This client program of a backdoor malware requires its user to enter the Internet Protocol (IP) address of the target computer, which is infected with the backdoor server program.
The hacker uses this client program, written in Delphi, to execute any or all of the following on the system infected with the server program:
- Get System Information
- Send pop up messages
- Act as a mini file browser (this includes read and write access to the files of the server.)
- Execute Files
- Process Tool
- Shutdown/Reboot/NetLogon the system
- Enable/Disable Desktop
- Enable/Disable Running Applications
- Enable/Disable Closing Windows
- Power off option for ATX systems
- Turn On/Off Num/Caps/Scroll lock lamps
- Set Mouse Location
- Show/Hide Taskbar
- Eject/Close CD Rom Drive
- Turn Power Saving On/Off
- Enable/Disable CTRL-ALT-DEL key combo
- Get screen resolution
- Determine the location of Windows directories
When the server component of this backdoor malware executes, it copies itself to a "VScan.EXE" file in the Windows System directory. It then creates a registry entry as follows so that it executes upon Windows startup:
Thereafter, it stays resident in memory as a service process so that it is not seen in the Task Manager that pops up when the infected user presses the Ctrl-Alt-Delete keys.
The server component waits for commands to execute and sends data at port 1386.
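The three host and network indicators given above (the dropped VScan.EXE in the Windows System directory, an autorun registry entry, and a listener on port 1386) can be matched by a short triage script. The following is an added example written for this page, not code from the original description; it runs on constructed sample data rather than a live machine. The registry key path in the sample is an assumption (the description does not say which key is used), and the netstat-style lines are constructed to show one listening socket and one established session on the backdoor port.

```python
import re
from typing import Dict, List

# Indicators taken from the description above
DROPPED_FILE = "vscan.exe"      # copied into the Windows System directory
LISTEN_PORT = 1386              # port on which the server component waits for commands

# Constructed sample: autorun values as exported by an administrator (value path -> command).
# The Run key path is an assumption; the page only says a startup entry is created.
SAMPLE_AUTORUN_VALUES: Dict[str, str] = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VScan": r"C:\WINDOWS\SYSTEM\VScan.EXE",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Sound": r'"C:\Program Files\Audio\sndmon.exe" /tray',
}

# Constructed sample of `netstat -an` output lines
SAMPLE_NETSTAT_LINES: List[str] = [
    "  TCP    0.0.0.0:135        0.0.0.0:0        LISTENING",
    "  TCP    0.0.0.0:1386       0.0.0.0:0        LISTENING",
    "  TCP    192.168.1.5:1386   10.0.0.7:4412    ESTABLISHED",
    "  UDP    0.0.0.0:137        *:*",
]

# First token of a command line: either a quoted path or an unquoted run of non-space characters
EXE_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')
# netstat line: proto, local ip, local port, remote endpoint, optional state
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S+)?")


def executable_of(command: str) -> str:
    """Return the executable path launched by an autorun command line."""
    m = EXE_RE.match(command)
    if not m:
        return ""
    return m.group(1) or m.group(2)


def flag_autorun_values(values: Dict[str, str]) -> List[str]:
    """Return autorun value paths whose command launches the dropped backdoor file."""
    return [
        name for name, command in values.items()
        if executable_of(command).lower().endswith(DROPPED_FILE)
    ]


def find_port_activity(lines: List[str], port: int = LISTEN_PORT) -> List[Dict[str, str]]:
    """Parse netstat-style lines and return the TCP sockets whose local port is `port`."""
    found = []
    for line in lines:
        m = NETSTAT_RE.match(line)
        if not m or m.group(1) != "TCP":
            continue
        _, local_ip, local_port, remote, state = m.groups()
        if int(local_port) != port:
            continue
        found.append({"local": f"{local_ip}:{local_port}", "remote": remote, "state": state or ""})
    return found


def triage(values: Dict[str, str], netstat_lines: List[str]) -> Dict[str, object]:
    """Combine both checks; 'suspicious' is true if either indicator matches."""
    autorun_hits = flag_autorun_values(values)
    port_hits = find_port_activity(netstat_lines)
    return {
        "autorun": autorun_hits,
        "port": port_hits,
        "suspicious": bool(autorun_hits or port_hits),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_AUTORUN_VALUES, SAMPLE_NETSTAT_LINES)
    for name in result["autorun"]:
        print(f"autorun entry launches {DROPPED_FILE}: {name}")
    for sock in result["port"]:
        print(f"port {LISTEN_PORT} {sock['state']}: {sock['local']} <-> {sock['remote']}")
```

An established session on the port, in addition to the listener, is the more useful signal for incident response, since it shows a client is actively connected; the `remote` field is what you would carry into firewall logs to scope the activity.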