Threat description




A remote administration utility which bypasses normal security mechanisms to secretly control a program, computer or network.


Automatic action

Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

Haxdoor.KG is a powerful backdoor with rootkit capabilities. It can hide its presence, processes and files, on an infected system so that it can be only detected using either an anti-virus application with kernel drivers or a rootkit detector.

This backdoor has spying capabilities and it has lately been used to steal logon credentials and passwords.


When Haxdoor.KG is executed, it drops the following files into the Windows System32 folder:

  • qo.dll
  • qo.sys
  • ycsvgd.sys
  • ydsvgd.dll
  • ydsvgd.sys

Haxdoor.KG injects itself to the following applications:

  • explorer.exe
  • icq.exe
  • iexplore.exe
  • mozilla.exe
  • msn.exe
  • opera.exe
  • outlook.exe
  • thebat.exe

In addition to this, Haxdoor.KG will block the connection of the following security-related websites.

  • liveupdate

Haxdoor.KG also terminates the following security-related processes:

  • atrack.exe
  • FwAct.exe
  • iamapp.exe
  • jamapp.exe
  • mpfagent.exe
  • mpftray.exe
  • outpost.exe
  • vsmon.exe
  • zapro.exe
  • zlclient.exe

It acquires passwords stored in Protected Storage. This is done using a single API call. Below are passwords stored in Protected Storage:

  • Deleted Outlook account passwords
  • Internet Explorer auto-complete Fields in WIn 9x for dialup cached passwords
  • Internet Explorer auto-complete passwords
  • Internet Explorer password-protected sites passwords
  • MSN Explorer signup passwords
  • Outlook passwords

It also steals the following Outlook Express logon credentials:

  • IMAP password
  • IMAP server name
  • IMAP user name
  • POP3 password
  • POP3 server name
  • POP3 user name

Haxdoor.KG rips logon credentials used for the The Bat! e-mail client. It will query the install directory of The Bat! in the registry. When the directory is found, it will search for the file account.cfg on the said install directory of the The Bat!. This is a very old known issue in The Bat! e-mail client, where logon credentials are saved as plain text in the account.cfg file.

This backdoor can also steal cached, Miranda ICQ, Mirabilis ICQ, Webmoney and MDialer passwords and as well as MDialer and RAS phone numbers and other info related to RAS (username, password, domain, DNS settings).

Like other Haxdoor Variants, this backdoor can steal logon credentials from the following online payment systems:

  • e-bay
  • e-gold
  • paypal

The backdoor can also connect to a website with a specially constructed URL to notify a hacker. All of the passwords stolen will be sent to:


- through an HTTP POST request.

Below are the log files of data packets used and saved in Windows System folder.

  • gsgva.bin
  • kgctini.dat
  • mnsvga.bin
  • tnstt.exd
  • ttsvga.dat
  • wmx.exd

The passwords collected will be encrypted using simple XOR routine and will be saved to the following file on Windows System directory:

  • lps.dat

Haxdoor.KG opens TCP port 16661 so that a remote hacker can connect to the compromised machine.

Before the remote hacker can perform any malicious actions on the compromised machine, he should first give a password. When the correct password is entered, he will receive the text string: "A-311 Death welcome".

Below are the commands that a remote hacker can perform:

  • Add/Delete registry keys/values
  • Close the connection
  • Copy/Delete clipboard data
  • Create a snapshot of the desktop
  • Create directory
  • Create a file
  • Delete a file
  • Disable the floppy disk drive
  • Execute a file
  • Find file
  • Get local drive info
  • Get/Set machine's time
  • Get/Set mouse double-click interval time
  • Get/Set mouse pointer location
  • Hide processes
  • Hide/Disable/Enable the system clock, Start button, system tray and the Desktop
  • Key-logging
  • Kill process
  • Kill processes
  • Logs off the infected user
  • Modify Internet Explorer's settings (e.g. Default Search Page, Start Page, Home Page)
  • Move a file
  • Open/Close the CD-Rom tray
  • Play a sound file
  • Remove the backdoor service
  • Send e-mail
  • Swap the mouse buttons
  • Update the malware from the hacker's specified site

During installation, it creates the following registry key for its auto-start mechanism:

  • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ydsvgd]

Haxdoor.KG creates the following registry keys so that even during a Safe Mode boot the malware will run:

  • [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ycsvgd.sys]
  • [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ycsvgd.sys]

The HKLM modification allows the backdoor to start when a user logs on. It also sets to '0' the value EnforceWriteProtection under the key:

  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management]

This will disable the kernel's memory write protection for the computer.

This malware also disables Firewall services by deleting the following registry values:

  • [HKLM\SYSTEM\CurrentControlSet\Control\Services\SharedAccess] "Start"
  • [HKLM\SYSTEM\CurrentControlSet\Control\Services\wscsvc] "Start"
  • [HKLM\SYSTEM\CurrentControlSet\Control\Services\VFILT] "Start"

Note: wscsvc and ShareAccess is for Windows Firewall service and VFILT is for Outpost Firewall

After this, it will start the following services that will also be automatically started every time that the system is booted:

  • NDI OSI Service
  • NDI OSI32 Service

Submit a Sample

Suspect a file or URL was wrongly detected? Send it to our Labs for further analysis

Submit a Sample

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

More Info