Fake Cain XPii Cleaner App Is Actually a Backdoor with Very Annoying Features

Share this…

If you ask any malware analyst these days, they’ll tell you they come across countless of useless or unfinished malware variants on a daily basis.

One of the latest, and probably the weirdest was uncovered yesterday by GData malware analyst Karsten Hahn, who came across a fake cleaner app called CainXPiiCleaner, which exhibited some odd features.

When ran, the malware will connect to a URL hardcoded in the program and download the contents of the web page.  The URL currently used by the malware is “http//ni565894_1.vweb16.nitrado[.]net/site.html”, but it has been suspended by the ISP. When the site was live, it would contain a list of commands that the malware would download and execute one-by-one.

Based on an analysis of its source code and by using the Fiddler autoresponder feature to make it seem like the site will still operational and providing commands, Lawrence Abrams of BleepingComputer.com was able to test each command and their functionality.

A breakdown of these instructions and their odd actions is listed below.

werbung – Spams the desktop with fake ads for adult sites, hamburgers, and others. Werbung is German for “advertising.”

werbung command

spam – Spams the desktop with message boxes that state “Schwerwiegender Windows-Fehler!!!”. This text translates from German as “Serious Windows error”.

spam command

kill – Starts a process called kill.exe. Unknown what that does.

assoc – Associates all EXE files with the malware’s executable so that anytime the user launches an EXE file, it also launches the malware.

delete – Deletes everything on the Desktop.

startup – Configures an autostart to start the malware on login.

msgbox – Spams the screen with message boxes that state “dein System hat bereits einen schweren Schaden erlitten! Um den Fehler zu beheben kontaktiere CainXPii auf Skype um dein PC inerhalbweniger minuten zu reparieren”. This translated from German as “Your system has already suffered a serious damage! To resolve the error, contact CainXPii on Skype to repair your PC in minutes”.

msgbox command

kaufen – Shows a fake product page for the CainXPiiCleaner and payment options. Kaufen is German for “buy.”
Cain XPii Cleaner app
CainXPiiCleaner app, buy options
CainXPiiCleaner app, buy options
quit – Closes the program.

desktop – Starts a Spam.exe process. Unknown what that does.

mouse – Does nothing at this time.

roast – Kills the CPU by performing multiple while loops at the same time.

CPU roast

CPU roast on Task Manager

fucker – Starts new threads over and over again that execute the c:\Windows\System32\write.exe command, which opens Wordpad. Quickly makes the computer unusable.

fucker command

music – Constantly spams the desktop with message boxes and pictures of a kid crying.

music command

All clues point to this being a future trojan, currently in development, capable of opening fully-functional backdoors on infected systems, most likely for delivering unwanted ads. At this time, current versions of this malware won’t work because the URL it needs to connect is down and returns a 404 error. Speaking to Bleeping Computer, Hahn shares the same opinion, of this being an unfinished threat.

“The malware does not check if there is an Internet connection or if the website works, so it just crashes,” Hahn told Bleeping Computer.

“There is a small screen indicating that the malware is running with the title ‘infect’,” Hahn also added. “You see it in the upper left corner. It looks like this is there for test purposes. So the author knows everything works.”

Popup showing malware status
Popup showing malware status (Source: Payload Security)

Because the malware seems to be a work-in-progress and it’s C&C server is down, it’s very likely that its author isn’t distributing this through spam or other means. If he did, we pity the poor souls that have to endure its annoying popups and CPU-killing features.