
Backdoor:Win32/Haxdoor


Win32/Haxdoor is a family of rootkit-capable backdoor trojans that gather private user data and send it to remote attackers. Collected data might include user names and passwords, credit card numbers, bank logon credentials, or other sensitive financial information. Files and processes related to a Win32/Haxdoor infection may be hidden by a kernel-mode rootkit component, detected by Microsoft as WinNT/Haxdoor. Win32/Haxdoor can also disable security-related software and redirect the infected user’s URL connection requests. Depending on the version of the operating system infected, Win32/Haxdoor may perform other malicious actions, such as clearing CMOS settings, destroying disk data, and shutting down Windows unexpectedly.


What to do now

To detect and remove this threat and other malicious software that may be installed in your computer, run a full-system scan with an up-to-date antivirus product such as the following:
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Installation
Win32/Haxdoor is a family of backdoor trojans with rootkit capabilities. When a Win32/Haxdoor trojan is run, it typically performs the following operations:
  • Drops two identical DLLs; one of the DLLs is a backup in case the other DLL is modified or deleted.
  • Drops two identical system driver (.sys) files; one of these files is a backup in case the other driver is modified or deleted. Alternatively, the trojan may drop two distinct system driver (.sys) files and two additional driver files as backups in case the originals are modified or deleted. The trojan's rootkit functionality is contained in a system driver file.
  • Drops an empty .ini file in the Windows system folder. The trojan uses this file to store configuration information for its operations.
  • Creates services for the dropped system drivers and may modify the registry so that Windows loads the drivers each time it starts, even in safe mode.
  • Modifies the registry so that each time a user logs on, the dropped DLL is loaded and a specified function in the DLL is called at the privilege level of the current user. This is accomplished as follows:
    • On an infected host running a Windows NT-based operating system such as Windows XP or Windows Server 2003:
      Creates a subkey under registry subkey
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
      and creates the following values and data in that subkey:
      Adds value: DllName
      with data: <name of dropped DLL>
      Adds value: Startup
      with data: <name of an exported function in dropped DLL>
      Adds value: Impersonate
      with data: 1
      Adds value: Asynchronous
      with data: 1
      Adds value: MaxWait
      with data: 1
    • On an infected host running Windows 95, Windows 98, or Windows ME:
      Adds values to registry subkey
      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MPRServices\TestService
      as follows:
      Adds value: DllName
      with data: <name of dropped DLL>
      Adds value: Entrypoint
      with data: <name of an exported function in dropped DLL>
      Adds value: StackSize
      with data: 0
      Runs the Windows system file mprexe.exe. This causes the dropped DLL to be loaded due to the Win32/Haxdoor modifications in the MPRServices subkey.
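As an added example (not part of the Microsoft entry), the following Python script parses a `reg export` of the Winlogon\Notify key taken from a suspect Windows NT-based host and flags Notify packages whose DllName is not on an allowlist built from a known-clean machine, or whose value set matches the pattern described above (a Startup handler with Impersonate, Asynchronous and MaxWait all set to 1). The sample export, the package name `xyz`, the DLL name `constructed.dll` and the allowlist contents are constructed assumptions, not indicators from the page.

```python
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
# Values the page lists for the Win32/Haxdoor Notify subkey, besides DllName and Startup.
HAXDOOR_VALUES = {"Impersonate": "1", "Asynchronous": "1", "MaxWait": "1"}

# Constructed sample of `reg export` output; "constructed.dll" is a placeholder, not a real IoC.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xyz]
"DllName"="constructed.dll"
"Startup"="StartupFn"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
"MaxWait"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DllName"="wlnotify.dll"
"Logon"="SCLogonEvent"
'''

def parse_reg_export(text):
    """Parse the [key] / "name"=data subset of .reg syntax into {key: {name: data}}.
    REG_SZ is unquoted, REG_DWORD becomes a decimal string, other types stay raw."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif line.startswith('"') and '"=' in line and current is not None:
            name, data = line[1:].split('"=', 1)
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")   # .reg escapes backslashes
            elif data.startswith("dword:"):
                data = str(int(data[6:], 16))
            keys[current][name] = data
    return keys

def find_suspicious_notify_packages(keys, allowed_dlls):
    """Return (package, reasons) for Notify subkeys whose DllName is not on an allowlist
    built from a known-clean machine, or that carry the Haxdoor-style value set."""
    prefix, allowed = NOTIFY_KEY.lower() + "\\", {d.lower() for d in allowed_dlls}
    findings = []
    for key, values in keys.items():
        if not key.lower().startswith(prefix):
            continue
        dll, reasons = values.get("DllName", ""), []
        if dll.lower() not in allowed:
            reasons.append(f"DllName {dll!r} not on allowlist")
        if "Startup" in values and all(values.get(k) == v for k, v in HAXDOOR_VALUES.items()):
            reasons.append("Startup handler with Impersonate, Asynchronous and MaxWait all 1")
        if reasons:
            findings.append((key[len(prefix):], reasons))
    return findings
```

A real `reg export` file is UTF-16 with a byte-order mark, so read it with `open(path, encoding="utf-16")` before passing it to `parse_reg_export`. Because the trojan's DLL restores its registry entries and the kernel-mode component hides files and processes, treat an export taken from the live host as a first pass and prefer a hive copied from an offline boot.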
A system driver (.sys) file dropped by Win32/Haxdoor may take the following actions (Windows NT-based operating systems only):
  • Clear CMOS settings.
  • Destroy disk data.
  • Enable or disable the keyboard or floppy drive.
  • Act as a rootkit. The rootkit intercepts calls to certain Windows API functions. Win32/Haxdoor uses this method to hide files and ports, hide and prevent termination of Win32/Haxdoor processes, disable firewalls and antivirus software, steal user data (such as data exchanged with certain Web sites), and redirect certain URL-connection user requests. 

Payload
Resists Removal
The same system driver may perform the following additional operations (alternatively, some Win32/Haxdoor variants drop a second driver to perform these operations):
  • Reset registry entries, if necessary, to match registry modifications that Win32/Haxdoor makes during installation. The Win32/Haxdoor DLL monitors the trojan registry entries and calls this system driver to restore modified or deleted entries as necessary. 
  • Restore Win32/Haxdoor files, if necessary. This system driver may attempt to open files that Win32/Haxdoor drops during installation. If a file-open operation fails, the driver can restore the file using a backup file dropped by Win32/Haxdoor during installation.
  • Lock files that Win32/Haxdoor drops at installation so that the files cannot be modified or deleted.
 
Steals Data
The DLL code may perform the following operations when it runs:  
  • Inject a remote thread into the explorer.exe process so that the DLL code is loaded into the explorer.exe process address space.
  • Call a Win32/Haxdoor system driver to lock the DLLs and system drivers dropped by Win32/Haxdoor so that the files cannot be modified or deleted.
  • Monitor the following resources and call a Win32/Haxdoor system driver to restore them if they are modified or deleted:
    • DLLs and system driver (.sys) files dropped by Win32/Haxdoor
    • Registry entries created by Win32/Haxdoor
  • Gather private user data from the infected computer and save it to a file in the Windows system folder. The private data may include information such as the following: host IP address, operating system, user names and passwords of the current user (such as for ICQ and WebMoney Web sites), and the number of Internet Explorer visits to Web sites such as www.ebay.com, www.paypal.com and www.e-gold.com. On a host computer running Windows 95, Windows 98, or Windows ME, the trojan may also gather DNS information and remote-access service (RAS) phone numbers.
  • Check for the presence of WinRAR and 7-zip software. The trojan may use this software to archive data to be sent to the attacker through a backdoor that Win32/Haxdoor creates.
  • Try to disable certain firewalls and antivirus software.
  • Try to inject a remote thread into the following processes: icq.exe, iexplore.exe, mozilla.exe, msn.exe, myie.exe, opera.exe, outlook.exe, thebat.exe. If this operation succeeds, the injected thread may bypass local software firewalls in order to send collected information to a specified e-mail address.
  • Log keystrokes and send the keystrokes to an e-mail address. The trojan may create several log files in the Windows system folder to store the logged keystrokes as well as user names and passwords that it collects.
  • Drop configuration files in the Windows system folder.
  • Open multiple backdoors on specified or randomly-selected ports. Win32/Haxdoor can use its rootkit to hide these backdoors. An attacker may use a Win32/Haxdoor backdoor to perform actions on the host computer such as the following:
    • Obtain the host computer name and user name.
    • Start and stop a keylogger.
    • Connect to a specified IP address to receive attacker commands and send private user data to the attacker.
    • Create and delete folders; find, move, create, delete, and execute files.
    • Hide, terminate, and change priorities of processes.
    • Transfer files, such as downloading files from URLs and sending files through e-mail.
    • Modify the registry; read and change various configurations.
    • Swap mouse buttons, change the mouse double-click interval, enable or disable the keyboard or floppy disk drive, open or close a CD-ROM drive, play sounds, move the cursor, cause text to appear in windows, draw and display graphics on the desktop, read from and write to the Windows clipboard.
    • Monitor all TCP and UDP ports.
    • Change the backdoor password, clear CMOS settings, get or set the local system time.
    • Log off the current user; restart or shut down Windows.
 
 
Additional Information
Many of the Win32/Haxdoor trojans are created using a commercially available trojan-creator kit. The kernel-mode component of Win32/Haxdoor is detected as WinNT/Haxdoor.
 
In the wild, this trojan may be distributed via spam e-mail messages to users disguised as a useful file, or in some cases as a security update for Windows. The attached file may be named ‘KB######.exe’, where ‘######’ is a sequence of six digits, as in the following examples:
 
KB631829.exe
KB519287.exe
 
And so on. The following is the body of an example spam e-mail:
 
Dear Microsoft Customer,
 
Please notice that Microsoft company has recently issued a Security Update for OS Microsoft Windows. The update applies to the following OS versions: Microsoft Windows 98, Microsoft Windows 2000, Microsoft Windows Millenium, Microsoft Windows XP, Microsoft Windows Vista.
 
Please notice, that present update applies to high-priority updates category. In order to help protect your computer against security threats and performance problems, we strongly recommend you to install this update.
 
Since public distribution of this Update through the official website http://www.microsoft.com would have result in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all Microsoft Windows OS users.
 
As your computer is set to receive notifications when new updates are available, you have received this notice.
 
In order to start the update, please follow the step-by-step instruction:
1. Run the file, that you have received along with this message.
2. Carefully follow all the instructions you see on the screen.
 
If nothing changes after you have run the file, probably in the settings of your OS you have an indication to run all the updates at a background routine. In that case, at this point the upgrade of your OS will be finished.
 
We apologize for any inconvenience this back order may be causing you.
 

Thank you,
 
Steve Lipner
Director of Security Assurance
Microsoft Corp.
 
It is important to note that Microsoft does not distribute security updates via e-mail attachments. More information about attachment spoofing is available on Technet.
 

Symptoms

Symptoms of a Win32/Haxdoor infection may vary depending on the particular variant and the operating system affected. On computers running Microsoft Windows Server 2003, Windows XP, or Windows 2000, a Win32/Haxdoor infection may cause the computer to unexpectedly restart and display a STOP error on login. For details, see Microsoft KB Article 903251 at http://support.microsoft.com/kb/903251/EN-US/.

Prevention


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Sep 14, 2006
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Win32/Haxdoor (CA)
  • Haxdoor.Fam (Sunbelt Software)