Click Here to Install Silverlight*
United StatesChange|All Microsoft Sites
Microsoft
Security 

Malicious Software Encyclopedia: Win32/Hacty

Published: August 2, 2005

Win32/Hacty is a family of backdoor Trojans that is distributed in various ways to computers running certain versions of Microsoft Windows. This Trojan is a user-mode rootkit. It can log keystrokes, redirect function calls to hide resources, open ports to communicate with attackers, and conduct distributed denial of service (DDos) attacks on servers.

**

Related Links

Removal Tools - Microsoft

Glossary Terms

Click the term to get the definition from our Security Glossary.

Trojan horse

virus

worm

**
On This Page
Threat OverviewThreat Overview
Technical AnalysisTechnical Analysis
How to Prevent InfectionHow to Prevent Infection
How to Tell If Your Computer Is InfectedHow to Tell If Your Computer Is Infected
How to Recover from InfectionHow to Recover from Infection
Payload InformationPayload Information

Threat Overview

Class/typeTrojan - Rootkit-Stealth
DiscoveredJune 21, 2005
CirculatingNo
Affected operating systemsWindows 2000
Windows XP
Windows Server 2003
Affected software Not specified
Infection ratingLow
Recovery difficultyDifficult
Damage ratingHigh
Transmission ratingLow

Technical Analysis

When a Win32/Hacty variant runs, it can take actions such as the following:
  • Log keystrokes.
  • Terminate processes.
  • Run commands and programs by starting a remote command shell.
  • Intercept certain Windows API calls in order to hide resources such as registry keys and values, processes, users, services, files, directories, and ports. The API calls are redirected to Win32/Hacty code that the Trojan has injected into processes running on the computer.
  • Conduct distributed denial of service (DDoS) attacks on servers using ping, UDP, Syn, or mstream flooding.
  • Exchange files between the infected computer and the attackers' computer.
  • Communicate with attackers through a backdoor. The Trojan may open a port for this purpose or use a port that is already open. The following protocols may be used:
    • User Datagram Protocol (UDP)
    • Transmission Control Protocol (TCP)
    • Internet Control Message Protocol (ICMP)

How to Prevent Infection

Take the following steps to help prevent infection on your system:
  • Enable a firewall on your computer.
  • Get the latest computer updates.
  • Use up-to-date antivirus software.

Enable a firewall on your computer

Use a third-party firewall product or turn on the Microsoft Windows XP Internet Connection Firewall.
To turn on the Internet Connection Firewall in Windows XP
  1. Click Start, and click Control Panel.
  2. Click Network and Internet Connections, and click Network Connections. If you do not see Network and Internet Connections, click Switch to Category View.
  3. Highlight a connection that you want to help protect, and click Change settings of this connection.
  4. Click Advanced, and select Protect my computer and network by limiting or preventing access to this computer from the Internet.
  5. Click OK.

Get the latest computer updates

Updates help protect your computer from viruses, worms, and other threats as they are discovered. You can use the Automatic Updates feature in Microsoft Windows XP to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
To turn on Automatic Updates in Windows XP
  1. Click Start, and click Control Panel
  2. Click Performance and Maintenance. If you do not see Performance and Maintenance, click Switch to Category View.
  3. Click System.
  4. Click Automatic Updates, and select Keep my computer up to date.
  5. Select a setting. Microsoft recommends selecting Automatically download the updates, and install them on the schedule that I specify and setting a regular update time.
  6. If you choose to have Automatic Updates notify you in step 5, you will see a notification balloon when new downloads are available to install. Click the notification balloon to review and install updates.

Use up-to-date antivirus software

Most antivirus software can detect and prevent infection by known malicious software. You should always run antivirus software on your computer that is updated with the latest signature files to automatically help protect you from infection. If you don't have antivirus software installed, you can get it from one of several companies. For more information, see http://www.microsoft.com/athome/security/downloads/default.mspx

How to Tell If Your Computer Is Infected

There may be no readily apparent indications that your computer is infected by Win32/Hacty.

How to Recover from Infection

Automatic Recovery
To attempt to automatically remove this threat, run one of the following removal tools:

Payload Information

Payload typeTriggerDescription
Compromises Security
Execution
  • Starts a remote command shell.
  • Redirects Windows API calls to hide resources.
  • Terminates processes.
  • Performs DDoS attacks on servers.
  • Uses and hides backdoor functionality.
Release information
Execution
  • Logs keystrokes.
  • Transfers files to attackers and uses a backdoor to send information to attackers.


© 2009 Microsoft Corporation. All rights reserved. Contact Us |Terms of Use |Trademarks |Privacy Statement