Backdoor:Win32/Haxdoor

Encyclopedia entry
Updated: Oct 30, 2008  |  Published: Sep 14, 2006

Aliases
  • Win32/Haxdoor (CA)
  • Haxdoor.Fam (Sunbelt Software)

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.69.152.0
Released: Oct 26, 2009
Detection initially created:
Definition: 1.45.287.0
Released: Oct 07, 2008


Summary

Win32/Haxdoor is a family of rootkit-capable backdoor trojans which gather and send private user data to remote attackers. Collected data might include user names and passwords, credit card numbers, bank logon credentials, or other sensitive financial information. Files and processes related to a Win32/Haxdoor infection may be hidden by a kernel-mode rootkit component, detected by Microsoft as WinNT/Haxdoor. Win32/Haxdoor can also disable security-related software and redirect the infected user’s URL connection requests. Depending on the version of the operating system infected, Win32/Haxdoor may perform other malicious actions, such as clearing CMOS settings, destroying disk data, and shutting down Windows unexpectedly.


Symptoms

Symptoms of a Win32/Haxdoor infection may vary depending on the particular variant and the operating system affected. On computers running Microsoft Windows Server 2003, Windows XP, or Windows 2000, a Win32/Haxdoor infection may cause the computer to unexpectedly restart and display a STOP error on login. For details, see Microsoft KB Article 903251 at http://support.microsoft.com/kb/903251/EN-US/.


Technical Information (Analysis)

 
Installation
Win32/Haxdoor is a family of backdoor trojans with rootkit capabilities. When a Win32/Haxdoor trojan is run, it typically performs the following operations:
  • Drops two identical DLLs; one of the DLLs is a backup in case the other DLL is modified or deleted.
  • Drops two identical system driver (.sys) files; one of these files is a backup in case the other driver is modified or deleted. Alternatively, the trojan may drop two distinct system driver (.sys) files and two additional driver files as backups in case the originals are modified or deleted. The trojan's rootkit functionality is contained in a system driver file.
  • Drops an empty .ini file in the Windows system folder. The trojan uses this file to store configuration information for its operations.
  • Creates services for the dropped system drivers and may modify the registry so that Windows loads the drivers each time it starts, even in safe mode.
  • Modifies the registry so that each time a user logs on, the dropped DLL is loaded and a specified function in the DLL is called at the privilege level of the current user. This is accomplished as follows:
    • On an infected host running a Windows NT-based operating system such as Windows XP or Windows Server 2003:
      Creates a subkey under registry subkey
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
      and creates the following values and data in that subkey:
      Adds value: DllName
      with data: <name of dropped DLL>
      Adds value: Startup
      with data: <name of an exported function in dropped DLL>
      Adds value: Impersonate
      with data: 1
      Adds value: Asynchronous
      with data: 1
      Adds value: MaxWait
      with data: 1
    • On an infected host running Windows 95, Windows 98, or Windows ME:
      Adds values to registry subkey
      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MPRServices\TestService
      as follows:
      Adds value: DllName
      with data: <name of dropped DLL>
      Adds value: Entrypoint
      with data: <name of an exported function in dropped DLL>
      Adds value: StackSize
      with data: 0
      Then runs the Windows system file mprexe.exe, which causes the dropped DLL to be loaded because of the Win32/Haxdoor modifications in the MPRServices subkey.
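The two logon-persistence locations listed above (a Winlogon\Notify subkey on Windows NT-based systems, and MPRServices\TestService on Windows 95/98/ME) can be checked from a registry export collected during triage. The following Python script is an added example written for this encyclopedia entry, not code from Microsoft or from the entry itself: it parses a .reg export of the kind produced by `reg export`, flags Notify subkeys whose DLL is not in a small baseline of entries commonly present on a clean Windows XP system, flags the Startup/Impersonate/Asynchronous/MaxWait combination described above, and reports any MPRServices entry that names a DLL. The baseline list, the sample subkey names and the DLL and function names in the embedded sample export are assumptions and constructed data, not indicators from the page.

```python
"""Audit a Windows .reg export for the Haxdoor-style logon persistence described above.

Added example for this page (not Microsoft's code). Checks the two locations from
the Installation section: Winlogon\\Notify\\<subkey> and MPRServices\\<subkey>.
"""
import re
from dataclasses import dataclass, field

NOTIFY_PREFIX = "hkey_local_machine\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\"
MPR_PREFIX = "hkey_local_machine\\system\\currentcontrolset\\control\\mprservices\\"

# Assumption: Notify subkeys commonly present on a clean Windows XP installation.
# Treat this as a starting point and confirm it against a known-clean reference system.
KNOWN_NOTIFY_DLLS = {
    "crypt32chain": "crypt32.dll", "cryptnet": "cryptnet.dll", "cscdll": "cscdll.dll",
    "sccertprop": "wlnotify.dll", "schedule": "wlnotify.dll", "sclgntfy": "sclgntfy.dll",
    "senslogn": "wlnotify.dll", "termsrv": "wlnotify.dll", "wlballoon": "wlnotify.dll",
}

# Constructed sample export: one legitimate Notify entry, one entry shaped like the
# Haxdoor modification, and one MPRServices entry. Names are placeholders, not real IoCs.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DLLName"="crypt32.dll"
"Impersonate"=dword:00000000
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\examplenotify]
"DllName"="exampledll.dll"
"Startup"="ExampleStartupFunc"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
"MaxWait"=dword:00000001

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MPRServices\TestService]
"DllName"="exampledll.dll"
"Entrypoint"="ExampleEntryFunc"
"StackSize"=dword:00000000
"""

_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg_export(text):
    """Return {key_path: {value_name: value}}; REG_SZ -> str, REG_DWORD -> int,
    other types are kept as their raw text (enough for the values audited here)."""
    keys = {}
    current = None
    for raw in text.lstrip("\ufeff").splitlines():  # reg export writes UTF-16 with a BOM
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name, value = m.group(1), m.group(2)
            if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
                value = value[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            elif value.lower().startswith("dword:"):
                value = int(value[6:], 16)
            keys[current][name] = value
    return keys


def _get(values, name):
    """Registry value names are case-insensitive (DllName vs DLLName)."""
    for k, v in values.items():
        if k.lower() == name.lower():
            return v
    return None


@dataclass
class Finding:
    key: str
    dll: str
    reasons: list = field(default_factory=list)


def audit_logon_persistence(text):
    """Flag Notify/MPRServices entries worth a closer look; returns a list of Finding."""
    findings = []
    for key, values in parse_reg_export(text).items():
        dll = _get(values, "DllName")
        if dll is None:
            continue
        lower_key = key.lower()
        reasons = []
        if lower_key.startswith(NOTIFY_PREFIX):
            subkey = lower_key[len(NOTIFY_PREFIX):]
            if KNOWN_NOTIFY_DLLS.get(subkey) != dll.lower():
                reasons.append("Winlogon\\Notify subkey not in the clean-system baseline")
            markers = ("Impersonate", "Asynchronous", "MaxWait")
            if _get(values, "Startup") is not None and all(_get(values, n) == 1 for n in markers):
                reasons.append("Startup handler with Impersonate/Asynchronous/MaxWait all set to 1")
        elif lower_key.startswith(MPR_PREFIX):
            reasons.append("MPRServices entry loads a DLL via mprexe.exe")
        if reasons:
            findings.append(Finding(key, dll, reasons))
    return findings


if __name__ == "__main__":
    for f in audit_logon_persistence(SAMPLE_REG):
        print(f"{f.key}\n    DllName={f.dll}\n    " + "\n    ".join(f.reasons))
```

To use it on a real system, export the two keys with `reg export` and pass the file's text (it is UTF-16 encoded) to `audit_logon_persistence`. A baseline miss is only a prompt to look at the named DLL; the Startup/Impersonate/Asynchronous/MaxWait check is the closer match to the specific modification this entry describes.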
A system driver (.sys) file dropped by Win32/Haxdoor may take the following actions (Windows NT-based operating systems only):
  • Clear CMOS settings.
  • Destroy disk data.
  • Enable or disable the keyboard or floppy drive.
  • Act as a rootkit. The rootkit intercepts calls to certain Windows API functions. Win32/Haxdoor uses this method to hide files and ports, hide and prevent termination of Win32/Haxdoor processes, disable firewalls and antivirus software, steal user data (such as data exchanged with certain Web sites), and redirect certain URL-connection user requests. 

Payload
Resists Removal
The same system driver may perform the following additional operations (alternatively, some Win32/Haxdoor variants drop a second driver to perform these operations):
  • Reset registry entries, if necessary, to match registry modifications that Win32/Haxdoor makes during installation. The Win32/Haxdoor DLL monitors the trojan registry entries and calls this system driver to restore modified or deleted entries as necessary. 
  • Restore Win32/Haxdoor files, if necessary. This system driver may attempt to open files that Win32/Haxdoor drops during installation. If a file-open operation fails, the driver can restore the file using a backup file dropped by Win32/Haxdoor during installation.
  • Lock files that Win32/Haxdoor drops at installation so that the files cannot be modified or deleted.
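The Installation section notes that Win32/Haxdoor drops identical pairs of DLL and .sys files, and the restore-from-backup behaviour above relies on those pairs. That gives a defender a simple triage signal: a PE file in the Windows system folder with an exact byte-for-byte duplicate. The following Python script is an added example written for this page, not code from Microsoft; the file names and contents in SAMPLE_SYSTEM_DIR are constructed placeholders rather than real Haxdoor file names, and any duplicate it reports still has to be examined, since legitimate components are occasionally duplicated as well.

```python
"""Find byte-identical .dll/.sys pairs: the 'original plus backup' drop pattern described above.

Added example for this page (not Microsoft's code). The directory contents
below are constructed placeholders, not real Haxdoor file names or hashes.
"""
import hashlib
import os
from collections import defaultdict

# Constructed stand-in for a Windows system folder listing: {file name: file bytes}.
SAMPLE_SYSTEM_DIR = {
    "kernel32.dll": b"MZ\x90\x00legit-library",
    "example1.dll": b"MZ\x90\x00same-dll-bytes",
    "example2.dll": b"MZ\x90\x00same-dll-bytes",      # identical to example1.dll
    "example3.sys": b"MZ\x90\x00same-driver-bytes",
    "example4.sys": b"MZ\x90\x00same-driver-bytes",   # identical to example3.sys
    "other.sys": b"MZ\x90\x00distinct-driver",
    "readme.txt": b"not a PE file",                   # wrong extension and no MZ header: skipped
}


def identical_groups(files, exts=(".dll", ".sys")):
    """Group PE files (MZ header) with the given extensions by SHA-256 and return
    only groups of two or more, as a list of (sha256, [names]) sorted by names.

    files: {name: bytes}
    """
    by_hash = defaultdict(list)
    for name, data in files.items():
        if not name.lower().endswith(exts) or data[:2] != b"MZ":
            continue
        by_hash[hashlib.sha256(data).hexdigest()].append(name)
    groups = [(digest, sorted(names)) for digest, names in by_hash.items() if len(names) > 1]
    return sorted(groups, key=lambda g: g[1])


def scan_directory(path, exts=(".dll", ".sys")):
    """Read a real directory into {name: bytes} and group it.

    Because the Haxdoor rootkit hides its files from the running system, run this
    against an offline disk image or from a clean boot environment, not the live host.
    """
    files = {}
    for entry in os.scandir(path):
        if entry.is_file() and entry.name.lower().endswith(exts):
            with open(entry.path, "rb") as fh:
                files[entry.name] = fh.read()
    return identical_groups(files, exts)


if __name__ == "__main__":
    for digest, names in identical_groups(SAMPLE_SYSTEM_DIR):
        print(f"{digest[:16]}...  {', '.join(names)}")
```

`scan_directory` is the entry point for a real folder; `identical_groups` does the work on in-memory contents so the logic can be exercised without touching disk.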
 
Steals Data
The DLL code may perform the following operations when it runs:  
  • Inject a remote thread into the explorer.exe process so that the DLL code is loaded into the explorer.exe process address space.
  • Call a Win32/Haxdoor system driver to lock the DLLs and system drivers dropped by Win32/Haxdoor so that the files cannot be modified or deleted.
  • Monitor the following resources and call a Win32/Haxdoor system driver to restore them if they are modified or deleted:
    • DLLs and system driver (.sys) files dropped by Win32/Haxdoor
    • Registry entries created by Win32/Haxdoor
  • Gather private user data from the infected computer and save it to a file in the Windows system folder. The private data may include information such as the following: host IP address, operating system, user names and passwords of the current user (such as for ICQ and WebMoney Web sites), and the number of Internet Explorer visits to Web sites such as www.ebay.com, www.paypal.com and www.e-gold.com. On a host computer running Windows 95, Windows 98, or Windows ME, the trojan may also gather DNS information and remote-access service (RAS) phone numbers.
  • Check for the presence of WinRAR and 7-zip software. The trojan may use this software to archive data to be sent to the attacker through a backdoor that Win32/Haxdoor creates.
  • Try to disable certain firewalls and antivirus software.
  • Try to inject a remote thread in the following processes: icq.exe, iexplore.exe, mozilla.exe, msn.exe, myie.exe, opera.exe, outlook.exe, thebat.exe. If this operation succeeds, the injected thread may bypass local software firewalls in order to send collected information to a specified e-mail address.
  • Log keystrokes and send the keystrokes to an e-mail address. The trojan may create several log files in the Windows system folder to store the logged keystrokes as well as user names and passwords that it collects.
  • Drop configuration files in the Windows system folder.
  • Open multiple backdoors on specified or randomly-selected ports. Win32/Haxdoor can use its rootkit to hide these backdoors. An attacker may use a Win32/Haxdoor backdoor to perform actions on the host computer such as the following:
    • Obtain the host computer name and user name.
    • Start and stop a keylogger.
    • Connect to a specified IP address to receive attacker commands and send private user data to the attacker.
    • Create and delete folders; find, move, create, delete, and execute files.
    • Hide, terminate, and change priorities of processes.
    • Transfer files, such as downloading files from URLs and sending files through e-mail.
    • Modify the registry; read and change various configurations.
    • Swap mouse buttons, change the mouse double-click interval, enable or disable the keyboard or floppy disk drive, open or close a CD-ROM drive, play sounds, move the cursor, cause text to appear in windows, draw and display graphics on the desktop, read from and write to the Windows clipboard.
    • Monitor all TCP and UDP ports.
    • Change the backdoor password, clear CMOS settings, get or set the local system time.
    • Log off the current user; restart or shut down Windows.
 
 
Additional Information
Many of the Win32/Haxdoor trojans are created using a commercially available trojan-creator kit. The kernel-mode component of Win32/Haxdoor is detected as WinNT/Haxdoor.
 
In the wild, this trojan may be distributed via spam e-mail messages to users disguised as a useful file, or in some cases as a security update for Windows. The attached file may be named ‘KB######.exe’, where ‘######’ is a sequence of six numbers, as in the following examples:
 
KB631829.exe
KB519287.exe
 
And so on. The following is example text from such a spam e-mail:
 
Dear Microsoft Customer,
 
Please notice that Microsoft company has recently issued a Security Update for OS Microsoft Windows. The update applies to the following OS versions: Microsoft Windows 98, Microsoft Windows 2000, Microsoft Windows Millenium, Microsoft Windows XP, Microsoft Windows Vista.
 
Please notice, that present update applies to high-priority updates category. In order to help protect your computer against security threats and performance problems, we strongly recommend you to install this update.
 
Since public distribution of this Update through the official website http://www.microsoft.com would have result in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all Microsoft Windows OS users.
 
As your computer is set to receive notifications when new updates are available, you have received this notice.
 
In order to start the update, please follow the step-by-step instruction:
1. Run the file, that you have received along with this message.
2. Carefully follow all the instructions you see on the screen.
 
If nothing changes after you have run the file, probably in the settings of your OS you have an indication to run all the updates at a background routine. In that case, at this point the upgrade of your OS will be finished.
 
We apologize for any inconvenience this back order may be causing you.
 

Thank you,
 
Steve Lipner
Director of Security Assurance
Microsoft Corp.
 
It is important to note that Microsoft does not distribute security updates via e-mail attachments. More information about attachment spoofing is available on Technet.
 


Prevention

Take the following steps to help prevent infection on your system:
  • Enable a firewall on your computer.
  • Get the latest computer updates for all your installed software.
  • Use up-to-date antivirus software.
  • Use caution when opening attachments and accepting file transfers.
  • Use caution when clicking on links to web pages.
  • Protect yourself against social engineering attacks.
Enable a firewall on your computer
Use a third-party firewall product or turn on the Microsoft Windows Internet Connection Firewall.
To turn on the Windows Firewall in Windows Vista
  1. Click Start, and click Control Panel.
  2. Click Security.
  3. Click Turn Windows Firewall on or off.
  4. Select On.
  5. Click OK.
To turn on the Internet Connection Firewall in Windows XP
  1. Click Start, and click Control Panel.
  2. Click Network and Internet Connections. If you do not see Network and Internet Connections, click Switch to Category View.
  3. Click Change Windows Firewall Settings.
  4. Select On.
  5. Click OK.
Get the latest computer updates
Updates help protect your computer from viruses, worms, and other threats as they are discovered. It is important to install updates for all the software that is installed in your computer. These are usually available from vendor websites.
 
You can use the Automatic Updates feature in Windows to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
To turn on Automatic Updates in Windows Vista
  1. Click Start, and click Control Panel.
  2. Click System and Maintenance.
  3. Click Windows Updates.
  4. Select a setting. Microsoft recommends selecting Install updates automatically and choose a time that is convenient for you. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.
To turn on Automatic Updates in Windows XP
  1. Click Start, and click Control Panel.
  2. Click System.
  3. Click Automatic Updates.
  4. Select a setting. Microsoft recommends selecting Automatic. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.
Use up-to-date antivirus software
Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software that is updated with the latest signature files. Antivirus software is available from several sources. For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.
Use caution when opening attachments and accepting file transfers
Exercise caution with e-mail and attachments received from unknown sources, or received unexpectedly from known sources. Use extreme caution when accepting file transfers from known or unknown sources.
Use caution when clicking on links to web pages
Exercise caution with links to web pages that you receive from unknown sources, especially if the links are to a web page that you are not familiar with or are suspicious of. Malicious software may be installed in your system simply by visiting a web page with harmful content.
Avoid downloading pirated software
Threats may also be bundled with software and files that are available for download on various torrent sites. Downloading "cracked" or "pirated" software from these sites carries not only the risk of being infected with malware, but is also illegal. For more information, please see our article 'The risks of obtaining and using pirated software'.
Protect yourself from social engineering attacks
While attackers may attempt to exploit vulnerabilities in hardware or software in order to compromise a system, they also attempt to exploit vulnerabilities in human behavior in order to do the same. When an attacker attempts to take advantage of human behavior in order to persuade the affected user to perform an action of the attacker's choice, it is known as 'social engineering'. Essentially, social engineering is an attack against the human interface of the targeted system. For more information, please see our article 'What is social engineering?'. 


Recovery

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft online scanner (http://safety.live.com). For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.