Backdoor.Pihar
Thorough tests show that Backdoor.Pihar will infect Master Boot Record of the computer and leads to the instability of Windows operation.
Backdoor.Pihar is a Trojan that may infect master boot record (MBR) of the target computer. Symantec and other anti-virus applications may detect the compromised MBR as Boot.Pihar. To allow remote unauthorized access, Backdoor.Pihar will open a backdoor and accepts commands from an attacker.
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Windows Vista, Windows 7
Characteristics
When running inside the computer, Backdoor.Pihar creates a couple of random files using random hexadecimal characters. It also modifies various registry entries to lessen Internet browser’s security settings.
To run itself on Windows start-up, Backdoor.Pihar will add a registry entry that calls the Trojan during boot-up. Additionally, it will inject malicious code to master boot record (MBR) to achieve similar objective. The infected master boot record can be identified as Boot.Pihar.
Lastly, this Trojan will communicate to predefined web site address and accept remote commands through backdoor. It may contact any of the following web sites.
- bing-redirect.com
- hellodolly2.com
- hellokitty2.com
- kordelashop.com
- ns1google.com
- wooody27.com
Distribution
The Trojan may arrive on a computer in a number of schemes and that may include the following:
- Integrate a comment containing malicious links to unmanaged web sites and forums. The link aims to point user to a web site hosting the Trojan.
- It sends anonymous messages or postings to social networking sites. Again, the post includes a link to send user to a compromised web address.
- Malicious code is planted on pages of legitimate web sites that unexpectedly download the Trojan to visitor’s computer. This technique uses an SQL injection to attack any sites with known security vulnerability.
- Lastly, attackers behind Backdoor.Pihar use an unsecured file-sharing network to spread a copy of itself that are usually embedded on shareware applications. Downloading and executing the free program silently installs the Trojan without user’s notice.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_(Random Characters)Associated Files and Folders:
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\(Random Characters).tmp %Windir%\Temp\(Random Characters).tmp
How to Remove Backdoor.Pihar
1. Temporarily Disable System Restore (Windows Me/XP). [how to]
2. To be able to identify even the most recent variant of Backdoor.Pihar, open your antivirus application and update the virus definition file.
3. Start Windows in Safe Mode with Networking.
- From a power-off state, turn on the computer and press F8 on your keyboard repeatedly.
- Your computer will display Windows Advanced Boot Options menu. Please select Safe Mode with Networking.
- The system will now boot Windows and loads only necessary drivers and files.
4. Open your antivirus program and run a full system scan. After the scan, delete all infected items. If unable to delete, better place them in quarantine. Once the scan is complete, please proceed with the next step.
Scan with Norton Power Eraser:
Additional virus removal tool like Norton Power Eraser provides deep scanning technology to eliminate other threats not detected by a normal virus scan. Use this tool with extra caution.
5. Go to this link and download Norton Power Eraser.
6. Once the download completes, double click on the file NPE.exe to run the program.
7. It will prompt for End User License Agreement, click on Accept to continue.
8. On NPE main window, click on Scan. Then select Exclude Rootkit Scan. Click on Continue to proceed.
9. Virus scanning may take some time. After running the scan, NPE will display the scan result.
Important! If there are any detected threats under Suspicious, remove the check mark. Only threats in Detected category are necessary to remove at this point. Make sure that you mark the Create System Restore Point before proceeding with the fix.
10. Now click on Fix to start removing the threats including Backdoor.Pihar remnants if there are any.
11. When done, Norton Power Eraser will restart the computer. Then after a reboot, it will initialize and display the eliminated threats.
12. You may now close Norton Power Eraser.