How to Prevent and Remove the Packed.Win32.Black.a

How to Prevent and Remove the Backdoor.Win32.Xyligan.bpc

1. What is the Backdoor.Win32.Xyligan.bpc

Backdoor.Win32.Xyligan.bpc is a type of backdoor virus that can provide an attacker with access to, and control of, an infected computer. Backdoor.Win32.Xyligan.bpc is a PE executable. Usually, Backdoor.Win32.Xyligan.bpc may be packed with UPX, Unpacked, the code size is 710kb. Normally, Backdoor.Win32.Xyligan.bpc is spreaded through a website, or even via instant Messengers (IM) such Yahoo, MSN, Skype and ICQ.

When Backdoor.Win32.Xyligan.bpc is started, it copies itself as a file named something similar to “Hacker.com.cn.exe” in the Windows System folder and then uses the following processes to make Backdoor.Win32.Xyligan.aeu itself to look like a valid Windows program.

Alias: Downloader [Symantec], Backdoor.Win32.Xyligan [Ikarus]

2.Technical Details:

a. The following files were created in the system:

No.	Filename	Size
1	%Temp%\bgrfyw.exe %System%\uusmuk.exe	69,814 bytes
2	%ProgramFiles%\Common Files\ccuwco.exe	0 bytes
3	%ProgramFiles%\Common Files\xkjtks.exe	0 bytes
4	[file and pathname of the sample #1]	372,950 bytes
5	%System%\wbem\Performance\WmiApRpl_new.ini	924 bytes

Notes:
- %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
- %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
- %ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.

b. Memory Modifications

There were new processes created in the system:

Process Name	Process Filename	Main Module Size
bgrfyw.exe	%Temp%\bgrfyw.exe	66,464 bytes
uusmuk.exe	%System%\uusmuk.exe	66,464 bytes
xkjtks.exe	%ProgramFiles%\common files\xkjtks.exe	73,728 bytes
ccuwco.exe	%ProgramFiles%\common files\ccuwco.exe	73,728 bytes
sagkos.exe	%Temp%\sagkos.exe	73,728 bytes

There were new services created in the system:

Service Name	Display Name	Status	Service Filename
rcmdsvc	Remote Command Service	"Running"	%System%\uusmuk.exe
Nationalnew	Nationalljs Instruments Domain Service	"Running"	%ProgramFiles%\Common Files\\xkjtks.exe
Nationalfld	Nationaluko Instruments Domain Service	"Running"	%ProgramFiles%\Common Files\\ccuwco.exe

c. Registry Modifications

The following Registry Keys were created:
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\msvideo
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NATIONALFLD
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NATIONALFLD\0000
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NATIONALFLD\0000\Control
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NATIONALNEW
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NATIONALNEW\0000
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NATIONALNEW\0000\Control
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RCMDSVC
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RCMDSVC\0000
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RCMDSVC\0000\Control
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Nationalfld
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Nationalfld\Security
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Nationalfld\Enum
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Nationalnew
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Nationalnew\Security
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Nationalnew\Enum
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rcmdsvc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rcmdsvc\Security
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rcmdsvc\Enum
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NATIONALFLD
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NATIONALFLD\0000
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NATIONALFLD\0000\Control
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NATIONALNEW
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NATIONALNEW\0000
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NATIONALNEW\0000\Control
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RCMDSVC
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RCMDSVC\0000
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RCMDSVC\0000\Control
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nationalfld
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nationalfld\Security
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nationalfld\Enum
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nationalnew
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nationalnew\Security
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nationalnew\Enum
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rcmdsvc
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rcmdsvc\Security
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rcmdsvc\Enum

The newly created Registry Values are:
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NATIONALFLD\0000\Control]
  - *NewlyCreated* = 0x00000000
  - ActiveService = "Nationalfld"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NATIONALFLD\0000]
  - Service = "Nationalfld"
  - Legacy = 0x00000001
  - ConfigFlags = 0x00000000
  - Class = "LegacyDriver"
  - ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
  - DeviceDesc = "Nationaluko Instruments Domain Service"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NATIONALFLD]
  - NextInstance = 0x00000001
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NATIONALNEW\0000\Control]
  - *NewlyCreated* = 0x00000000
  - ActiveService = "Nationalnew"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NATIONALNEW\0000]
  - Service = "Nationalnew"
  - Legacy = 0x00000001
  - ConfigFlags = 0x00000000
  - Class = "LegacyDriver"
  - ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
  - DeviceDesc = "Nationalljs Instruments Domain Service"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NATIONALNEW]
  - NextInstance = 0x00000001
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RCMDSVC\0000\Control]
  - *NewlyCreated* = 0x00000000
  - ActiveService = "rcmdsvc"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RCMDSVC\0000]
  - Service = "rcmdsvc"
  - Legacy = 0x00000001
  - ConfigFlags = 0x00000000
  - Class = "LegacyDriver"
  - ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
  - DeviceDesc = "Remote Command Service"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RCMDSVC]
  - NextInstance = 0x00000001
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Nationalfld\Enum]
  - 0 = "Root\LEGACY_NATIONALFLD\0000"
  - Count = 0x00000001
  - NextInstance = 0x00000001
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Nationalfld\Security]
  - Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Nationalfld]
  - Type = 0x00000010
  - Start = 0x00000002
  - ErrorControl = 0x00000000
  - ImagePath = "%ProgramFiles%\Common Files\\ccuwco.exe"
  - DisplayName = "Nationaluko Instruments Domain Service"
  - ObjectName = "LocalSystem"
  - Description = "Providescwm a domain server for NI security."
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Nationalnew\Enum]
  - 0 = "Root\LEGACY_NATIONALNEW\0000"
  - Count = 0x00000001
  - NextInstance = 0x00000001
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Nationalnew\Security]
  - Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Nationalnew]
  - Type = 0x00000010
  - Start = 0x00000002
  - ErrorControl = 0x00000000
  - ImagePath = "%ProgramFiles%\Common Files\\xkjtks.exe"
  - DisplayName = "Nationalljs Instruments Domain Service"
  - ObjectName = "LocalSystem"
  - Description = "Providestip a domain server for NI security."
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rcmdsvc\Enum]
  - 0 = "Root\LEGACY_RCMDSVC\0000"
  - Count = 0x00000001
  - NextInstance = 0x00000001
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rcmdsvc\Security]
  - Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rcmdsvc]
  - Type = 0x00000010
  - Start = 0x00000002
  - ErrorControl = 0x00000000
  - ImagePath = "%System%\uusmuk.exe"
  - DisplayName = "Remote Command Service"
  - ObjectName = "LocalSystem"
  - Description = "Windows Resource Kit"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NATIONALFLD\0000\Control]
  - *NewlyCreated* = 0x00000000
  - ActiveService = "Nationalfld"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NATIONALFLD\0000]
  - Service = "Nationalfld"
  - Legacy = 0x00000001
  - ConfigFlags = 0x00000000
  - Class = "LegacyDriver"
  - ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
  - DeviceDesc = "Nationaluko Instruments Domain Service"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NATIONALFLD]
  - NextInstance = 0x00000001
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NATIONALNEW\0000\Control]
  - *NewlyCreated* = 0x00000000
  - ActiveService = "Nationalnew"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NATIONALNEW\0000]
  - Service = "Nationalnew"
  - Legacy = 0x00000001
  - ConfigFlags = 0x00000000
  - Class = "LegacyDriver"
  - ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
  - DeviceDesc = "Nationalljs Instruments Domain Service"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NATIONALNEW]
  - NextInstance = 0x00000001
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RCMDSVC\0000\Control]
  - *NewlyCreated* = 0x00000000
  - ActiveService = "rcmdsvc"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RCMDSVC\0000]
  - Service = "rcmdsvc"
  - Legacy = 0x00000001
  - ConfigFlags = 0x00000000
  - Class = "LegacyDriver"
  - ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
  - DeviceDesc = "Remote Command Service"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RCMDSVC]
  - NextInstance = 0x00000001
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nationalfld\Enum]
  - 0 = "Root\LEGACY_NATIONALFLD\0000"
  - Count = 0x00000001
  - NextInstance = 0x00000001
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nationalfld\Security]
  - Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nationalfld]
  - Type = 0x00000010
  - Start = 0x00000002
  - ErrorControl = 0x00000000
  - ImagePath = "%ProgramFiles%\Common Files\\ccuwco.exe"
  - DisplayName = "Nationaluko Instruments Domain Service"
  - ObjectName = "LocalSystem"
  - Description = "Providescwm a domain server for NI security."
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nationalnew\Enum]
  - 0 = "Root\LEGACY_NATIONALNEW\0000"
  - Count = 0x00000001

The following Registry Values were modified:
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent]
  - (Default) =
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent]
  - (Default) =

d. Other details

The following ports were open in the system:

Port	Protocol	Process
1052	UDP	bgrfyw.exe (%Temp%\bgrfyw.exe)
1055	TCP	uusmuk.exe (%System%\uusmuk.exe)
1056	TCP	xkjtks.exe (%ProgramFiles%\Common Files\xkjtks.exe)
1057	TCP	ccuwco.exe (%ProgramFiles%\Common Files\ccuwco.exe)
1059	TCP	bgrfyw.exe (%Temp%\bgrfyw.exe)

There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host	Port Number
124.232.140.3	9900
61.160.221.236	9008
61.191.56.103	81

The data identified by the following URL was then requested from the remote web server:
- http://61.191.56.103:81/guozhudong.exe

3. How-to's

a. How to prevent the Backdoor.Win32.Xyligan.bpc ?

Please update the policy basic knowledge of Sax2 in time, Once Ax3soft sax2 detects the communication of these trojans, it will break them and ensure your network & business security.

b. How to Remove the Backdoor.Win32.Xyligan.bpc Manually?

Step 1 : Stop Backdoor.Win32.Xyligan.bpc services

rcmdsvc
Nationalnew
Nationalfld

Step 2 : Use Windows Task Manager to Remove Backdoor.Win32.Xyligan.bpc Processes

%Temp%\bgrfyw.exe
%System%\uusmuk.exe
%ProgramFiles%\common files\xkjtks.exe
%ProgramFiles%\common files\ccuwco.exe
%Temp%\sagkos.exe

Step 3 : Use Registry Editor to Remove Backdoor.Win32.Xyligan.bpc Registry Values
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\msvideo
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NATIONALFLD
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NATIONALFLD\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NATIONALFLD\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NATIONALNEW
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NATIONALNEW\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NATIONALNEW\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RCMDSVC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RCMDSVC\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RCMDSVC\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Nationalfld
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Nationalfld\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Nationalfld\Enum
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Nationalnew
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Nationalnew\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Nationalnew\Enum
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rcmdsvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rcmdsvc\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rcmdsvc\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NATIONALFLD
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NATIONALFLD\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NATIONALFLD\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NATIONALNEW
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NATIONALNEW\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NATIONALNEW\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RCMDSVC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RCMDSVC\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RCMDSVC\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nationalfld
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nationalfld\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nationalfld\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nationalnew
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nationalnew\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nationalnew\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rcmdsvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rcmdsvc\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rcmdsvc\Enum

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NATIONALFLD\0000\Control]
*NewlyCreated* = 0x00000000
ActiveService = "Nationalfld"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NATIONALFLD\0000]
Service = "Nationalfld"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "Nationaluko Instruments Domain Service"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NATIONALFLD]
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NATIONALNEW\0000\Control]
*NewlyCreated* = 0x00000000
ActiveService = "Nationalnew"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NATIONALNEW\0000]
Service = "Nationalnew"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "Nationalljs Instruments Domain Service"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NATIONALNEW]
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RCMDSVC\0000\Control]
*NewlyCreated* = 0x00000000
ActiveService = "rcmdsvc"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RCMDSVC\0000]
Service = "rcmdsvc"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "Remote Command Service"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RCMDSVC]
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Nationalfld\Enum]
0 = "Root\LEGACY_NATIONALFLD\0000"
Count = 0x00000001
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Nationalfld\Security]
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Nationalfld]
Type = 0x00000010
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = "%ProgramFiles%\Common Files\\ccuwco.exe"
DisplayName = "Nationaluko Instruments Domain Service"
ObjectName = "LocalSystem"
Description = "Providescwm a domain server for NI security."
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Nationalnew\Enum]
0 = "Root\LEGACY_NATIONALNEW\0000"
Count = 0x00000001
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Nationalnew\Security]
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Nationalnew]
Type = 0x00000010
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = "%ProgramFiles%\Common Files\\xkjtks.exe"
DisplayName = "Nationalljs Instruments Domain Service"
ObjectName = "LocalSystem"
Description = "Providestip a domain server for NI security."
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rcmdsvc\Enum]
0 = "Root\LEGACY_RCMDSVC\0000"
Count = 0x00000001
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rcmdsvc\Security]
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rcmdsvc]
Type = 0x00000010
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = "%System%\uusmuk.exe"
DisplayName = "Remote Command Service"
ObjectName = "LocalSystem"
Description = "Windows Resource Kit"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NATIONALFLD\0000\Control]
*NewlyCreated* = 0x00000000
ActiveService = "Nationalfld"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NATIONALFLD\0000]
Service = "Nationalfld"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "Nationaluko Instruments Domain Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NATIONALFLD]
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NATIONALNEW\0000\Control]
*NewlyCreated* = 0x00000000
ActiveService = "Nationalnew"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NATIONALNEW\0000]
Service = "Nationalnew"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "Nationalljs Instruments Domain Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NATIONALNEW]
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RCMDSVC\0000\Control]
*NewlyCreated* = 0x00000000
ActiveService = "rcmdsvc"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RCMDSVC\0000]
Service = "rcmdsvc"
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = "LegacyDriver"
ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
DeviceDesc = "Remote Command Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RCMDSVC]
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nationalfld\Enum]
0 = "Root\LEGACY_NATIONALFLD\0000"
Count = 0x00000001
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nationalfld\Security]
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nationalfld]
Type = 0x00000010
Start = 0x00000002
ErrorControl = 0x00000000
ImagePath = "%ProgramFiles%\Common Files\\ccuwco.exe"
DisplayName = "Nationaluko Instruments Domain Service"
ObjectName = "LocalSystem"
Description = "Providescwm a domain server for NI security."
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nationalnew\Enum]
0 = "Root\LEGACY_NATIONALNEW\0000"
Count = 0x00000001

Step4: Detect and Delete Other Backdoor.Win32.Xyligan.bpc Files

%Temp%\bgrfyw.exe
%System%\uusmuk.exe
%ProgramFiles%\Common Files\ccuwco.exe
%ProgramFiles%\Common Files\xkjtks.exe
[file and pathname of the sample #1]
%System%\wbem\Performance\WmiApRpl_new.ini

c. How to Remove these trojans Instantly?

Manual removal is a difficult process and it is not recommend unless you are an expert in this field. Therefore, you best defense is to download and install a reliable anti-spyware program to scan spyware on your machine. In order to detect computer threats in the easiest and fastest way possible, we advised trying the Malwarebytes' Anti-Malware, it is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built in protection monitor that blocks malicious processes before they even start. visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.

4. Appendix

For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm