Backdoor:W32/Haxdoor.M

Threat description

Details

CATEGORYMalware
TYPEBackdoor
DATE DISCOVEREDJune 15, 2006

Summary

A remote administration utility which bypasses normal security mechanisms to secretly control a program, computer or network.



Removal

Automatic action

Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

Backdoor:W32/Haxdoor.M can hide its presence (processes and files) on an infected system so that it can be only detected using either anti-virus with kernel drivers or a rootkit detector.This backdoor has spying capabilities and is used to steal bank-related information (logon and passwords for online bank accounts) and other information.Haxdoor.M also includes older Haxdoor functionalities.

Installation

When the backdoor is executed, it drops the following files in the Windows System32 folder:

  • pptp16.dll
  • pptp24.sys
  • qz.dll
  • qz.sys
Activity

Haxdoor is quite powerful and it is especially used to commit acts of economic fraud/theft, most of which are particularly targeted at Internet Explorer users. It targets several worldwide banks and financial services, both stealing account information and performing pharming.The following list is a sample of the banks included:

  • Alliance-leicester
  • Barclays
  • Cajamadrid
  • Deutsche-bank
  • E-Bullion
  • Firepay
  • Halifax
  • Lloyds
  • Mastercard
  • Paypal
  • Wellsfargo
  • Westernunion
  • Yambo Financials

The backdoor also features a generic mechanism for stealing account information.In addition to this, Haxdoor.M will redirect traffic from several security websites to a Microsoft website. The list of redirected URLs:

  • avp.ch
  • avp.com
  • avp.ru
  • awaps.net
  • customer.symantec.com
  • d-eu-1f.kaspersky-labs.com
  • d-eu-2f.kaspersky-labs.com
  • dispatch.mcafee.com
  • download.mcafee.com
  • downloads1.kaspersky-labs.com
  • downloads1.kaspersky-labs.com
  • downloads1.kaspersky-labs.com
  • downloads2.kaspersky-labs.com
  • downloads3.kaspersky-labs.com
  • downloads4.kaspersky-labs.com
  • downloads-us1.kaspersky-labs.com
  • downloads-us2.kaspersky-labs.com
  • downloads-us3.kaspersky-labs.com
  • d-ru-1f.kaspersky-labs.com
  • d-ru-2f.kaspersky-labs.com
  • d-us-1f.kaspersky-labs.com
  • engine.awaps.net
  • f-secure.com
  • ftp.avp.ch
  • ftp.downloads2.kaspersky-labs.com
  • ftp.f-secure.com
  • ftp.kaspersky.ru
  • ftp.kasperskylab.ru
  • ftp.sophos.com
  • ids.kaspersky-labs.com
  • kaspersky.com
  • kaspersky-labs.com
  • liveupdate.symantec.com
  • liveupdate.symantec.com
  • liveupdate.symantec.com
  • liveupdate.symantecliveupdate.com
  • liveupdate.symantecliveupdate.com
  • mast.mcafee.com
  • mcafee.com
  • my-etrust.com
  • networkassociates.com
  • phx.corporate-ir.net
  • rads.mcafee.com
  • securityresponse.symantec.com
  • service1.symantec.com
  • sophos.com
  • spd.atdmt.com
  • symantec.com
  • trendmicro.com
  • update.symantec.com
  • updates.symantec.com
  • updates1.kaspersky-labs.com
  • updates1.kaspersky-labs.com
  • updates2.kaspersky-labs.com
  • updates3.kaspersky-labs.com
  • updates3.kaspersky-labs.com
  • updates4.kaspersky-labs.com
  • updates5.kaspersky-labs.com
  • us.mcafee.com
  • virustotal.com

Additionally, the backdoor can steal the following info:

  • IMAP password
  • IMAP server name
  • IMAP user name
  • POP3 password
  • POP3 server name
  • POP3 user name
Registry

The HKLM modification allows the backdoor to start when a user logs on. It also sets to '0' the value EnforceWriteProtection under the key:

  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management

thus disabling memory write protection for the computer. After this, it will start the following services that will also be automatically started every time that the system is booted:

  • MMX virtualization service
  • MMX2 virtualization service
Registry Modifications

Creates these keys:

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pptp1
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\pptp16.sys
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\pptp24.sys
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\pptp16.sys
  • HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\pptp24.sy
Detection

F-Secure Anti-Virus detects this malware with the following updates:

Database: 2006-06-15_01

Submit a Sample

Suspect a file or URL was wrongly detected? Send it to our Labs for further analysis

Submit a Sample

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

More Info