Threat behavior
Backdoor:Win32/Haxdoor.gen!dll is a component of Backdoor:Win32/Haxdoor that opens TCP ports and connects to predefined remote Web sites.
Installation
Win32/Haxdoor.gen!dll is installed by a variant of Backdoor:Win32/Haxdoor. When the dropper is run, it will drop the following files:
<system folder>\gzipmod.dll - Backdoor:Win32/Haxdoor.gen!dll
<system folder>\vbagz.sys - Backdoor:Win32/Haxdoor.gen!sys
The registry is modified to execute the dropped component 'gzipmod.dll' at Windows start.
Adds value: DllName
With data: "gzipmod.dll"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gzipmod
Haxdoor.gen!dll is launched via the Windows utility RUNDLL32.EXE; because it is also registered as a Winlogon notification package (the DllName value under Winlogon\Notify), winlogon.exe loads the DLL at logon in the LocalSystem context, so the backdoor does not depend on any user-mode autostart entry. The registry is then modified again so that the other component, the kernel driver 'vbagz.sys', is also loaded in Safe Mode and Safe Mode with Networking; without these SafeBoot entries a driver is not loaded in safe mode, so this is what keeps the rootkit component active when an administrator boots into safe mode to clean the system.
Adds value: (default)
With data: "driver"
To subkey: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vbagz.sys
Adds value: (default)
With data: "driver"
To subkey: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vbagz.sys
Payload
Opens Ports
Win32/Haxdoor.gen!dll attempts to connect outbound to the predefined remote site 'ulm-haafeulm-haa.com' on TCP port 80 (HTTP), so the traffic blends in with ordinary web browsing. In addition, the trojan opens and listens on TCP ports 6051 and 6052 for inbound connections, which can be spotted on the host with netstat or on the network by the unexpected listening ports.
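The indicators listed in the Installation and Payload sections (the dropped file names, the Winlogon\Notify registration, the SafeBoot driver entries and the listening ports) can be checked offline against artifacts collected from a suspect host. The following triage script is an added example, not code from Microsoft or from this write-up: it matches those indicators in a .reg export and in `netstat -ano` output, and it goes slightly beyond the specific case by flagging any Winlogon notification package that is not on a small allow-list of the packages that ship with Windows XP/2003 (that allow-list and the sample artifacts below are constructed assumptions, and the C2 IP address is a placeholder standing in for whatever 'ulm-haafeulm-haa.com' resolved to at the time).

```python
"""Offline triage for Backdoor:Win32/Haxdoor.gen!dll indicators.

Added example, not Microsoft's code. Scans a .reg export and netstat -ano
output for the persistence and network indicators in the write-up.
"""
import os
import re

# Indicators taken from the write-up.
DROPPED_FILES = {"gzipmod.dll", "vbagz.sys"}
LISTEN_PORTS = {6051, 6052}
C2_HOST = "ulm-haafeulm-haa.com"

# Assumption: Winlogon notification packages present on a stock XP/2003 build.
# Anything else under Winlogon\Notify deserves a look; tune for your image.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

NOTIFY_RE = re.compile(
    r'^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion'
    r'\\Winlogon\\Notify\\([^\]]+)\]$', re.I)
SAFEBOOT_RE = re.compile(
    r'^\[HKEY_LOCAL_MACHINE\\SYSTEM\\(?:CurrentControlSet|ControlSet\d+)'
    r'\\Control\\SafeBoot\\(Minimal|Network)\\([^\]]+)\]$', re.I)
# Only plain REG_SZ values are decoded; hex(2) (REG_EXPAND_SZ) data is skipped.
DLLNAME_RE = re.compile(r'^"DllName"="(.+)"$', re.I)

LISTEN_RE = re.compile(r'^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING(?:\s+(\d+))?', re.I)
ESTAB_RE = re.compile(r'^\s*TCP\s+\S+:\d+\s+(\S+):(\d+)\s+ESTABLISHED', re.I)


def scan_reg_export(text):
    """Return (kind, key, detail) findings from a .reg export."""
    findings = []
    notify_pkg = None  # name of the Winlogon\Notify subkey we are inside, if any
    for line in text.splitlines():
        line = line.strip()
        m = NOTIFY_RE.match(line)
        if m:
            notify_pkg = m.group(1)
            continue
        m = SAFEBOOT_RE.match(line)
        if m:
            notify_pkg = None
            mode, name = m.group(1), m.group(2)
            # A dropped component allowed to load in safe mode is the Haxdoor pattern.
            if name.lower() in DROPPED_FILES:
                findings.append(("safeboot", "SafeBoot\\%s\\%s" % (mode, name),
                                 "dropped Haxdoor driver allowed in safe mode"))
            continue
        if line.startswith("["):
            notify_pkg = None  # any other key ends the Notify context
            continue
        m = DLLNAME_RE.match(line)
        if m and notify_pkg:
            dll = m.group(1)
            base = dll.replace("/", "\\").split("\\")[-1].lower()
            if base in DROPPED_FILES:
                findings.append(("winlogon_notify", notify_pkg,
                                 "DllName=%s is a dropped Haxdoor component" % dll))
            elif notify_pkg.lower() not in KNOWN_NOTIFY:
                findings.append(("winlogon_notify", notify_pkg,
                                 "unrecognised notification package DllName=%s" % dll))
    return findings


def scan_netstat(text, c2_addrs=()):
    """Flag listeners on the backdoor ports and HTTP connections to resolved C2 addresses."""
    findings = []
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if m and int(m.group(1)) in LISTEN_PORTS:
            findings.append(("listener", "tcp/" + m.group(1),
                             "pid %s listening on Haxdoor backdoor port" % (m.group(2) or "?")))
            continue
        m = ESTAB_RE.match(line)
        if m and m.group(1) in c2_addrs and m.group(2) == "80":
            findings.append(("c2", "%s:80" % m.group(1), "HTTP connection to resolved " + C2_HOST))
    return findings


def find_dropped_files(system_dir):
    """Return the dropped component names present in system_dir (case-insensitive)."""
    present = {n.lower() for n in os.listdir(system_dir)}
    return sorted(DROPPED_FILES & present)


# Constructed sample artifacts (not real captures).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"="crypt32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gzipmod]
"DllName"="gzipmod.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vbagz.sys]
@="driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
@="Driver"
"""

SAMPLE_NETSTAT = """  TCP    0.0.0.0:6051           0.0.0.0:0              LISTENING       1288
  TCP    0.0.0.0:6052           0.0.0.0:0              LISTENING       1288
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:1045      203.0.113.7:80         ESTABLISHED     1288
"""

if __name__ == "__main__":
    # 203.0.113.7 is a placeholder for the address the C2 host resolved to.
    for f in scan_reg_export(SAMPLE_REG) + scan_netstat(SAMPLE_NETSTAT, {"203.0.113.7"}):
        print("%-16s %-32s %s" % f)
```

Run the script against a `reg export` of HKLM and a saved `netstat -ano` from the suspect host; a process ID shared between the 6051/6052 listeners and the port 80 connection, as in the constructed sample, is the kind of correlation that points at the injected process. Because the DLL is loaded by winlogon.exe, expect the listening PID to be winlogon's rather than that of any visible user process.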
Additional Information
Analysis by Tim Liu
Prevention