Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:27/07/2006
Type:Backdoor Server
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Medium
Static file:Yes
File size:88.576 Bytes
MD5 checksum:f2c34a56a33ee7a22e77a217f5c9e92b
VDF version:
IVDF version:

 General Method of propagation:
   • No own spreading routine

   •  Mcafee: BackDoor-DIZ
   •  Kaspersky: Backdoor.Win32.HacDef.fw
   •  F-Secure: Backdoor.Win32.HacDef.fw
   •  Sophos: Troj/HacDef-DJ
   •  Bitdefender: Backdoor.Hacdef.AG

Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Uses its own Email engine
   • Registry modification
   • Steals information
   • Third party control

 Registry The following registry keys are added in order to load the services after reboot:

   • "Type"=dword:00000010
   • "Start"=dword:00000002
   • "ErrorControl"=dword:00000000
   • "ImagePath"="%malware execution directory%\%executed file% /service"
   • "DisplayName"="Print Spooler Service"
   • "ObjectName"="LocalSystem"

   • "0"="Root\LEGACY_SPOOLSVC227\0000"
   • "Count"=dword:00000001
   • "NextInstance"=dword:00000001

   • "Security"=%hex values%

The following registry key is changed:

   Old value:
   • "(default)"=dword:0000000d
   New value:
   • "(default)"=dword:0000000e

 Backdoor Contact server:
One of the following:
   • 143.215.**********:447(UDP)
   • 143.215.**********:447(UDP)
   • 207.44.**********:447(UDP)

As a result it may send information and remote control could be provided. Besides, it periodically repeats the connection.

 Miscellaneous Mutex:
It creates the following Mutex:
   • 135363240

 File details Programming language:
The malware program was written in MS Visual C++.

Description inserted by Teodor Onisor on Monday, October 2, 2006
Description updated by Teodor Onisor on Monday, October 2, 2006

Back . . . .