Virus: TR/Haxdoor.IN
Date discovered: 01/05/2006
Type: Trojan
In the wild: No
Reported infections: Low
Distribution potential: Low
Damage potential: Medium
Static file: Yes
File size: 54.406 Bytes
MD5 checksum: c4b6955867625a7e926ccba29bf731f3
VDF version: 6.34.01.25

General method of propagation:
   • No own spreading routine


Aliases:
   •  Symantec: Backdoor.Haxdoor.J
   •  Mcafee: BackDoor-BAC
   •  Kaspersky: Backdoor.Win32.Haxdoor.in
   •  TrendMicro: BKDR_HAXDOOR.GM
   •  Bitdefender: Backdoor.Haxdoor.II

It was previously detected as:
   •  BDS/Haxdoor.IN


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Blocks access to security websites
   • Disables security applications
   • Drops malicious files
   • Uses its own email engine
   • Lowers security settings
   • Registry modification
   • Steals information
   • Third party control

Files:
It deletes the following file:
   • %HOME%\Start Menu\Programs\Startup\winupdt.exe



The following files are created:

– A temporary file that may be deleted afterwards:
   • %WINDIR%\dt163.dt

– %SYSDIR%\ps.a3d, a non-malicious text file with the following content:
   • %stolen information%

– %SYSDIR%\sndu32.dll: further investigation showed that this file is malware, too. Detected as: TR/Spy.Goldu.FT.1.A

– %SYSDIR%\qm.dll: further investigation showed that this file is malware, too. Detected as: TR/Spy.Goldu.FT.1.A

– %SYSDIR%\sndu64.sys: further investigation showed that this file is malware, too. Detected as: BDS/Haxdoor.GK

– %SYSDIR%\qm.sys: further investigation showed that this file is malware, too. Detected as: BDS/Haxdoor.GK

– %SYSDIR%\stt82.ini
– %SYSDIR%\config\SSL

Registry:
The following registry keys are added in order to load the services after reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\sndu64]
   • Type = 1
   • Start = 1
   • ErrorControl = 0
   • ImagePath = \??\%SYSDIR%\sndu64.sys

– [HKLM\SYSTEM\CurrentControlSet\Services\sndu64\Security]
   • Security = %hex values%

– [HKLM\SYSTEM\CurrentControlSet\Services\sndu64\Enum]
   • 0 = Root\LEGACY_SNDU64\0000
   • Count = 1
   • NextInstance = 1

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SNDU64]
   • NextInstance = 1

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SNDU64\0000]
   • Service = sndu64
   • Legacy = 1
   • ConfigFlags = 0
   • Class = LegacyDriver
   • ClassGUID = {8ECC055D-047F-11D1-A537-0000F8753ED1}
   • DeviceDesc = SoundDriver SDB64

– [HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SNDU64\0000\
   Control]
   • *NewlyCreated* = 0
   • ActiveService = sndu64

– [HKLM\SYSTEM\CurrentControlSet\Services\sndu32\Security]
   • Security = %hex values%

– [HKLM\SYSTEM\CurrentControlSet\Services\sndu32\Enum]


The values of the following registry keys are removed:

–  [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess]
   • Start

–  [HKLM\SYSTEM\CurrentControlSet\Services\wscsvc]
   • Start

–  [HKLM\SYSTEM\CurrentControlSet\Services\VFILT]
   • Start



It creates the following entry in order to bypass the Windows XP firewall:

– [HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • %WINDIR%\Explorer.EXE = %WINDIR%\Explorer.EXE:*:Enabled:explorer



The following registry keys are added:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
   sndu32]
   • secureUID = [%several random digits%]
   • DllName = sndu32.dll
   • Startup = MMXChckIDT
   • Impersonate = 1
   • Asynchronous = 1
   • MaxWait = 1

– [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sndu32.sys]
   • @ = Driver

– [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sndu64.sys]
   • @ = Driver



The following registry key is changed:

– [HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
   Memory Management]
   New value:
   • EnforceWriteProtection = 0
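A defender-side check for the registry artifacts listed in this section, added here as an example (it is not Avira's code): it parses an exported .reg dump and reports the service, Winlogon Notify, SafeBoot and memory-protection entries above, plus the Start values the trojan removes from SharedAccess, wscsvc and VFILT. The .reg sample at the bottom is constructed for the demonstration.

```python
# Registry indicators from the description above: (key suffix, value name, test);
# each suffix is matched case-insensitively against the end of the exported key path.
IOCS = [
    (r"services\sndu64", "ImagePath", lambda v: str(v).lower().endswith("sndu64.sys")),
    (r"winlogon\notify\sndu32", "DllName", lambda v: str(v).lower() == "sndu32.dll"),
    (r"winlogon\notify\sndu32", "Startup", lambda v: v == "MMXChckIDT"),
    (r"safeboot\minimal\sndu32.sys", "@", lambda v: v == "Driver"),
    (r"safeboot\minimal\sndu64.sys", "@", lambda v: v == "Driver"),
    # 0 lets a driver write to read-only kernel pages, which the API hooks need
    (r"session manager\memory management", "EnforceWriteProtection", lambda v: v == 0),
]
# Services whose Start value the trojan deletes (firewall/ICS, Security Center, VFILT)
DISABLED_SERVICES = (r"services\sharedaccess", r"services\wscsvc", r"services\vfilt")

def parse_reg(text):
    """Minimal parser for an exported .reg dump: {key.lower(): {name: value}}."""
    keys, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1].lower()
            keys.setdefault(cur, {})
        elif cur is not None and line[:1] in ('"', "@") and "=" in line:
            name, _, data = line.partition("=")
            if data.startswith("dword:"):          # REG_DWORD is written as hex
                keys[cur][name.strip('"')] = int(data[6:], 16)
            else:                                  # REG_SZ, unescape backslashes
                keys[cur][name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return keys

def find_haxdoor_indicators(reg_text):
    """Return human-readable findings for the Haxdoor.IN registry artifacts."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        for suffix, name, matches in IOCS:
            if key.endswith(suffix) and name in values and matches(values[name]):
                findings.append(f"{name}={values[name]!r} under ...\\{suffix}")
        if key.endswith(DISABLED_SERVICES) and "Start" not in values:
            findings.append(f"Start value missing from service {key.rsplit(chr(92), 1)[-1]}")
    return findings

# Constructed sample dump (not from the page) showing five of the artifacts.
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sndu64]
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\sndu64.sys"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sndu32]
"DllName"="sndu32.dll"
"Startup"="MMXChckIDT"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"EnforceWriteProtection"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"DisplayName"="Security Center"
"""
```

On a live machine the dump comes from `reg export HKLM\SYSTEM` and `reg export "HKLM\SOFTWARE\Microsoft\Windows NT"`; the sample above only covers the handful of keys needed to exercise each check.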

Process termination:
List of processes that are terminated:
   • zapro.exe
   • vsmon.exe
   • jamapp.exe
   • atrack.exe
   • iamapp.exe
   • FwAct.exe
   • mpfagent.exe
   • outpost.exe
   • zlclient.exe
   • mpftray.exe


List of services that are disabled:
   • Security Center
   • Windows Firewall/Internet Connection Sharing (ICS)
   • Outpost Firewall

Backdoor:
The following port is opened:

– explorer.exe on TCP port 19870, in order to provide backdoor capabilities.


Contact server:
All of the following:
   • http://www.crypttrafic.com/**********
   • http://www.crypttrafic.com/**********
   • http://www.crypttrafic.com/**********
   • http://www.crypttrafic.com/**********

As a result it may send information, and remote control could be provided.

Sends information about:
    • Created logfiles
    • IP address
    • Malware uptime
    • Opened port
    • Collected information described in stealing section
    • Username
    • Information about the Windows operating system


Remote control capabilities:
    • Kill process
    • Send emails
    • Start keylog

Stealing:
It tries to steal the following information:

– Email account information obtained from the registry key: HKCU\Software\Microsoft\Internet Account Manager\Accounts

– Passwords from the following programs:
   • Internet Explorer
   • MyIE
   • Mozilla
   • The Bat
   • Outlook Express
   • MSN
   • ICQ
   • Opera
   • WebMoney
   • Miranda

– A logging routine is started after one of the following websites is visited:
   • Ebay
   • E-gold
   • Paypal

– It captures:
    • Login information

Injection:
– It injects the following file into a process: %SYSDIR%\sndu32.dll

   All of the following processes:
   • explorer.exe
   • iexplore.exe
   • opera.exe
   • myie.exe
   • mozilla.exe
   • thebat.exe
   • outlook.exe
   • msn.exe
   • icq.exe
   • %all processes started after malware is active in memory%

Access to the following websites is redirected:


Rootkit technology:
It is a malware-specific technology: the malware hides its presence from system utilities, security applications and, in the end, from the user.


Hides the following:

– The following files:
   • sndu32.dll
   • qm.sys
   • qm.dll
   • stt82.ini
   • maskstt.a3d
   • tnstt.a3d
   • redir.a3d
   • redir2.a3d
   • wmx.a3d

– The following process:
   • explorer.exe


Method used:

Hooks the following API functions:
   • NtCreateProcess
   • NtCreateProcessEx
   • NtOpenProcess
   • NtOpenThread
   • NtQueryDirectoryFile
   • NtQuerySystemInformation

File details:
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Andrei Gherman on Thursday, May 4, 2006
Description updated by Andrei Gherman on Friday, May 5, 2006
