Backdoor:W32/Knockex.A

Classification

Category :

Malware

Type :

Backdoor

Aliases :

Backdoor:W32/Knockex.A, Trojan-Dropper:W32/Knockex.A, Trojan-Downloader:W32/Knockex.A, Rootkit:W32/Knockex.A

Summary

A remote administration utility that bypasses normal security mechanisms to secretly control a program, computer or network.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

To remove the installed adware programs, uninstall the following programs from the Windows 'Add/Remove Programs' menu:

  • "Homepage Protection Service" - uninstaller of MYCLEARSEARCH-SETUP.EXE
  • "Inet Support Services" - uninstaller of INET.EXE
  • "BrowserSeek 1.0 build 171 powered by FIRST SEARCHBAR" - uninstaller of BRAND.EXE (as of this writing)

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Backdoor:W32/Knockex.A is a backdoor program dropped as part of the payload of a Nullsoft installer (NSIS) program detected as Trojan-Dropper:W32/Knockex.A.

The Nullsoft installer contains the following sub-installers:

  • OfferApp-2529.exe - detected either as Trojan-Downloader:W32/Knockex.A or Gen:Variant.Kazy.17250
  • OfferApp-2526.exe - detected as Spyware:W32/Inet.B

These installers will themselves install multiple installers, which in turn install malware, adware and spyware programs. Among the installed programs is Backdoor:W32/Knockex.A.

First Installer Dropped - OfferApp-2529.exe

As of this writing, the first installer dropped by Trojan-Dropper:W32/Knockex.A, OfferApp-2529.exe, downloads and executes a backdoor with rootkit capabilities. The backdoor is detected either as Backdoor:W32/Knockex.A or Trojan.Generic.KDV.171682.

Upon execution, the backdoor program drops the following files:

  • %systemdir%\cssrss.exe - a copy of the downloaded backdoor program
  • %systemdir%\nso12k.sys - a rootkit driver (detected either as Rootkit:W32/Knockex.A or Trojan.Downloader.Agent.ZBU) that hides the backdoor program

The backdoor program uses the following launch points:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "WMDM PMSP Service" = %systemdir%\cssrss.exe
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Driver - service launch point of nso12k.sys

Second Installer Dropped - OfferApp-2526.exe

At the same time the OfferApp-2529.exe file is downloading and executing the backdoor, the second installer file, OfferApp-2526.exe, is executing the following installers:

  • myclearsearch-setup.exe - installer of MyWebSearch/CreativeToolbar adware; detected as Adware:W32/MyWebSearch.AG
  • inet.exe - installer of iNetMedia adware; detected either as Spyware:W32/Inet.A or Spyware.14597
  • brand.exe - web installer/downloader of BrowserSeek/Zwangi adware; detected as Adware:W32/Zwangi.O

When the installers listed are executed, their payloads are installed as separate, independent programs.

Second level of installers from OfferApp-2526.exe

myclearsearch-setup.exe

The myclearsearch-setup.exe file drops the following components:

  • %programdir%\MyClearSearch\MyClearSearchSvc.exe - detected as Adware:W32/MyWebSearch.AF
  • %programdir%\MyClearSearch\ShowMsg.exe - detected as Adware:W32/MyWebSearch.AH
  • %programdir%\MyClearSearch\uninstall.exe - uninstaller component.

The myclearsearch-setup.exe file then creates the following service launch point:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MyClearSearch Helper Service

And also creates the following registry keys:

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes
  • HKEY_LOCAL_MACHINE\SOFTWARE\MyClearSearch
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Homepage Protection Service

During installation, the program will also modify the start page for the Internet Explorer web browser:

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Start Page" = "http://myclearsearch.com/"

inet.exe

When OfferApp-2526.exe is executed, it instructs the inet.exe file installer to download a file from a remote site and install it to the path "C:\Program". During this process, the installer creates the following service launch point:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\inetUpServ

It will also create a (functional) uninstallation setting:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\inet

Brand.exe

Brand.exe is an installer that downloads its own components from a remote site. At the time of writing, the file downloads the following components:

  • %programdir%\BrowserSeek\browserseek.dll
  • %programdir%\BrowserSeek\browserseek.exe
  • %programdir%\BrowserSeek\uninstall.exe

It creates the following service launch point:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BrowserSeek Service

And also creates the following registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\BrowserSeek
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BrowserSeek