Virus: BDS/Haxdoor.GJ.3
Date discovered: 02/02/2006
Type: Backdoor Server
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 17.565 Bytes
MD5 checksum: e2761e88642324801fa8754261bb81b4
VDF version: 6.33.00.183
General

Method of propagation:
• No own spreading routine

Aliases:
• Kaspersky: Backdoor.Win32.Haxdoor.gj
• TrendMicro: BKDR_HAXDOOR.DU

Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Drops malicious files
• Records keystrokes
• Registry modification
• Steals information
• Third party control

Files

The following files are created:
– %SYSDIR%\wnlogow.sys
  Further investigation showed that this file is malware, too. Detected as: BDS/Haxdoor.GJ.4
– %SYSDIR%\avload32.dll
  Further investigation showed that this file is malware, too. Detected as: BDS/Haxdoor.GJ.2

Registry

The following registry keys are added in order to load the service after reboot:
– [HKLM\SYSTEM\CurrentControlSet\Services\wnlogow]
  • Type = dword:00000001
  • Start = dword:00000001
  • ErrorControl = dword:00000000
  • ImagePath = \??\%SYSDIR%\wnlogow.sys
  • DisplayName = BLUETOOTH IPv4 service
– [HKLM\SYSTEM\CurrentControlSet\Services\wnlogow\Security]
  • Security = %hex values%
– [HKLM\SYSTEM\CurrentControlSet\Services\wnlogow\Enum]
  • 0 = Root\\LEGACY_WNLOGOW\\0000
  • Count = dword:00000001
  • NextInstance = dword:00000001
– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WNLOGOW]
  • NextInstance = dword:00000001
– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WNLOGOW\0000]
  • Service = wnlogow
  • Legacy = dword:00000001
  • ConfigFlags = dword:00000000
  • Class = LegacyDriver
  • ClassGUID = {8ECC055D-047F-11D1-A537-0000F8753ED1}
  • DeviceDesc = BLUETOOTH IPv4 service
  • Capabilities = dword:00000000
– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WNLOGOW\0000\Control]
  • *NewlyCreated* = dword:00000000
  • ActiveService = wnlogow

It creates the following entry in order to bypass the Windows XP firewall:
– [HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
  • %WINDIR%\Explorer.EXE = %WINDIR%\Explorer.EXE:*:Enabled:explorer

The following registry key is added:
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avload32]
  • DllName = avload32.dll
  • Startup = avload32
  • Impersonate = dword:00000001
  • Asynchronous = dword:00000001
  • MaxWait = dword:00000001
  • keyR2 = [%random character string%]

The following registry key is changed:
Various Explorer settings:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
  Old value:
  • WarnOnZoneCrossing = %user defined settings%
  • WarnOnPostRedirect = %user defined settings%
  • WarnOnBadCertRecving = %user defined settings%
  New value:
  • WarnOnZoneCrossing = dword:00000000
  • WarnOnPostRedirect = dword:00000000
  • WarnOnBadCertRecving = dword:00000000

Backdoor

The following ports are opened:
– winlogon.exe on TCP port 9066 in order to provide a proxy server.
– winlogon.exe on TCP port 9067 in order to provide a Socks 5 proxy server.

Contact server:
• http://www.superstability.info/forte/**********
This is done via the HTTP GET and POST methods using a PHP script.

Sends information about:
• Current malware status
• Opened port
• Collected information described in the stealing section

Remote control capabilities:
• Start keylog

Stealing

It tries to steal the following information:
– Passwords typed into 'password input fields'
– Recorded passwords used by the AutoComplete function
– Email account information obtained from the registry key:
  HKCU\Software\Microsoft\Internet Account Manager\Accounts
– Passwords from the following programs:
  • Opera
  • ICQ
  • The Bat
  • Outlook Express
  • MSN Messenger
  • MyIE
  • Mozilla
  • Maxthon
  • Miranda
– A logging routine is started after a website is visited:
  • %any website that contains a login form%
– It captures:
  • Window information
  • Login information

Injection

– It injects the following file into a process: %SYSDIR%\avload32.dll
  Process name:
  • explorer.exe
If successful, the malware process terminates while the injected part remains active.

Rootkit Technology

This is a malware-specific technology. The malware hides its presence from system utilities, security applications and, in the end, from the user.

Hides the following:
– Its own files
Method used:
• Hidden from Windows API

File details

Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to hamper detection and reduce the size of the file, it is packed with the following runtime packer:
• FSG
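The following PowerShell script is an added example and not part of the Avira description: it checks a Windows host, read-only, for the persistence and side-effect artifacts listed above (dropped files, the wnlogow service key, the Winlogon Notify entry, the firewall exception, the zeroed Internet Settings warnings, and the proxy listeners on TCP 9066/9067). The cmdlets used are standard Windows PowerShell; Get-NetTCPConnection is only available on Windows 8 / Server 2012 and later.

```powershell
# Added example (not from the Avira description): report BDS/Haxdoor.GJ.3
# artifacts named in the description. Read-only: it reports and removes nothing.
$sysDir   = [Environment]::SystemDirectory
$winDir   = $env:windir
$findings = @()

# Dropped files named in the description
foreach ($f in @("$sysDir\wnlogow.sys", "$sysDir\avload32.dll")) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

# Service key that loads the driver after reboot
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services\wnlogow'
if (Test-Path $svc) {
    $p = Get-ItemProperty -Path $svc
    $findings += "Service key present: $svc (ImagePath=$($p.ImagePath); DisplayName=$($p.DisplayName))"
}

# Winlogon Notify DLL entry used to load avload32.dll
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avload32'
if (Test-Path $notify) { $findings += "Winlogon Notify entry present: $notify" }

# Firewall authorized-application exception for Explorer.EXE
$fw = 'HKLM:\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
if (Test-Path $fw) {
    $entry = (Get-ItemProperty -Path $fw).PSObject.Properties["$winDir\Explorer.EXE"]
    if ($entry) { $findings += "Firewall exception for Explorer.EXE: $($entry.Value)" }
}

# The three Internet Settings warnings the malware forces to 0 (flag only if all three are 0)
$ie      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ieProps = Get-ItemProperty -Path $ie -ErrorAction SilentlyContinue
$names   = 'WarnOnZoneCrossing', 'WarnOnPostRedirect', 'WarnOnBadCertRecving'
if ($ieProps -and ($names | Where-Object { $ieProps.$_ -eq 0 }).Count -eq 3) {
    $findings += "All three Internet Settings warnings are disabled (0)"
}

# Proxy / SOCKS5 listeners on TCP 9066 and 9067
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in 9066, 9067 } |
        ForEach-Object { $findings += "Listener on TCP $($_.LocalPort) (PID $($_.OwningProcess))" }
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output "No BDS/Haxdoor.GJ.3 artifacts from the description were found." }
```

Because the description states that the rootkit component hides its own files from the Windows API, a negative file check on a live system is not conclusive; the registry and listening-port checks, or an offline scan of the disk, are the more reliable indicators.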
Description inserted by Andrei Gherman on Friday, February 3, 2006 Description updated by Andrei Gherman on Friday, February 3, 2006