Virus: BDS/Haxdoor.GJ.3
Date discovered: 02/02/2006
Type: Backdoor Server
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 17,565 Bytes
MD5 checksum: e2761e88642324801fa8754261bb81b4
VDF version: 6.33.00.183

General
Method of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: Backdoor.Win32.Haxdoor.gj
   •  TrendMicro: BKDR_HAXDOOR.DU


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops malicious files
   • Records keystrokes
   • Registry modification
   • Steals information
   • Third party control

Files
The following files are created:

%SYSDIR%\wnlogow.sys Further investigation showed that this file is malware too. Detected as: BDS/Haxdoor.GJ.4

%SYSDIR%\avload32.dll Further investigation showed that this file is malware too. Detected as: BDS/Haxdoor.GJ.2

Registry
The following registry keys are added in order to load the driver as a service after reboot (Type 1 = kernel-mode driver, Start 1 = loaded by the kernel at system start):

– [HKLM\SYSTEM\CurrentControlSet\Services\wnlogow]
   • Type = dword:00000001
   • Start = dword:00000001
   • ErrorControl = dword:00000000
   • ImagePath = \??\%SYSDIR%\wnlogow.sys
   • DisplayName = BLUETOOTH IPv4 service

– [HKLM\SYSTEM\CurrentControlSet\Services\wnlogow\Security]
   • Security = %hex values%

– [HKLM\SYSTEM\CurrentControlSet\Services\wnlogow\Enum]
   • 0 = Root\LEGACY_WNLOGOW\0000
   • Count = dword:00000001
   • NextInstance = dword:00000001

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WNLOGOW]
   • NextInstance = dword:00000001

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WNLOGOW\0000]
   • Service = wnlogow
   • Legacy = dword:00000001
   • ConfigFlags = dword:00000000
   • Class = LegacyDriver
   • ClassGUID = {8ECC055D-047F-11D1-A537-0000F8753ED1}
   • DeviceDesc = BLUETOOTH IPv4 service
   • Capabilities = dword:00000000

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WNLOGOW\0000\Control]
   • *NewlyCreated* = dword:00000000
   • ActiveService = wnlogow



It creates the following entry in order to bypass the Windows XP firewall, whitelisting Explorer.EXE (the process it injects into, see Injection) for inbound connections:

– [HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • %WINDIR%\Explorer.EXE = %WINDIR%\Explorer.EXE:*:Enabled:explorer



The following registry key is added:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avload32]
   • DllName = avload32.dll
   • Startup = avload32
   • Impersonate = dword:00000001
   • Asynchronous = dword:00000001
   • MaxWait = dword:00000001
   • keyR2 = [%random character string%]



The following registry key is changed:

Internet Explorer security prompts (the warnings shown when crossing security zones, when a POST is redirected, and when a server presents an invalid certificate) are switched off:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
   Old value:
   • WarnOnZoneCrossing = %user defined settings%
   • WarnOnPostRedirect = %user defined settings%
   • WarnOnBadCertRecving = %user defined settings%
   New value:
   • WarnOnZoneCrossing = dword:00000000
   • WarnOnPostRedirect = dword:00000000
   • WarnOnBadCertRecving = dword:00000000
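The registry changes above (the boot-start driver service, the Winlogon Notify package, the firewall exception for Explorer.EXE and the silenced Internet Explorer prompts) can all be checked from a Regedit export taken from a suspect machine or a mounted hive. The following script is an added example and not part of Avira's description: it parses a Regedit 5.00 export and applies one rule per indicator class. The sample export, the set of XP default Notify DLLs and the list of system binaries that never need a firewall exception are constructed assumptions; adjust them to your own baseline.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample (not a real capture): a Regedit 5.00 export of the keys this
# page lists, %SYSDIR%/%WINDIR% expanded to a default XP install, plus one benign
# Winlogon Notify subkey (crypt32chain) as a negative control.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wnlogow]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000000
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\wnlogow.sys"
"DisplayName"="BLUETOOTH IPv4 service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\Explorer.EXE"="C:\\WINDOWS\\Explorer.EXE:*:Enabled:explorer"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avload32]
"DllName"="avload32.dll"
"Startup"="avload32"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
"MaxWait"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DLLName"="crypt32.dll"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"WarnOnZoneCrossing"=dword:00000000
"WarnOnPostRedirect"=dword:00000000
"WarnOnBadCertRecving"=dword:00000000
'''

# Baselines are assumptions: Notify DLLs shipped with XP, and system binaries that
# never legitimately need an inbound firewall exception.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll", "wlnotify.dll"}
NEVER_EXEMPTED = {"explorer.exe", "winlogon.exe"}
IE_WARN_VALUES = {"warnonzonecrossing", "warnonpostredirect", "warnonbadcertrecving"}

_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s: str) -> str:
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a Regedit 5.00 export into {key: {value_name: value}}. dword values
    become int, quoted strings are unescaped, other data (hex(...)) stays raw;
    multi-line hex continuations are not joined."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line) if current else None
        if not m:
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if data.startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            keys[current][name] = _unescape(data[1:-1])
        else:
            keys[current][name] = data
    return keys


def scan(keys: Dict[str, Dict[str, object]]) -> List[Tuple[str, str, str]]:
    """Return (rule, key, detail) for every Haxdoor-style indicator found."""
    hits: List[Tuple[str, str, str]] = []
    for key, vals in keys.items():
        k = key.lower()
        v = {n.lower(): d for n, d in vals.items()}
        # Kernel driver (Type 1) loaded at system start (Start 1) from system32
        # itself instead of system32\drivers: how wnlogow.sys registers itself.
        if re.search(r"\\services\\[^\\]+$", k) and v.get("type") == 1 and v.get("start") == 1:
            image = str(v.get("imagepath", "")).lower()
            if image.endswith(".sys") and "\\drivers\\" not in image:
                hits.append(("boot-driver-outside-drivers-dir", key, image))
        # Winlogon Notify package whose DLL is not in the known-good set (avload32.dll).
        if re.search(r"\\winlogon\\notify\\[^\\]+$", k):
            dll = str(v.get("dllname", "")).lower()
            if dll not in KNOWN_NOTIFY_DLLS:
                hits.append(("unknown-winlogon-notify-dll", key, dll))
        # Enabled firewall exception for a system binary that never needs one.
        if k.endswith("\\authorizedapplications\\list"):
            for name, data in vals.items():
                if name.rsplit("\\", 1)[-1].lower() in NEVER_EXEMPTED and ":enabled:" in str(data).lower():
                    hits.append(("firewall-exception-for-system-binary", key, name))
        # IE safety prompts forced off.
        if k.endswith("\\internet settings"):
            for name in sorted(IE_WARN_VALUES & set(v)):
                if v[name] == 0:
                    hits.append(("ie-warning-disabled", key, name))
    return hits


def scan_reg_text(text: str) -> List[Tuple[str, str, str]]:
    return scan(parse_reg(text))
```

To run it against a real export, decode the file as UTF-16 first (regedit writes 5.00 exports as UTF-16LE with a byte-order mark) and pass the text to scan_reg_text(). Against the constructed sample the scan reports six hits: the driver, the Notify DLL, the Explorer.EXE exception and the three disabled IE prompts, while the benign crypt32chain entry is left alone.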

Backdoor
The following ports are opened:

– winlogon.exe on TCP port 9066 in order to provide a proxy server.
– winlogon.exe on TCP port 9067 in order to provide a SOCKS5 proxy server.

winlogon.exe does not normally listen on any TCP port, so a listening winlogon.exe is itself an indicator of compromise.


Contact server:
   • http://www.superstability.info/forte/**********

Communication uses HTTP GET and POST requests to a PHP script on this server.


Sends information about:
    • Current malware status
    • Opened port
    • Collected information described in stealing section


Remote control capabilities:
    • Start keylog

Stealing
It tries to steal the following information:
– Passwords typed into 'password input fields'
– Recorded passwords used by the AutoComplete function
– Email account information obtained from the registry key: HKCU\Software\Microsoft\Internet Account Manager\Accounts

– Passwords from the following programs:
   • Opera
   • ICQ
   • The Bat
   • Outlook Express
   • MSN Messenger
   • MyIE
   • Mozilla
   • Maxthon
   • Miranda

– A logging routine is started after one of the following websites is visited:
   • %any website that contains a login form%

– It captures:
    • Window information
    • Login information

Injection
It injects the following file into a process: %SYSDIR%\avload32.dll

   Process name:
   • explorer.exe

   If successful, the malware process terminates while the injected code remains active inside explorer.exe.

Rootkit Technology
The malware uses rootkit techniques to hide its presence from system utilities, security applications and, in the end, from the user.


Hides the following:
– Its own files


Method used:
    • Hidden from the Windows API (file listings obtained through the Windows API omit the files, so a scan from a clean boot medium or a cross-view comparison against the raw file system is needed to see them)

File details
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
To hamper detection and reduce the file size, it is packed with the following runtime packer:
   • FSG

Description inserted by Andrei Gherman on Friday, February 3, 2006
Description updated by Andrei Gherman on Friday, February 3, 2006
