Virus Profile: BackDoor-FCNC

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 2/18/2015
Date Added: 2/22/2015
Origin: Unknown
Length: Varies
Type: Trojan
Subtype: Adware
DAT Required: 7718

Description

BackDoor-FCNC, a.k.a. SuperFish, is a family of adware that installs a self-signed certificate in the local trusted root CA store of an infected computer. It intercepts HTTP(S) traffic in order to serve advertisements.
Superfish is a company that makes a product known as Visual Discovery. Certain versions of this product leave systems vulnerable to man-in-the-middle attacks.
Please use the following standalone tools to help mitigate this infection:
  • Custom Stinger-32Bit
  • Custom Stinger-64Bit

    Indication of Infection

    • Open Certificate Manager: click the Start button on a Windows machine, type certmgr.msc into the Search box, and select "Trusted Root Certification Authorities" --> "Certificates". Look for a certificate whose "Issued To" and "Issued By" entries both read "Superfish, Inc.".
    • When visiting websites over HTTPS, if you view the site's certificate you may see a message such as "Website Identification: Superfish, Inc. has identified this site as: {original website/company name}".

    Methods of Infection

    Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email spam, etc.

    Virus Characteristics

    The Superfish root certificate may be used by malware to create certificates for any domain that a browser will then trust. This leaves user machines vulnerable to information snooping.
    The following are system changes that are observed for an infected system:
    ----------------------------------
    Keys added
    ----------------------------------
    • HKLM\SOFTWARE\Classes\AppID\VisualDiscovery.exe
    • HKLM\SOFTWARE\Classes\AppID\{AD063C0E-0FE1-4772-B29B-679ACE94818F}
    • HKLM\SOFTWARE\Classes\Interface\{0FCE4F01-64EC-42F1-83E1-1E08D38605D2}
    • HKLM\SOFTWARE\Classes\Interface\{1A2A195A-A0F9-4006-AF02-3F05EEFDE792}
    • HKLM\SOFTWARE\Classes\Interface\{2D9DB233-DC4B-4677-946C-5FA5ABCF506B}
    • HKLM\SOFTWARE\Classes\Interface\{2E5FA7B4-61A2-4662-BBCE-62BBB20FC649}
    • HKLM\SOFTWARE\Classes\Interface\{3AE76A17-C344-4A83-81CE-65EFEE41E42D}
    • HKLM\SOFTWARE\Classes\Interface\{4C0A69B0-CE97-42B7-86FC-08280C99C74D}
    • HKLM\SOFTWARE\Classes\Interface\{4E9EB4D5-C929-4005-AC62-1856B1DA5A24}
    • HKLM\SOFTWARE\Classes\Interface\{5D7F05E3-075A-43AF-8BC7-21E2F7F38845}
    • HKLM\SOFTWARE\Classes\Interface\{617E26CE-E6E1-4C75-A68A-A001F2B98491}
    • HKLM\SOFTWARE\Classes\Interface\{79FBDBEA-A722-4ABD-BEC0-B7D463F6BA0E}
    • HKLM\SOFTWARE\Classes\Interface\{8128586C-DF69-4266-873F-CF4C6F705A7C}
    • HKLM\SOFTWARE\Classes\Interface\{8FAF962C-3EDE-405E-B1D0-62B8235C6044}
    • HKLM\SOFTWARE\Classes\Interface\{C1F5E799-B218-4C32-B189-3C389BA140BB}
    • HKLM\SOFTWARE\Classes\Interface\{C1F9CFCE-A7DC-4072-8B31-1DEA57004C86}
    • HKLM\SOFTWARE\Classes\Interface\{EA4AD895-2A7F-430E-B973-DEE6C4E743A9}
    • HKLM\SOFTWARE\Classes\Interface\{EBF4B60F-A863-426F-BE6F-5DFE83BC574F}
    • HKLM\SOFTWARE\Classes\Interface\{F60C9408-3110-4C98-A139-ABE1EE1111DD}
    • HKLM\SOFTWARE\Classes\TypeLib\{CB6BF8B6-E12B-42FA-A478-91BCCDE475DC}
    • HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{02966FA9-C01A-47E7-A169-C83AEA1FB0BA}
    • HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{05FF6A00-76A3-4AA1-A9A4-A782152ABE60}
    • HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{10A7F29D-4B00-40EC-B07D-8616DF8135E6}
    • HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{4EECDED2-40FB-4500-85B4-86FB0EBECA68}
    • HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{533403E2-6E21-4615-9E28-43F4E97E977B}
    • HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{5780633B-414C-446F-8EB2-FF1C9A731C99}
    • HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{70C7334A-66D9-46DE-A4E2-6B923C7DB94E}
    • HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{9AD5C084-B6E6-456A-8BA2-A559663780E5}
    • HKLM\SOFTWARE\Classes\Wow6432Node\AppID\VisualDiscovery.exe
    • HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataContainer
    • HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataTable
    • HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataTable.1
    • HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataTableFields
    • HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataTableFields.1
    • HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataTableHolder
    • HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataTableHolder.1
    • HKLM\SOFTWARE\Classes\VisualDiscoveryLib.LSPLogic
    • HKLM\SOFTWARE\Classes\VisualDiscoveryLib.LSPLogic.1
    • HKLM\SOFTWARE\Classes\VisualDiscoveryLib.ReadOnlyManager
    • HKLM\SOFTWARE\Classes\VisualDiscoveryLib.ReadOnlyManager.1
    • HKLM\SOFTWARE\Classes\VisualDiscoveryLib.ReadOnlyManager.1\CLSID
    • HKLM\SOFTWARE\Classes\VisualDiscoveryLib.WFPController
    • HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C864484869D41D2B0D32319C5A62F9315AAF2CBD
    • HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Superfish Inc. VisualDiscovery
    • HKLM\SOFTWARE\Wow6432Node\Microsoft\SystemCertificates\ROOT\Certificates\C864484869D41D2B0D32319C5A62F9315AAF2CBD
    • HKLM\SOFTWARE\Wow6432Node\Classes\AppID\VisualDiscovery.exe
    • HKLM\SOFTWARE\Wow6432Node\Classes\AppID\{AD063C0E-0FE1-4772-B29B-679ACE94818F}
    • HKLM\SOFTWARE\Wow6432Node\Classes\TypeLib\{CB6BF8B6-E12B-42FA-A478-91BCCDE475DC}
    • HKLM\SOFTWARE\Wow6432Node\Classes\TypeLib\{CB6BF8B6-E12B-42FA-A478-91BCCDE475DC}\1.0
    • HKLM\SOFTWARE\Wow6432Node\Classes\TypeLib\{CB6BF8B6-E12B-42FA-A478-91BCCDE475DC}\1.0\0
    • HKLM\SOFTWARE\Wow6432Node\Classes\TypeLib\{CB6BF8B6-E12B-42FA-A478-91BCCDE475DC}\1.0\0\win32
    • HKLM\SOFTWARE\Wow6432Node\Classes\TypeLib\{CB6BF8B6-E12B-42FA-A478-91BCCDE475DC}\1.0\FLAGS
    • HKLM\SOFTWARE\Wow6432Node\Classes\TypeLib\{CB6BF8B6-E12B-42FA-A478-91BCCDE475DC}\1.0\HELPDIR
    • HKLM\SOFTWARE\Wow6432Node\Lenovo
    • HKLM\SOFTWARE\Wow6432Node\Lenovo\VisualDiscovery
    • HKLM\SOFTWARE\Wow6432Node\Superfish Inc. VisualDiscovery
    • HKLM\SOFTWARE\Wow6432Node\VisualDiscovery
    • HKLM\SYSTEM\ControlSet001\Control\Nsi\{eb004a00-9b1a-11d4-9123-0050047759bc}\30
    • HKLM\SYSTEM\ControlSet001\Control\Nsi\{eb004a01-9b1a-11d4-9123-0050047759bc}\30
    • HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\VDWFP
    • HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\VisualDiscovery
    • HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\AppId_Catalog\04DFEB75
    • HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\AppId_Catalog\221F0C44
    • HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\AppId_Catalog\24A07D25
    • HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\AppId_Catalog\2A49FDCC
    • HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\AppId_Catalog\2C9A5390
    • HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\AppId_Catalog\2F5EA4CA
    • HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\AppId_Catalog\31B4C347
    • HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\AppId_Catalog\3A57D8D3
    • HKLM\SYSTEM\ControlSet001\Services\VDWFP
    • HKLM\SYSTEM\ControlSet001\Services\VisualDiscovery
    • HKLM\SYSTEM\CurrentControlSet\Control\Nsi\{eb004a00-9b1a-11d4-9123-0050047759bc}\30
    • HKLM\SYSTEM\CurrentControlSet\Control\Nsi\{eb004a01-9b1a-11d4-9123-0050047759bc}\30
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\VDWFP
    • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\VisualDiscovery
    • HKLM\SYSTEM\CurrentControlSet\Services\VDWFP
    • HKLM\SYSTEM\CurrentControlSet\Services\VisualDiscovery

    ----------------------------------
    Files added: 99
    ----------------------------------
    • C:\Program Files (x86)\Lenovo\VisualDiscovery\freebl3.dll
    • C:\Program Files (x86)\Lenovo\VisualDiscovery\libnspr4.dll
    • C:\Program Files (x86)\Lenovo\VisualDiscovery\libplc4.dll
    • C:\Program Files (x86)\Lenovo\VisualDiscovery\libplds4.dll
    • C:\Program Files (x86)\Lenovo\VisualDiscovery\nss3.dll
    • C:\Program Files (x86)\Lenovo\VisualDiscovery\nssckbi.dll
    • C:\Program Files (x86)\Lenovo\VisualDiscovery\nssdbm3.dll
    • C:\Program Files (x86)\Lenovo\VisualDiscovery\nssutil3.dll
    • C:\Program Files (x86)\Lenovo\VisualDiscovery\Run.exe
    • C:\Program Files (x86)\Lenovo\VisualDiscovery\smime3.dll
    • C:\Program Files (x86)\Lenovo\VisualDiscovery\softokn3.dll
    • C:\Program Files (x86)\Lenovo\VisualDiscovery\sqlite3.dll
    • C:\Program Files (x86)\Lenovo\VisualDiscovery\ssl3.dll
    • C:\Program Files (x86)\Lenovo\VisualDiscovery\SuperfishCert.dll
    • C:\Program Files (x86)\Lenovo\VisualDiscovery\uninstall.exe
    • C:\Program Files (x86)\Lenovo\VisualDiscovery\VDWFP.sys
    • C:\Program Files (x86)\Lenovo\VisualDiscovery\VDWFP64.sys
    • C:\Program Files (x86)\Lenovo\VisualDiscovery\VDWFPInstaller.exe
    • C:\Program Files (x86)\Lenovo\VisualDiscovery\VisualDiscovery.exe
    • C:\Program Files (x86)\Lenovo\VisualDiscovery\VisualDiscovery.tlb
    • C:\Windows\System32\drivers\VDWFP64.sys

    ----------------------------------
    Folders added: 2
    ----------------------------------
    • C:\Program Files (x86)\Lenovo
    • C:\Program Files (x86)\Lenovo\VisualDiscovery
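As an added example that is not part of this profile, the following PowerShell triage script consolidates the Indication of Infection check above (the Superfish root certificate) with the registry keys, files and services from the Virus Characteristics list. It only reads state, assumes the default install path under Program Files (x86), and uses the subject-name fallback as an assumption in case a build carries a differently keyed certificate.

```powershell
# Added example, not part of the McAfee profile: a read-only PowerShell triage
# check for the Superfish artifacts listed above. Run from an elevated prompt.
# The key name under SystemCertificates\ROOT\Certificates is the certificate's
# SHA-1 thumbprint, so the same value identifies the cert in the Root store.
$SuperfishThumbprint = 'C864484869D41D2B0D32319C5A62F9315AAF2CBD'
$findings = New-Object System.Collections.Generic.List[string]

# 1. Trusted Root store: match by thumbprint, and by subject as a fallback
#    (assumption: other builds may carry a differently keyed certificate).
Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $SuperfishThumbprint -or $_.Subject -match 'Superfish' } |
    ForEach-Object { $findings.Add("Root CA cert: $($_.Subject) [$($_.Thumbprint)]") }

# 2. Registry keys from the "Keys added" list.
$regKeys = @(
    "HKLM:\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\$SuperfishThumbprint",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\SystemCertificates\ROOT\Certificates\$SuperfishThumbprint",
    'HKLM:\SOFTWARE\Wow6432Node\Superfish Inc. VisualDiscovery',
    'HKLM:\SOFTWARE\Wow6432Node\Lenovo\VisualDiscovery',
    'HKLM:\SYSTEM\CurrentControlSet\Services\VisualDiscovery',
    'HKLM:\SYSTEM\CurrentControlSet\Services\VDWFP'
)
foreach ($key in $regKeys) {
    if (Test-Path -LiteralPath $key) { $findings.Add("Registry key: $key") }
}

# 3. Files and the kernel driver from the "Files added" list (default install path assumed).
$files = @(
    "${env:ProgramFiles(x86)}\Lenovo\VisualDiscovery\VisualDiscovery.exe",
    "${env:ProgramFiles(x86)}\Lenovo\VisualDiscovery\SuperfishCert.dll",
    "$env:SystemRoot\System32\drivers\VDWFP64.sys"
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings.Add("File: $f") }
}

# 4. Live state: the user-mode service and the VDWFP driver.
$svc = Get-Service -Name 'VisualDiscovery' -ErrorAction SilentlyContinue
if ($svc) { $findings.Add("Service VisualDiscovery: $($svc.Status)") }
$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='VDWFP'"
if ($drv) { $findings.Add("Driver VDWFP: $($drv.State)") }

if ($findings.Count -eq 0) {
    Write-Output 'No BackDoor-FCNC / Superfish artifacts found.'
} else {
    Write-Output "BackDoor-FCNC / Superfish artifacts found ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

A hit on the root certificate alone is sufficient to treat the host as exposed to interception, even if the installer's files and services have already been removed.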

    Removal Instructions

    All Users:
    Use current engine and DAT files for detection and removal.

    Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).
