F-Secure Malware Information Pages: Haxdoor

Summary
Haxdoor is a powerful backdoor with rootkit capabilities. It hides its presence, its processes and its files on an infected system, so it can only be detected by antivirus programs that use kernel drivers and by rootkit detectors such as F-Secure BlackLight. This backdoor has spying capabilities and, according to reports, it has been used to steal bank-related information, logins and passwords for online bank accounts, and other information.
Detailed Description
When the backdoor's file, CMD.EXE, is run, it drops seven hidden files to the Windows System folder:

- cm.dll
- draw32.dll
- hm.sys
- memlow.sys
- vdnt32.sys
- vtd_16.exe
- wd.sys

These files are activated only on the next system reboot. When the backdoor is active, all its files are hidden. Moreover, the backdoor tries to inject its code into the Windows Explorer process and hides both the 'Explorer.exe' and 'Winlogon.exe' processes. However, our F-Secure BlackLight Rootkit Eliminator can successfully find and remove the backdoor.

The "vtd_16.exe" file is a Windows CMD.EXE and is run by the backdoor as a decoy: because the backdoor's own file is named CMD.EXE, running a real command interpreter hides its other activities.

The "cm.dll" and "draw32.dll" files are identical and represent the main component of the backdoor. A Winlogon Notification key for the "draw32.dll" file is added to the Registry:

- [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\draw32]

This allows the backdoor to start when a user logs on. The startup mechanism this malware uses for these files is quite rare. The backdoor is quite powerful (see below) and has password-stealing capabilities. It contains the following strings and can steal the login and password information that users key in for the matching online banks and payment systems:

- alpha.gr
- authorize
- banc
- bank
- banq
- Barclays
- business
- cdb
- citi
- coopcb
- fbme
- gold
- halifax
- HSBC
- ikobo
- merchant
- moneybookers
- sgcyprus
- trade
- VeriSign

In addition, the backdoor can steal the following information:

- POP3 password
- POP3 server name
- POP3 user name
- IMAP password
- IMAP server name
- IMAP user name

The backdoor can also steal cached passwords, Miranda ICQ, MDialer and Webmoney passwords, MDialer and RAS phone numbers, and other RAS-related information (username, password, domain, DNS settings). All stolen data is sent by e-mail to the "corpse@mailserver.ru" address. The backdoor can also connect to a website with a specially constructed URL to notify the hacker, and it can post data to a website; the website name is configured by the hacker.

The backdoor can modify the following Internet Explorer settings:

- Default search URL
- First homepage
- Local page
- Search page
- Start page

The backdoor can be controlled through IRC, acting as a bot. The active backdoor joins the "#corpse" channel on the "irc.localirc.net" server, where it supports several commands that allow the hacker to do any of the following:

- join a channel
- kill bot
- change nick
- run files
- download files
- start a backdoor
- start a proxy
- start a DDoS attack
- get local drives info
- send e-mails
- list directories
- find files
- reboot a computer
- get info about a user
- update the backdoor's file from a webserver

As a payload, the backdoor disables certain firewalls and terminates the following processes:

- atrack.exe
- FwAct.exe
- iamapp.exe
- jamapp.exe
- mpfagent.exe
- mpftray.exe
- outpost.exe
- vsmon.exe
- zapro.exe
- zlclient.exe

Amusingly, the backdoor can also play simple tricks on the user, such as opening and closing the CD-ROM drive.
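
The indicators given above (the dropped file names, the identical cm.dll and draw32.dll pair, the Winlogon Notify subkey, the IRC server and channel, the exfiltration e-mail address, and the security processes the backdoor terminates) can be matched mechanically. The following Python is an added example written for this page, not an F-Secure tool: the HostSnapshot layout, the collector that would fill it, and the sample data are all assumptions. Since the active backdoor hides its own files and processes, the snapshot must come from a view the rootkit cannot filter, such as an offline disk image or a kernel-level scanner of the kind the summary mentions.

```python
"""Triage helper matching a host snapshot against the Haxdoor indicators
listed in the description above. Added example, not an F-Secure tool; the
HostSnapshot shape is an assumption and all sample data is constructed."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

# Indicators taken from the description on this page.
DROPPED_FILES = {
    "cm.dll", "draw32.dll", "hm.sys", "memlow.sys",
    "vdnt32.sys", "vtd_16.exe", "wd.sys",
}
NOTIFY_SUBKEY = "draw32"            # HKLM\...\Winlogon\Notify\draw32
IRC_SERVER = "irc.localirc.net"
IRC_CHANNEL = "#corpse"
EXFIL_ADDRESS = "corpse@mailserver.ru"
KILLED_PROCESSES = {                # security products the backdoor terminates
    "atrack.exe", "fwact.exe", "iamapp.exe", "jamapp.exe", "mpfagent.exe",
    "mpftray.exe", "outpost.exe", "vsmon.exe", "zapro.exe", "zlclient.exe",
}


@dataclass
class HostSnapshot:
    """What an offline or boot-time collector hands to the checks (assumed layout)."""
    system_files: dict[str, bytes] = field(default_factory=dict)   # name -> contents
    notify_subkeys: set[str] = field(default_factory=set)           # Winlogon\Notify subkeys
    processes: set[str] = field(default_factory=set)                # running image names
    irc_targets: set[tuple[str, str]] = field(default_factory=set)  # (server, channel)
    mail_recipients: set[str] = field(default_factory=set)          # outbound mail recipients


def _lower(names):
    return {n.lower() for n in names}


def find_indicators(snap: HostSnapshot) -> list[str]:
    """Return one readable line for every Haxdoor indicator found in the snapshot."""
    hits = []
    files = {name.lower(): data for name, data in snap.system_files.items()}

    dropped = sorted(DROPPED_FILES & set(files))
    if dropped:
        hits.append("dropped files present: " + ", ".join(dropped))

    # The description says cm.dll and draw32.dll are identical copies of the main
    # component, so a byte-for-byte match is a stronger signal than the names alone.
    if "cm.dll" in files and "draw32.dll" in files:
        if hashlib.sha256(files["cm.dll"]).digest() == hashlib.sha256(files["draw32.dll"]).digest():
            hits.append("cm.dll and draw32.dll are identical (main component)")

    if NOTIFY_SUBKEY in _lower(snap.notify_subkeys):
        hits.append("Winlogon Notify subkey 'draw32' present (logon persistence)")

    for server, channel in snap.irc_targets:
        if server.lower() == IRC_SERVER and channel.lower() == IRC_CHANNEL:
            hits.append(f"IRC control channel {IRC_CHANNEL} on {IRC_SERVER}")

    if EXFIL_ADDRESS in _lower(snap.mail_recipients):
        hits.append(f"mail addressed to {EXFIL_ADDRESS}")

    return hits


def missing_security_processes(snap: HostSnapshot, expected: set[str]) -> list[str]:
    """Security-product processes that should be running but are absent.

    Only names the backdoor is known to terminate are considered; an absent
    process is a prompt to look further, not proof of infection."""
    return sorted((_lower(expected) & KILLED_PROCESSES) - _lower(snap.processes))


def assess(snap: HostSnapshot) -> str:
    """Dropped files plus the persistence key together make infection likely."""
    hits = find_indicators(snap)
    has_files = any(h.startswith("dropped files") for h in hits)
    has_persistence = any("persistence" in h for h in hits)
    if has_files and has_persistence:
        return "likely infected"
    if hits:
        return "suspicious"
    return "no Haxdoor indicators"


# Constructed sample snapshots (placeholder bytes, not real malware content).
_MAIN_COMPONENT = b"MZ constructed placeholder for the main component"
INFECTED = HostSnapshot(
    system_files={"CM.DLL": _MAIN_COMPONENT, "draw32.dll": _MAIN_COMPONENT,
                  "hm.sys": b"\x00" * 16, "kernel32.dll": b"unrelated"},
    notify_subkeys={"crypt32chain", "draw32"},
    processes={"explorer.exe", "winlogon.exe"},
    irc_targets={("irc.localirc.net", "#corpse")},
    mail_recipients={"corpse@mailserver.ru"},
)
CLEAN = HostSnapshot(
    system_files={"kernel32.dll": b"unrelated"},
    notify_subkeys={"crypt32chain"},
    processes={"explorer.exe", "winlogon.exe", "zlclient.exe"},
)

if __name__ == "__main__":
    for label, snap in (("infected", INFECTED), ("clean", CLEAN)):
        print(f"{label}: {assess(snap)}")
        for hit in find_indicators(snap):
            print("  -", hit)
        print("  missing security processes:",
              missing_security_processes(snap, {"zlclient.exe", "vsmon.exe"}))
```

The file-name and registry checks are deliberately case-insensitive, since Windows paths and key names are. The process check only reports absence of products the backdoor is documented to kill, so a host that never ran those products produces no noise.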

Variant Descriptions:

- Haxdoor.KG
- Haxdoor.KI
- Haxdoor.M
F-Secure Corporation
Last Modified: January 01, 2006