New backdoor bypasses Windows User Account Control & performs key logging

 The infectious BackDoor.Saker.1 is the spreading malware that intercepts input data from the keyboard and is capable of bypassing the Windows User Account Control (UAC). The Russian anti-virus company Dr.Web has warned the users about BackDoor.Saker.1 whose main function is – to execute directives coming from hackers and infiltrators and to intercept keys pressed by the user.


Bringing the system to an infected state, the Trojan launches the file temp.exe so as to bypass the User Account Control. Bypassing is achieved by .exe file that extracts a library and adds it code into the process explorer.exe after which the library is saved into a system folder. Thereafter now when system utility Sysprep is started, the library simultaneously launches a malicious application called as ps.exe.

Doctor Web anti-virus detects this as Trojan.MulDrop4.61259. In turn, this file saves another library to a different folder. The library file is registered in the Windows Registry as a service with the name “Net Security Service” and the following description: “keep watch on system security and configuration. If this service is stopped, protected content might not be down loaded to the device”. This library contains the main backdoor payload.

As the system is now fully infected, the Trojan, BackDoor.Saker.1, now starts gathering information about the system and details like the Windows version, CPU frequency, available RAM, computer name, user login and the hard disk serial number is transmitted to the intruders. Next, the Trojan now creates a file in the system folder into which user keystrokes are logged.

Now with all preparations done, Backdoor.Saker.1 awaits a response from a remote server, which may involve commanding the backdoor to reboot, shut down, remove itself, start a separate thread to execute commands via a shell, or to run its own file manager which can upload files from an infected machine, download files via the network, create and delete folders, and move and run files.

At its website, Dr.Web mentions, that the threat’s signature is already added to its virus database, thus computers with Doctor Web anti-viruses are protected from BackDoor.Saker.1.

Posted by with Tags
Ankit Gupta is a writer by profession and has more than 7 years of global writing experience on technology and other areas. He follows technological developments and likes to write about Windows & IT security. He has a deep liking for wild life and has written a book on Top Tiger Parks of India.


  1. Dan

    Thank you for very much for advising about this thieving malware; does it spread via downloads, scripts on sites, or otherwise?

  2. Ankit Gupta

    Yes, please ensure that you have updated antivirus protecting your PC. Also avoid downloading from untrusted websites that may in turn install such malware into your system.

  3. Brian

    Hello, can you sahre the hash of the malware, thanks

  4. Ankit Kumar Gupta

    Hi Brian,

    Currently i don’t have it. If I get it I will certainly share. Thanks

Leave a Reply

Your email address will not be published. Required fields are marked *

7 + 9 =