Haxdoor is a powerful backdoor with rootkit capabilities. It can hide its presence (processes and files) on an infected system so that it can be only detected using either anti-virus with kernel drivers or a rootkit detector. This backdoor has spying capabilities and it has lately been used to steal bank-related information (logon and passwords for online bank accounts) and other information.
Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.
More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.
You may also refer to the Knowledge Base on the F-Secure Community site for more information.
When the backdoor is executed, it drops the following files in the Windows System32 folder:
During the execution, it also creates the following registry keys:
The HKLM modification allows the backdoor to start when a user logs on. It also sets to '0' the value EnforceWriteProtection under the key:
thus disabling memory write protection for the computer.After this, it will start the following services that will also be automatically started every time that the system is booted:
Haxdoor is quite powerful and it is especially used to commit acts of economic fraud/theft, most of which are particularly targeted at Internet Explorer users. It targets several worldwide banks and financial services, both stealing account information and performing pharming.The following list is a sample of the banks included:
The backdoor also features a generic mechanism for stealing account information. In addition to this, Haxdoor.M will redirect traffic from several security websites to a Microsoft website. The list of redirected URLs:
Additionally, the backdoor can steal the following info:
Haxdoor.M also includes older functionality in other variants already detected by F-Secure. Additional details can be found in the description for Haxdoor.
F-Secure Anti-Virus detects this malware with the following updates:
Detection Type: PC