Backdoor:Win32/Hackdef.AD is a backdoor trojan with rootkit functionality. This trojan may hide services, processes and ports and masquerade as a service named "Windows AutoUpdates".
Installation
When this trojan is run, it may create a service that will load a copy of the trojan at each Windows start, with a service name of "Windows Autoupdates".
When Win32/Hackdef.AD executes, it loads a configuration INI file (detected as Backdoor:Win32/Hackdef!ini.A) that tells the trojan which files, processes, services, registry key values, and TCP and UDP ports to hide.
Payload
Stops Processes or Services
Win32/Hackdef.AD may attempt to terminate any of the following programs, which may be used to detect hidden processes, registry keys, or ports:
v3net
iistart
SVCH0ST
sqlserver.exe
ccproxy
inteinfo
cdial
uuid.
configdv
vods
AccInfo
wmide
IceSword
PeanutHull3
Filseclab
xfilter
ipconfig
network
ESTsoft
IceS
ALYac
TCPView
autoruns
procexp
ACPIL.DLL
ACPIFAN.DLL
ACPILid.DLL
service.exe
service.ini
f-secure
fsbl.exe
Rootkit
FcsSas
MsMpEng
Forefront
sc.exe
Hides Processes
Win32/Hackdef.AD may attempt to hide the following processes:
iistart.exe
sqlserver.exe
inteinfo.exe
SVCH0ST.exe
vods.sys
r_server.exe
PhCore.exe
ESTsoft
IceS
ALYac
TCPView
autoruns
procexp
service.exe
v3net.exe
Hides Services
Win32/Hackdef.AD may attempt to hide the following services:
wmide
ccproxy
dfss
Windows AutoUpdates
Wuss
IISMASTER
r_server
PeanuthullCore
netman
remoteaccess
remoteregistry
Network Connections
ALYac_PZSrv
Telephony
rasman
tapisrv
lanmanserver
FcsSas
FCSAM
Hides Registry Subkeys
Win32/Hackdef.AD may attempt to hide the following registry subkeys related to the installation of this trojan:
HackerDefender100
LEGACY_HACKERDEFENDER100
HackerDenderDrv100
LEGACY_HACKERDEFENDERDRV100
wmide
LEGACY_wmide
IISMASTER
LEGACY_IISMASTER
CCproxy
LEGACY_CCproxy
r_server
LEGACY_r_server
RAdmin
LEGACY_RAdmin
dfss
LEGACY_dfss
Windows AutoUpdates
LEGACY_vods
RemoteAccess
LEGACY_RemoteAccess
RasMan
LEGACY_RasMan
tapisrv
LEGACY_tapisrv
services
LEGACY_services
Hides Ports
Win32/Hackdef.AD may attempt to hide the following ports:
TCP: 4362, 88, 89, 808, 1033, 809, 600, 1023, 1024, 1116, 2007, 2008, 9393, 9494, 9595, 5020, 9898, 16888, 17173, 18188, 18888, 50000, 6000, 1723
UDP: 123, 5001
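Because the rootkit hides its own entries from tools running on the infected host, the practical check is a cross-view comparison: what the live host reports versus what an offline source (a registry hive parsed from a disk image, an external port scan) reports, then matched against the names and ports listed in this entry. The script below is an added example, not code from Microsoft or from the malware; the service names, registry subkey names and ports are the ones listed above, and the exported service lists, `netstat` text and external scan results are constructed sample data that stand in for a real export.

```python
"""Offline triage of exported host data against the Win32/Hackdef.AD indicators.

Added example (not part of the encyclopedia entry). Assumes the responder
has exported: the service list as seen by the live host, the same list as
parsed offline from the SYSTEM hive, the subkey names under
CurrentControlSet\\Services / Enum\\Root from both views, `netstat -an`
text captured on the host, and the listening ports an external scanner saw.
"""
import re

# Indicators transcribed from the entry above. Several of the service names
# (netman, rasman, tapisrv, lanmanserver, services) are legitimate Windows
# services, so a name match on its own is only a weak signal; the strong
# signal is an entry that the live host no longer reports but an offline
# view still does.
HACKDEF_SERVICE_NAMES = {
    "wmide", "ccproxy", "dfss", "Windows AutoUpdates", "Wuss", "IISMASTER",
    "r_server", "PeanuthullCore", "netman", "remoteaccess", "remoteregistry",
    "Network Connections", "ALYac_PZSrv", "Telephony", "rasman", "tapisrv",
    "lanmanserver", "FcsSas", "FCSAM",
}
HACKDEF_REGISTRY_SUBKEYS = {
    "HackerDefender100", "LEGACY_HACKERDEFENDER100", "HackerDenderDrv100",
    "LEGACY_HACKERDEFENDERDRV100", "wmide", "LEGACY_wmide", "IISMASTER",
    "LEGACY_IISMASTER", "CCproxy", "LEGACY_CCproxy", "r_server",
    "LEGACY_r_server", "RAdmin", "LEGACY_RAdmin", "dfss", "LEGACY_dfss",
    "Windows AutoUpdates", "LEGACY_vods", "RemoteAccess", "LEGACY_RemoteAccess",
    "RasMan", "LEGACY_RasMan", "tapisrv", "LEGACY_tapisrv", "services",
    "LEGACY_services",
}
HACKDEF_TCP_PORTS = {4362, 88, 89, 808, 1033, 809, 600, 1023, 1024, 1116, 2007,
                     2008, 9393, 9494, 9595, 5020, 9898, 16888, 17173, 18188,
                     18888, 50000, 6000, 1723}
HACKDEF_UDP_PORTS = {123, 5001}


def match_names(names, indicators):
    """Case-insensitive match of exported names against an indicator set."""
    wanted = {s.lower() for s in indicators}
    return sorted(n for n in names if n.lower() in wanted)


def hidden_entries(live_view, offline_view):
    """Entries present in the offline view but missing from the live view.

    A kernel/user-mode rootkit filters the live enumeration; the hive on disk
    or a scan from outside the box does not pass through that filter."""
    return sorted(set(offline_view) - set(live_view))


def parse_netstat(text):
    """Parse `netstat -an` style lines into a set of (proto, local_port)."""
    found = set()
    for line in text.splitlines():
        m = re.match(r"\s*(TCP|UDP)\s+\S+:(\d+)\s", line)
        if m:
            found.add((m.group(1), int(m.group(2))))
    return found


def indicator_ports(ports):
    """Keep only (proto, port) pairs that appear in the entry's port lists."""
    return sorted(p for p in ports
                  if (p[0] == "TCP" and p[1] in HACKDEF_TCP_PORTS)
                  or (p[0] == "UDP" and p[1] in HACKDEF_UDP_PORTS))


def triage(live_services, offline_services, live_subkeys, offline_subkeys,
           netstat_text, external_ports):
    """Combine the cross-view gaps with the indicator lists into one report."""
    hidden_svc = hidden_entries(live_services, offline_services)
    hidden_keys = hidden_entries(live_subkeys, offline_subkeys)
    hidden_ports = hidden_entries(parse_netstat(netstat_text), external_ports)
    return {
        # High confidence: hidden from the host AND a known Hackdef.AD name.
        "hidden_services_matching": match_names(hidden_svc, HACKDEF_SERVICE_NAMES),
        "hidden_subkeys_matching": match_names(hidden_keys, HACKDEF_REGISTRY_SUBKEYS),
        "hidden_ports_matching": indicator_ports(hidden_ports),
        # Lower confidence: name matches in the offline view, including
        # legitimate services the rootkit merely piggybacks on.
        "all_name_matches": match_names(offline_services, HACKDEF_SERVICE_NAMES),
    }


# Constructed sample data standing in for real exports.
SAMPLE_LIVE_SERVICES = ["Dnscache", "EventLog", "Spooler", "RasMan"]
SAMPLE_OFFLINE_SERVICES = SAMPLE_LIVE_SERVICES + ["Windows AutoUpdates", "wmide"]
SAMPLE_LIVE_SUBKEYS = ["Dnscache", "EventLog", "Spooler"]
SAMPLE_OFFLINE_SUBKEYS = SAMPLE_LIVE_SUBKEYS + ["HackerDefender100",
                                                "LEGACY_HACKERDEFENDER100"]
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  UDP    0.0.0.0:500            *:*
"""
SAMPLE_EXTERNAL_PORTS = {("TCP", 135), ("TCP", 445), ("TCP", 808), ("UDP", 123)}


def sample_report():
    return triage(SAMPLE_LIVE_SERVICES, SAMPLE_OFFLINE_SERVICES,
                  SAMPLE_LIVE_SUBKEYS, SAMPLE_OFFLINE_SUBKEYS,
                  SAMPLE_NETSTAT, SAMPLE_EXTERNAL_PORTS)


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

The report separates the high-confidence findings (an entry the host hides that also carries one of the names or ports above) from plain name matches, because the entry's own lists include ordinary services such as RasMan and lanmanserver that will be present on any clean machine.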
Backdoor Functionality
Win32/Hackdef.AD allows an attacker unauthorized access and control of an affected machine.
Analysis by Andrei Florin Saygo