Haxdoor is a powerful backdoor with rootkit capabilities. It can hide its presence (processes and files) on an infected system so that it can be only detected using either anti-virus with kernel drivers or a rootkit detector. This backdoor has spying capabilities and it has lately been used to steal bank-related information (logon and passwords for online bank accounts) and other information.
Based on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.
Find the latest advice in our Community Knowledge Base.
See the manual for your F-Secure product on the Help Center.
Submit a file or URL for further analysis.
When the backdoor is executed, it drops the following files in the Windows System32 folder:
During the execution, it also creates the following registry keys:
The HKLM modification allows the backdoor to start when a user logs on. It also sets to '0' the value EnforceWriteProtection under the key:
thus disabling memory write protection for the computer.After this, it will start the following services that will also be automatically started every time that the system is booted:
Haxdoor is quite powerful and it is especially used to commit acts of economic fraud/theft, most of which are particularly targeted at Internet Explorer users. It targets several worldwide banks and financial services, both stealing account information and performing pharming.The following list is a sample of the banks included:
The backdoor also features a generic mechanism for stealing account information. In addition to this, Haxdoor.M will redirect traffic from several security websites to a Microsoft website. The list of redirected URLs:
Additionally, the backdoor can steal the following info:
Haxdoor.M also includes older functionality in other variants already detected by F-Secure. Additional details can be found in the description for Haxdoor.