adware:W32/Zwangi.O
When the installers listed are executed, their payloads are installed as separate, independent programs.
Second level of installers from OfferApp-2526.exe
myclearsearch-setup.exe
The myclearsearch-setup.exe file drops the following components:
%programdir%\MyClearSearch\MyClearSearchSvc.exe - detected as Adware:W32/MyWebSearch.AF
%programdir%\MyClearSearch\ShowMsg.exe - detected as Adware:W32/MyWebSearch.AH
%programdir%\MyClearSearch\uninstall.exe - uninstaller component.
The myclearsearch-setup.exe file then creates the following service launch point:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MyClearSearch Helper Service
And also creates the following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes
HKEY_LOCAL_MACHINE\SOFTWARE\MyClearSearch
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Homepage Protection Service
During installation, the program will also modify the start page for the Internet Explorer web browser:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
"Start Page" = "http://myclearsearch.com/"
inet.exe
When OfferApp-2526.exe is executed, it instructs the inet.exe installer to download a file from a remote site and install it to the path "C:\Program". During this process, the installer creates the following service launch point:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\inetUpServ
It will also create a (functional) uninstallation setting:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\inet
Brand.exe
Brand.exe is an installer that downloads its own components from a remote site. At the time of writing, the file downloads the following components:
%programdir%\BrowserSeek\browserseek.dll
%programdir%\BrowserSeek\browserseek.exe
%programdir%\BrowserSeek\uninstall.exe
It creates the following service launch point:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BrowserSeek Service
And also creates the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\BrowserSeek
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BrowserSeek
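The following script is an added example and is not part of the F-Secure description. It checks a live Windows host for the launch points, files and registry keys listed in the sections above (the backdoor's Run value and dropped files, the driver and adware service keys, the adware directories and uninstall entries, and the hijacked Internet Explorer start page). It assumes %systemdir% is the System32 directory and %programdir% is Program Files (or Program Files (x86)); on 64-bit Windows, 32-bit installers write HKLM\SOFTWARE keys under WOW6432Node, so both registry views are checked. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not F-Secure's code): report Knockex.A indicators on a live host.
# Caveat: nso12k.sys is a rootkit driver that hides the backdoor, so an empty
# result from inside the running system is not proof of absence.

# 32-bit installers on 64-bit Windows land under WOW6432Node; check both views.
$softwareRoots = @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node')

function Get-PresentSoftwareKeys {
    param([string]$RelativePath)   # path relative to HKLM\SOFTWARE
    $softwareRoots | ForEach-Object { "$_\$RelativePath" } |
        Where-Object { Test-Path -LiteralPath $_ }
}

$findings = @()
$sysDir   = [Environment]::GetFolderPath('System')            # %systemdir%, e.g. C:\Windows\System32
$progDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |  # %programdir% candidates
            Where-Object { $_ }

# 1. Run-key launch point of the backdoor ("WMDM PMSP Service" = %systemdir%\cssrss.exe)
foreach ($key in (Get-PresentSoftwareKeys 'Microsoft\Windows\CurrentVersion\Run')) {
    $val = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'WMDM PMSP Service'
    if ($val) { $findings += "Run value 'WMDM PMSP Service' in $key = $val" }
}

# 2. Dropped files; note cssrss.exe imitates the name of the legitimate csrss.exe
foreach ($f in @("$sysDir\cssrss.exe", "$sysDir\nso12k.sys")) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

# 3. Service launch points of the rootkit driver and the bundled adware
foreach ($svc in @('Driver', 'MyClearSearch Helper Service', 'inetUpServ', 'BrowserSeek Service')) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (Test-Path -LiteralPath $key) {
        $img = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).ImagePath
        $findings += "Service key present: $svc (ImagePath: $img)"
    }
}

# 4. Adware directories, vendor keys and Add/Remove Programs entries
foreach ($base in $progDirs) {
    foreach ($d in @("$base\MyClearSearch", "$base\BrowserSeek")) {
        if (Test-Path -LiteralPath $d) { $findings += "Directory present: $d" }
    }
}
$relKeys = @(
    'MyClearSearch',
    'BrowserSeek',
    'Microsoft\Windows\CurrentVersion\Uninstall\Homepage Protection Service',
    'Microsoft\Windows\CurrentVersion\Uninstall\inet',
    'Microsoft\Windows\CurrentVersion\Uninstall\BrowserSeek'
)
foreach ($rel in $relKeys) {
    foreach ($key in (Get-PresentSoftwareKeys $rel)) { $findings += "Registry key present: $key" }
}

# 5. Hijacked Internet Explorer start page (per-user; only the current user is checked)
$ie = Get-ItemProperty -LiteralPath 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
if ($ie -and $ie.'Start Page' -eq 'http://myclearsearch.com/') {
    $findings += "IE Start Page hijacked: $($ie.'Start Page')"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Knockex.A indicators found in the live-system view.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Because the driver hides the backdoor from the running system, a negative result for items 1 to 3 should be confirmed from outside the infected OS (for example by examining the disk and the SYSTEM and SOFTWARE hives from clean boot media) before the host is considered clean; the adware entries in items 4 and 5 are not hidden and are the ones the Add/Remove Programs step above removes.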