Haxdoor.KG is a powerful backdoor with rootkit capabilities. It can hide its presence, processes and files, on an infected system so that it can be only detected using either an anti-virus application with kernel drivers or a rootkit detector.
This backdoor has spying capabilities and it has lately been used to steal logon credentials and passwords.
When Haxdoor.KG is executed, it drops the following files into the Windows System32 folder:
Haxdoor.KG injects itself to the following applications:
In addition to this, Haxdoor.KG will block the connection of the following security-related websites.
Haxdoor.KG also terminates the following security-related processes:
It acquires passwords stored in Protected Storage. This is done using a single API call. Below are passwords stored in Protected Storage:
It also steals the following Outlook Express logon credentials:
Haxdoor.KG rips logon credentials used for the The Bat! e-mail client. It will query the install directory of The Bat! in the registry. When the directory is found, it will search for the file account.cfg on the said install directory of the The Bat!. This is a very old known issue in The Bat! e-mail client, where logon credentials are saved as plain text in the account.cfg file.
This backdoor can also steal cached, Miranda ICQ, Mirabilis ICQ, Webmoney and MDialer passwords and as well as MDialer and RAS phone numbers and other info related to RAS (username, password, domain, DNS settings).
Like other Haxdoor Variants, this backdoor can steal logon credentials from the following online payment systems:
The backdoor can also connect to a website with a specially constructed URL to notify a hacker. All of the passwords stolen will be sent to:
- through an HTTP POST request.
Below are the log files of data packets used and saved in Windows System folder.
The passwords collected will be encrypted using simple XOR routine and will be saved to the following file on Windows System directory:
Haxdoor.KG opens TCP port 16661 so that a remote hacker can connect to the compromised machine.
Before the remote hacker can perform any malicious actions on the compromised machine, he should first give a password. When the correct password is entered, he will receive the text string: "A-311 Death welcome".
Below are the commands that a remote hacker can perform:
During installation, it creates the following registry key for its auto-start mechanism:
Haxdoor.KG creates the following registry keys so that even during a Safe Mode boot the malware will run:
The HKLM modification allows the backdoor to start when a user logs on. It also sets to '0' the value EnforceWriteProtection under the key:
This will disable the kernel's memory write protection for the computer.
This malware also disables Firewall services by deleting the following registry values:
Note: wscsvc and ShareAccess is for Windows Firewall service and VFILT is for Outpost Firewall
After this, it will start the following services that will also be automatically started every time that the system is booted: