The saga of the Chinese bank-mandated Aisino Intelligent Tax software that installed a remote access and control backdoor has taken an unexpected turn, as security researchers found it received an update that deletes the malicious code.
This turned out to be an uninstaller for the backdoor, which Spiderlabs named GoldenSpy.
The uninstaller executable is fetched from a host on a network allocated to China Mobile, Spiderlabs said, with a second version containing obfuscated variables to avoid antivirus appearing shortly after the first one.
Once the Aisino Intelligent Tax program runs the downloaded executable, the uninstaller deletes all GoldenSpy files and folders, as well as the entries it inserted into the Windows Registry system configuration database.
After the GoldenSpy backdoor has been removed, the uninstaller executes a Windows shell command to delete itself quietly and without notifications or user input.
While the direct threat of the GoldenSpy command and control remote access malware appears to be gone after the uninstaller has finished, Spiderlabs said it has to leave users concerned about what else could be downloaded and executed in a similar manner.