AnySpyware WinAssic.exe
Analysis

Backdoor.PCO

A relatively new backdoor is circulating, one with an interesting bug in its implementation. Backdoor.Win32.VB.aqc tries to hide from Task Manager by constantly modifying it in user space. Being a VB backdoor with no driver, its power is limited, so it uses a quick hack!

What's MOST interesting is the neat little trick I found: simply hold down F5 in Task Manager to reveal the trojan!

See it now! A stealth trojan in action! This is probably the best little demo I've seen showing a stealth trojan at work.

Part 1 (1.90MB) - the trojan appearing when you hold F5! Not the most stealthy or well executed trojan, is it.. enjoy :)

Part 2 (5.42MB) - ProcessGuard is stopping it modifying Task Manager

Part 3 (6.06MB) - the trojan disappearing when you disable PG, but you can find it with F5

Part 4 (1.60MB) - after holding F5 and looking, use taskkill.exe /pid xxx where xxx is the PID you can see, just look carefully.

In programming terms, the above happens because of what is called a race condition. Two threads are racing: one to get a handle to process 540, the other to hide itself. Eventually you kill the trojan. TrojanHunter detects this as PCO.150 and removes it from memory regardless of its attempts to hide. KAV also quickly detected it as Backdoor.Win32.VB.aqc, and other scanners detected it too:

File: server.exe
Status: INFECTED/MALWARE
MD5 6df2890122df599e91afad469caace2b
Packers detected: FSG
Scanner results
AntiVir Found Backdoor-Server/VB.aqc backdoor
ArcaVir Found Trojan.Vb.Aqc
Avast Found nothing
AVG Antivirus Found BackDoor.Generic2.GKW
BitDefender Found Backdoor.Vb.AQC
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found W32/Backdoor.JXF
Fortinet Found W32/VB.A!bdr
Kaspersky Anti-Virus Found Backdoor.Win32.VB.aqc
NOD32 Found probably unknown NewHeur_PE (probable variant)
Norman Virus Control Found W32/VBDoor.IQ
UNA Found nothing
VirusBuster Found Backdoor.VB.EIG
VBA32 Found Backdoor.Win32.VB.aqc

Some interesting results..
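
The F5 race described above can be put into numbers with a small deterministic model. This is an added example, not code from the original page or from the trojan; the 150 ms hiding period, the 2000 ms automatic refresh and the 33 ms refresh interval while F5 is held are assumptions chosen for illustration.

```python
"""Model of the Task Manager refresh-vs-hide race (added example).

Assumptions, not measured from the sample: the hiding loop removes the
row every HIDE_MS, Task Manager redraws on its own every 2000 ms, and
holding F5 forces a redraw about every 33 ms (keyboard auto-repeat).
"""

HIDE_MS = 150               # assumed period of the trojan's hiding loop
AUTO_REFRESH_MS = 2000      # assumed automatic update interval
F5_HELD_REFRESH_MS = 33     # assumed redraw interval while F5 is held


def simulate(refresh_ms, hide_ms=HIDE_MS, duration_ms=60_000):
    """Return (fraction of time the row is on screen, longest glimpse in ms)."""
    visible = False
    visible_ms = longest = run = 0
    for t in range(duration_ms):            # 1 ms ticks
        if t and t % refresh_ms == 0:
            visible = True                  # refresh re-lists the process
        if t % hide_ms == 0:
            visible = False                 # hiding loop removes the row, wins ties
        if visible:
            visible_ms += 1
            run += 1
            longest = max(longest, run)
        else:
            run = 0
    return visible_ms / duration_ms, longest


if __name__ == "__main__":
    cases = (("automatic refresh", AUTO_REFRESH_MS),
             ("F5 held down", F5_HELD_REFRESH_MS))
    for label, refresh in cases:
        frac, longest = simulate(refresh)
        print(f"{label:18s} row visible {frac:6.1%} of the time, "
              f"longest glimpse {longest} ms")
```

Under these assumptions the row is on screen for a small fraction of the time with the automatic refresh and for most of the time with F5 held, but never longer than one hiding period at a stretch, which is why the PID has to be read carefully.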

