Virus: BDS/Haxdoor.KG
Date discovered: 16/08/2006
Type: Backdoor Server
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 62.825 Bytes
MD5 checksum: A06F64CC3047015B82E15005512C47BF
VDF version: 6.35.01.99
IVDF version: 6.35.01.100 - Wednesday, August 16, 2006

General Method of propagation:
   • No own spreading routine


Aliases:
   •  Symantec: Backdoor.Haxdoor.O
   •  Mcafee: BackDoor-BAC
   •  Kaspersky: Backdoor.Win32.Haxdoor.kg
   •  TrendMicro: BKDR_HAXDOOR.IE
   •  Sophos: Troj/Haxdoor-DA
   •  VirusBuster: Backdoor.Haxdoor.JU
   •  Bitdefender: Backdoor.Haxdoor.KG


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Disable security applications
   • Drops files
   • Drops malicious files
   • Lowers security settings
   • Records keystrokes
   • Registry modification
   • Steals information
   • Third party control

Files:
It creates the following directory:
   • W01083060Z



The following files are created:

– Non-malicious files:
   • %SYSDIR%\kgctini.dat
   • %SYSDIR%\lps.dat

– %SYSDIR%\kps001.sys
   This is a non-malicious text file with the following content:
   • %stolen information%

– %SYSDIR%\ydsvgd.sys
   It is executed after it has been fully created. Further investigation showed that this file is malware, too. Detected as: BDS/Haxdoor.JU.1

– %SYSDIR%\qo.sys
   Further investigation showed that this file is malware, too. Detected as: BDS/Haxdoor.JU.1

– %SYSDIR%\ycsvgd.sys
   Further investigation showed that this file is malware, too. Detected as: BDS/Haxdoor.JU.1

– %SYSDIR%\qo.dll
   Further investigation showed that this file is malware, too. Detected as: TR/PSW.PdPi.CT.1.D

– %SYSDIR%\ydsvgd.dll
   It is executed after it has been fully created. Further investigation showed that this file is malware, too. Detected as: TR/PSW.PdPi.CT.1.D

Registry:
The following registry keys are added in order to load the service after reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\ycsvgd]
   • "Type"=dword:00000001
   • "Start"=dword:00000001
   • "ErrorControl"=dword:00000000
   • "ImagePath"=hex(2):%SYSDIR%\ycsvgd.sys
   • "DisplayName"="NDIS OSI"

– [HKLM\SYSTEM\CurrentControlSet\Services\ycsvgd\Security]
   • "Security"=hex:%hex values%

– [HKLM\SYSTEM\CurrentControlSet\Services\ycsvgd\Enum]
   • "0"="Root\\LEGACY_YCSVGD\\0000"
   • "Count"=dword:00000001
   • "NextInstance"=dword:00000001



The values of the following registry keys are removed:

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess]
   • Start

– [HKLM\SYSTEM\CurrentControlSet\Services\wscsvc]
   • Start

– [HKLM\SYSTEM\CurrentControlSet\Services\VFILT]
   • Start



It creates the following entry in order to bypass the Windows XP firewall:

– [HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • "%WINDIR%\Explorer.EXE"="%WINDIR%\Explorer.EXE:*:Enabled:explorer"



The following registry keys are added:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ydsvgd]
   • "MaxWait"=dword:00000001
   • "Asynchronous"=dword:00000001
   • "Impersonate"=dword:00000001
   • "Startup"="XWD33Sifix"
   • "CID"="[%random character string%]"

– [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ycsvgd.sys]
   • "(Default)"="Driver"

– [HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\ycsvgd.sys]
   • "(Default)"="Driver"



The following registry key is changed:

– [HKLM\SYSTEM\ControlSet001\Control\Session Manager\Memory Management]
   New value:
   • "EnforceWriteProtection"=dword:00000000
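As an added, defender-side example (not part of Avira's description and not the sample's own code), the Python below parses a .reg-style export and flags the registry locations listed above that a responder should act on or review: the kernel write-protection switch, Winlogon Notify packages, SafeBoot driver entries, a firewall exception for explorer.exe, and system-start kernel drivers whose image is not under a drivers\ folder. The export text is constructed for the example (it includes a benign Tcpip service as a control), and the Finding type and the drivers\ path heuristic are assumptions, not anything the write-up states.

```python
"""Added example (not Avira's code and not the sample's own code): parse a
.reg-style registry export and flag the persistence and hardening-bypass
locations this Haxdoor write-up lists.  The export text, the Finding type
and the drivers\\ path heuristic are assumptions made for the example."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

KEY_RE = re.compile(r"^\[(.+)\]$")          # [HKLM\...] header line
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')  # "Name"=value line


@dataclass
class Finding:
    severity: str  # "high" = act on it, "review" = needs a human look
    key: str
    reason: str


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key: {value_name: raw_value}}.  HKEY_LOCAL_MACHINE is folded to
    HKLM so regedit exports and the short form used in write-ups match the
    same checks.  Backslash-continued multi-line hex values are not handled."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).replace("HKEY_LOCAL_MACHINE", "HKLM")
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def dword(raw: Optional[str]) -> Optional[int]:
    """Decode a 'dword:0000000N' export value; None if absent or not a DWORD."""
    if raw and raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return None


def triage_reg_export(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for key, values in parse_reg_export(text).items():
        k = key.lower()
        # Kernel write protection off: a prerequisite for patching read-only
        # kernel code and tables, which is how the rootkit component hides.
        if k.endswith("\\control\\session manager\\memory management") \
                and dword(values.get("EnforceWriteProtection")) == 0:
            findings.append(Finding("high", key,
                "EnforceWriteProtection=0 disables kernel write protection"))
        # Winlogon Notify packages are DLLs loaded into winlogon.exe at logon;
        # every package should be matched to a known DLL on disk.
        if "\\winlogon\\notify\\" in k:
            findings.append(Finding("review", key,
                "Winlogon Notify package, DllName=" + values.get("DllName", "<not set>")))
        # SafeBoot Minimal/Network entries keep a driver loading in Safe Mode,
        # so the sample survives the usual "boot safe and clean" routine.
        if "\\control\\safeboot\\" in k and k.endswith(".sys"):
            findings.append(Finding("review", key, "driver kept loaded in Safe Mode"))
        # Firewall exception for explorer.exe: the shell has no reason to accept
        # inbound connections; here it is the process hosting the backdoor port.
        if k.endswith("\\authorizedapplications\\list"):
            for name, raw in values.items():
                if "explorer.exe" in name.lower() and ":enabled:" in raw.lower():
                    findings.append(Finding("high", key, "firewall exception for " + name))
        # Heuristic (assumption): kernel driver (Type=1) with system start
        # (Start=1) whose image is not under a drivers\ folder.
        if "\\services\\" in k and dword(values.get("Type")) == 1 \
                and dword(values.get("Start")) == 1 \
                and "\\drivers\\" not in values.get("ImagePath", "").lower():
            findings.append(Finding("review", key,
                "system-start kernel driver outside drivers\\: " + values.get("ImagePath", "")))
    return findings


# Constructed sample export: the keys from the write-up plus a benign Tcpip
# service as a control that must not be flagged.
SAMPLE_EXPORT = r"""
[HKLM\SYSTEM\CurrentControlSet\Services\ycsvgd]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):%SYSDIR%\ycsvgd.sys
"DisplayName"="NDIS OSI"

[HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%WINDIR%\Explorer.EXE"="%WINDIR%\Explorer.EXE:*:Enabled:explorer"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ydsvgd]
"MaxWait"=dword:00000001
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Startup"="XWD33Sifix"

[HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ycsvgd.sys]
"(Default)"="Driver"

[HKLM\SYSTEM\ControlSet001\Control\Session Manager\Memory Management]
"EnforceWriteProtection"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"=hex(2):system32\DRIVERS\tcpip.sys
"""

if __name__ == "__main__":
    for f in triage_reg_export(SAMPLE_EXPORT):
        print(f"[{f.severity:6}] {f.key}\n         {f.reason}")
```

Run against a real export (`reg export HKLM\SYSTEM file.reg`, then `HKLM\SOFTWARE`), the "high" findings are the ones to remediate first; the "review" findings are persistence points that need to be matched against known files before anything is removed.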

Email:
It doesn't have its own spreading routine, but it has the ability to send an email. The receiver is most likely the author. The characteristics are described below:


From:
The sender of the email is the following:
   • %current username% %IP address%


To:
The recipient of the email is the following:
   • HAXOR


Subject:
The subject of the email is the following:
   • *%random character string%*



Body:
The body of the email is the following:
   • %stolen information%

Process termination:
List of processes that are terminated:
   • zapro.exe
   • atrack.exe
   • FwAct.exe
   • iamapp.exe
   • jamapp.exe
   • mpfagent.exe
   • mpftray.exe
   • outpost.exe
   • vsmon.exe
   • zlclient.exe


Backdoor:
The following ports are opened:

– explorer.exe on TCP port 16661 in order to provide backdoor capabilities.
– explorer.exe on a random TCP port in order to provide a proxy server.
– explorer.exe on a random TCP port in order to provide a SOCKS 4 proxy server.


Contact server:
The following:
   • www.grci.info/**********

It may then send information to this server via HTTP GET and POST requests to a PHP script.


Sends information about:
   • Current malware status
   • Malware uptime
   • Opened port
   • Collected information described in the stealing section


Remote control capabilities:
   • Execute file
   • Send emails
   • Start keylog
   • Visit a website

Stealing:
It tries to steal the following information:
– Recorded passwords used by the AutoComplete function
– Email account information obtained from the registry key: HKCU\Software\Microsoft\Internet Account Manager\Accounts

– Passwords from the following programs:
   • ICQ
   • Inetcomm Server
   • Internet Explorer
   • Opera
   • Outlook Express
   • Myle
   • Mozilla
   • MSN
   • Mirabilis
   • Miranda
   • The Bat
   • WebMoney

– A logging routine is started after the following website is visited:
   • https://www.e-gold.com/acct/ai.asp?c=AS

– A logging routine is started after a website whose URL contains one of the following substrings is visited:
   • Ebay
   • E-gold
   • Paypal

– It captures:
   • Keystrokes
   • Window information

Injection:
– It injects the following file into processes: %SYSDIR%\ydsvgd.dll

   Into all of the following processes:
   • explorer.exe
   • %all processes started after malware is active in memory%



Purpose:
Access to the following websites is effectively blocked:
   • avp.ch; avp.com; avp.ru; awaps.net; customer.symantec.com;
      dispatch.mcafee.com; download.mcafee.com; engine.awaps.net;
      f-secure.com; ftp.kaspersky.ru; ftp.sophos.com; kaspersky-labs.com;
      kaspersky.com; kaspersky.ru; liveupdate.symantec.com;
      liveupdate.symantecliveupdate.com; mast.mcafee.com; mcafee.com;
      my-etrust.com; networkassociates.com; phx.corporate-ir.net;
      rads.mcafee.com; securityresponse.symantec.com; service1.symantec.com;
      sophos.com; spd.atdmt.com; symantec.com; trendmicro.com; u2.eset.com;
      update.symantec.com; updates.drweb-online.com; updates.symantec.com;
      us.mcafee.com; virustotal.com


Rootkit Technology:
It uses malware-specific rootkit technology: the malware hides its presence from system utilities, security applications and, in the end, from the user.


Hides the following:

– The following files:
   • ycsvgd.sys
   • shsvga.bin
   • qo.sys
   • ydsvgd.sys
   • qo.dll
   • ydsvgd.dll
   • gsvga.bin
   • mnsvgas.bin
   • lps.dat
   • ttsvga.dat
   • t001f.exd
   • wagfola4w.dat

– The following process:
   • explorer.exe


Method used:
   • Hidden from Windows API

File details:
Runtime packer:
In order to hinder detection and reduce the file size, it is packed with the following runtime packer:
   • FSG 2.0

Description inserted by Iulia Diaconescu on Thursday, August 17, 2006
Description updated by Iulia Diaconescu on Tuesday, August 29, 2006
