Threat Description

Backdoor:​W32/Haxdoor.KI

Details

Aliases: Haxdoor.KI
Category: Malware
Type: Backdoor
Platform: W32

Summary



A remote administration utility which bypasses normal security mechanisms to secretly control a program, computer or network.



Removal



Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details



Backdoor:W32/Haxdoor.KI is a powerful backdoor with rootkit and spying capabilities. It can hide its presence, processes and files, on an infected system.

Update - August 25 2006:

The Russia-based skyinet.info website that the backdoor connects to offers a URL that points to a file named samki.exe.

This file contains a nasty payload that damages Windows beyond repair (it renames several files that represent the key Windows components, for example kernel32.dll, explorer.exe and so on, and destroys the Registry database). After system restart, Windows becomes unbootable and damaged beyond repair.

This file can be downloaded and launched by a hacker to destroy all infected computers when the time comes. We have added detection for the payload file into the 2006-08-25_04 update.

Amusingly, Haxdoor.KI can still play such dumb tricks on a user as opening and closing of CD-ROM tray. This is a heritage from the older backdoors like Deep Throat, NetBus, SubSeven and others.

Update - 17 August 2006:

We received numerous reports of Haxdoor.KIbeing spammed as an e-mail attachment, in an archive file named rakningen.zip. The backdoor's file, located inside the archive, is named rakningen.exe (Swedish language) We also have a report that it was spammed inside an archive named rechnung.zip as rechnung.exe. (German language).

Propagation

HaxDoor.KI was spammed to a large amount of people in e-mail messages with the following characteristics:

Subject: Rakningen
 
 Message Body:
 BÆ’aste Kund!
 RÆ’akningen
 Filerna Æ’ar bifogade som en bilaga och kan vidarebefordras tillsammans med detta meddelande.
 Jag anvÆ’ander en gratis version av SPAMfighter som har fram till nu raderat 227 SPAM-brev.
 SPAMfighter Æ’ar helt fri fÆ’¶r privatbruk.
 Det kan provas nu och gratis: TRYCK HÆ’?R

Attachment: rakningen.zip

We also have a report that it was spammed as rechnung.exe inside an archive named rechnung.zip attached to a message in German.

Subject: Rechnung
 
 Message Body:
 Sehr geehrte Kundin, sehr geehrter Kunde
 Rechnung
 Die Dateien wurden als Anhang eingefugt und konnen jetzt mit dieser Nachricht gesendet werden.
 
Attachment: rechnung.zip

Installation

When the backdoor's file (rechnung.exe or rakningen.exe) is run, it silently drops 5 files to the Windows System folder:

  • qo.dll
  • qo.sys
  • xdpptp.sys
  • xopptp.dll
  • xopptp.sys

The DLL files are identical to each other, as are the SYS files. During its operation the backdoor creates several different files where it stores stolen data. Those files are encrypted.

When the backdoor is active, all its files are hidden with the help of rootkit techniques. Also, if the backdoor injected its code into the Windows Explorer process, it hides the Explorer.exe process. Otherwise if the backdoor started as a component of the Winlogon process, usually after a system reboot, it hides the Winlogon.exe process. Our BlackLight Rootkit Eliminator as well as F-Secure products that have an anti-rootkit engine, for example F-Secure Internet Security 2006, can detect and remove the backdoor successfully.

Registry

The DLL files represent the main backdoor's components. To make sure that the backdoor is started every time Windows boots, the Winlogon Notification key for the backdoor's "xopptp.dll" file is added into the Registry:

  • [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xopptp]

This allows the backdoor to start even before a user logs on. Also the backdoor's driver, a file named xdpptp.sys, is registered as a system driver to be loaded even in the minimal configuration (Safe Boot):

  • [HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\xdpptp.sys]
  • [HKLM\System\CurrentControlSet\Control\SafeBoot\Network\xdpptp.sys]
  • [HKLM\System\ControlSet00?\Control\SafeBoot\Minimal\xdpptp.sys]
  • [HKLM\System\ControlSet00?\Control\SafeBoot\Network\xdpptp.sys]

In addition, the backdoor's driver can be registered as a service with the following attributes:

  • Name: xdpptp
  • Display name: YVPB video output
  • File: %WinSysDir%\xdpptp.sys

Where %WinSysDir% represents Windows System directory (usually C:\Windows\System32\).

Activity

It looks like the main purpose of this backdoor, that was created by the virus writer who calls himself 'Corpse', is spying against the users of infected computers.

The stolen info, which includes various logins, passwords, on-line payment systems account details and so on, is sent to a hacker, who can (and probably does) sell it to other criminals.

At the same time the extensive backdoor capabilities and the set of remote control tools that is offered by the virus writer on a commercial basis, makes this malware suitable for spammers, phishers and other computer criminals.

The backdoor collects and sends the following information to a hacker:

  • IMAP passwords
  • IMAP server name
  • IMAP user name
  • Inetcomm server passwords
  • Outlook account passwords
  • POP passwords
  • POP server name
  • POP user name
  • Protected storage passwords
  • The Bat! passwords
  • Windows registration info

The backdoor can also steal cached MSN, Miranda, ICQ and Webmoney passwords as well as RAS phone numbers and other info related to RAS (username, password, domain, DNS settings).

The backdoor monitors web forms accessed from the infected machine. If the URL or the data inside of the web pages match to a fixed list of online bank-related keywords, then the backdoor will post the content of the form to a server via a web site at the address of skynet.info.

In addition, the backdoor can steal information related to E-Gold, Ebay, and PayPay accounts. These services are widely used for online payments around the world.

Being active, the backdoor injects itself into the processes with the following names:

  • explorer.exe
  • icq.exe
  • iexplore.exe
  • mozilla.exe
  • msn.exe
  • myie.exe
  • opera.exe
  • outlook.exe
  • thebat.exe

The backdoor listens on TCP port 16661 for commands from a remote host. A hacker can connect to that port and control the backdoor's behaviour. The backdoor allows a hacker to do any of the following:

  • Upload a specified file to a hacker
  • Download a file from a specified location
  • View contents of a specified file
  • Find any specified file (masks supported)
  • Start any specified file
  • List files and directories
  • Create directories with specified names
  • Send an e-mail with a specified text
  • Show a messagebox with a specified text
  • Full access to Windows Registry
  • Enable or disable keylogger, check keylogger status
  • Copy data to and from clipboard
  • Set cursor position
  • Enable or disable keyboard
  • Copy, delete, move, get and set attributes to a specified file
  • List and kill processes, set priority for a specified process
  • Enable and disable hard disks and floppy drives
  • Get and set local time
  • Set doubleclick time
  • Swap mouse buttons
  • Take a screenshot from a desktop
  • Play specified media files
  • Show specified bitmap files
  • Change a title of a specified window
  • Send a message to any application window
  • Create and start services
  • Play a beep sound
  • Log off, shutdown and restart Windows
  • Change color scheme
  • Open or close CD-ROM tray
  • Unload from memory or uninstall itself from a computer
  • Password authentication for a backdoor operator
  • Get information about an infected system
  • Hide additional files and processes (uses a driver)
  • Start HTTP proxy server listening on TCP port 8008
  • Start SOCKS v4/5 proxy server listening on TCP port 7080

The backdoor also starts a command shell (cmd.exe) listening on TCP port 16016.

The backdoor blocks connections from an infected computer to the following sites that mostly belong to anti-virus vendors:

  • avp.ch
  • avp.com
  • avp.ru
  • awaps.net
  • customer.symantec.com
  • dispatch.mcafee.com
  • download.mcafee.com
  • engine.awaps.net
  • f-secure.com
  • ftp.kaspersky.ru
  • ftp.sophos.com
  • kaspersky.com
  • kaspersky.ru
  • kaspersky-labs.com
  • liveupdate.symantec.com
  • liveupdate.symantecliveupdate.com
  • mast.mcafee.com
  • mcafee.com
  • my-etrust.com
  • networkassociates.com
  • phx.corporate-ir.net
  • rads.mcafee.com
  • securityresponse.symantec.com
  • service1.symantec.com
  • sophos.com
  • spd.atdmt.com
  • symantec.com
  • trendmicro.com
  • u2.eset.com
  • update.symantec.com
  • updates.drweb-online.com
  • updates.symantec.com
  • us.mcafee.com
  • virustotal.com

In addition, it terminates the following security-relayed processes:

  • atrack.exe
  • FwAct.exe
  • iamapp.exe
  • jamapp.exe
  • mpfagent.exe
  • mpftray.exe
  • outpost.exe
  • vsmon.exe
  • zapro.exe
  • zlclient.exe

The backdoor disables the VFILT and WSCSVC services to bypass Outpost and Windows Firewalls.

And finally, the backdoor can modify the following settings of Internet Explorer:

  • Default search URL
  • First homepage
  • Local page
  • Search page
  • Start page


Detection


F-Secure Anti-Virus detects this malware with the the following updates:
Detection Type: PC
Database: 2006-08-17_02




SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Scan & clean your PC

F-Secure Online Scanner will scan and clean your PC in just a few minutes for free

Learn More