Threat behavior
Backdoor:Win32/Hackdef.AA can be started in two ways:
Locally, by user interaction such as clicking a Web link or an e-mail attachment.
Remotely, by a process on another computer that is scanning the network. If the scanner finds a computer that can be compromised, it can exploit a vulnerability to locate, install, or reinstall Backdoor:Win32/Hackdef.AA and run it on the target computer.
If Backdoor:Win32/Hackdef.AA infects a computer through a user account that has administrator privileges, it infects the current session and subsequent sessions of all users. If this Trojan infects a computer through a user account that does not have administrator privileges, it infects current and future sessions of only that user.
Backdoor:Win32/Hackdef.AA runs as a process and installs itself as a service. When it runs, it takes the following actions:
Checks for a configuration block that it recognizes. The configuration may be stored in a .dll or .ini file or embedded in the Trojan code itself, and it contains parameters for changing settings on the computer. Settings in the configuration determine rootkit operations such as:
Hiding system resources, including system memory, files, processes, services, registry keys, opened TCP and UDP ports, and other settings.
Providing and controlling backdoor functionality.
Providing proxy services.
Creates mailslots on the computer. A mailslot functions as a backdoor that receives commands from an attacker and returns information to the attacker. The Trojan first creates a default mailslot. Then, for each attacker, the Trojan creates a separate, private mailslot and notifies the attacker of its name. The attacker can then send commands through the private mailslot to control the Trojan's functionality on the computer. For example, the attacker may refresh a configuration or initialization file.
Creates a mapping object in memory to store original code from Windows system APIs.
Drops a driver at <system folder>\drivers\sysboot.sys. The driver can be used to run custom code in kernel mode. It duplicates process tokens to obtain process-related information, which allows the Trojan to modify the behavior of those processes while they are running in memory.
Prevention