Threat behavior
VirTool:WinNT/Haxdoor.C is a kernel-mode rootkit-enabled Trojan that allows remote control of the infected machine over the Internet. The Trojan contains instructions that allow it to disable certain antivirus programs and firewall applications, log keystrokes, allow remote connections, lower security settings or perform other unwanted actions. VirTool:WinNT/Haxdoor.C gathers user and system information and sends it to a third party.
VirTool:WinNT/Haxdoor.C exists in two forms: an installer package, and the installed kernel-mode driver together with its related components.
When VirTool:WinNT/Haxdoor.C is run, it takes the following actions:
Drops files into the Windows system folder. The default location of the Windows system folder is C:\Windows\System32 (Windows XP, Vista), C:\Winnt\System32 (Windows NT/2000) or C:\Windows\System (Windows 95/98/ME):
draw32.dll, cm.dll (33,056 bytes each)
vdnt32.sys, hm.sys (14,832 bytes each)
memlow.sys, wd.sys (4,096 bytes each)
p2.ini (a configuration file)
klogini.dll (logged data)
vtd_16.exe
dt163.dt
fltr.a3d
redir.a3d
Injects code (draw32.dll) into the following processes, if they are found in memory, to capture logon credentials:
Explorer.exe
Iexplorer.exe
Opera.exe
Myie.exe
Mozilla.exe
Thebat.exe
Outlook.exe
Msn.exe
Icq.exe
Modifies the registry to load these copies of the rootkit when Windows is started:
Adds values:
DisplayName = "LMMngr"
ImagePath = <system folder>\memlow.sys
Start = 2 (demand)
Type = 1 (kernel)
To subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\memlow
Adds values:
DisplayName = "MemDrv"
ImagePath = <system folder>\vdnt32.sys
Start = 1 (auto)
Type = 1 (kernel)
To subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\vdnt32
Win9x
Adds values:
DllName = draw32.dll
Startup = MedManager
StackSize = 14:5
To subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MRPServices\TestService
WinNT/XP
Adds values:
Asynchronous = 1
DllName = draw32.dll
Impersonate = 1
MaxWait = 1
Startup = MedManager
To subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\draw32
VirTool:WinNT/Haxdoor.C hooks various system calls located in the System Service Descriptor Table (SSDT), including the following:
ZwOpenProcess
ZwCreateProcess
ZwQueryDirectoryFile
ZwOpenThread
ZwQuerySystemInformation
ZwCreateProcessEx
Disables the following services or processes:
Engine.dll (Ewido program file)
Perfiloc.dll (Kaspersky program file)
ZlParser.dll (Check Point "Zone Alarm" program file)
AVPmsrv.dll (Kaspersky program file)
MCagnTPS.dll (McAfee program file)
Cmondll.dll (Sygate firewall program file)
IamEvent.dll (Symantec "NIS" program file)
Kills the following security-related applications if they are running or are executed:
Zapro.exe (Check Point "Zone Alarm Pro" application)
Vsmon.exe (Check Point "Zone Alarm" application)
Jamapp.exe
Atrack.exe (Symantec "NIS" application)
Iamapp.exe (Symantec "NIS" application)
Fwact.exe (Panda "PIS" application)
Outpost.exe (Outpost Firewall application)
Zlclient.exe (Check Point "Zone Alarm" application)
Mpftray.exe (McAfee firewall application)
Mpfagent.exe (McAfee firewall application)
Uses the NtLockFile API to lock the following files so that they can no longer be used:
%CommonProgramFiles%\PFWShared\idsxres.dll (Tiny Personal Firewall program file)
%CommonProgramFiles%\ZoneLabs\vsmon.exe (Checkpoint ZoneAlarm program file)
Disables memory write protection via a registry change:
Modifies value: EnforceWriteProtection
With data: 0
To subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
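The registry persistence listed above (the memlow and vdnt32 services, the Winlogon Notify entry for draw32.dll and the EnforceWriteProtection change) can be checked against a registry export rather than the live system. The Python below is an added example, not part of this write-up or of any Microsoft tool; the .reg text it parses is constructed, and its parser only handles the quoted-string and dword value types that this check needs.

```python
import re
# Persistence indicators taken from the write-up: (subkey, value name, expected data)
HAXDOOR_REG_INDICATORS = [
    (r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\memlow", "DisplayName", "LMMngr"),
    (r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\vdnt32", "DisplayName", "MemDrv"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\draw32",
     "DllName", "draw32.dll"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management",
     "EnforceWriteProtection", "0"),
]
_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

def parse_reg_export(text):
    """Parse .reg text into {key: {name: data}} (lower-cased: the registry is case-insensitive)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := _KEY_RE.match(line)):
            current = keys.setdefault(m.group("key").lower(), {})
        elif (m := _VAL_RE.match(line)) and current is not None:
            data = m.group("data")
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1].replace("\\\\", "\\")   # unescape REG_SZ backslashes
            elif data.lower().startswith("dword:"):
                data = str(int(data[6:], 16))            # dword hex -> decimal string
            current[m.group("name").lower()] = data
    return keys

def find_haxdoor_indicators(reg_text):
    """Return the (subkey, value name, data) indicators that are present in the export."""
    keys = parse_reg_export(reg_text)
    hits = []
    for subkey, name, expected in HAXDOOR_REG_INDICATORS:
        data = keys.get(subkey.lower(), {}).get(name.lower())
        if data is not None and data.lower() == expected.lower():
            hits.append((subkey, name, data))
    return hits

# Constructed sample export (not from a real infected host): three of the four indicators present
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\memlow]
"DisplayName"="LMMngr"
"ImagePath"="C:\\Windows\\System32\\memlow.sys"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\draw32]
"DllName"="draw32.dll"
"Startup"="MedManager"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"EnforceWriteProtection"=dword:00000000
'''
```

Because the rootkit hooks SSDT calls such as ZwQuerySystemInformation and ZwQueryDirectoryFile, take the export from a clean boot or an offline hive rather than trusting the live system's view of the registry.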
Creates a backup of registry security settings by copying "<system folder>\config\SAM" to "<system folder>\config\SSL".
Logs password information stored in the registry, or cached, or found in the installed path for any of these applications:
WebMoney
Miranda
MuxaSoft Mdialer
Mirabilis ICQ
Internet Account Manager
POP3, IMAP passwords
Cached credentials: POP3 user name and passwords, IMAP user name and passwords
Captured data may be e-mailed to the rootkit author over SMTP.
Logged passwords are stored in the data file "klogini.dll" in the Windows system folder.
May connect to a remote Web site containing attacker-related material.
Displays an interactive dialog to the user with the following message content:
Dear Internet Bank User!
We recognize the importance of protecting your personal and financial information and for security purposes we have entered additional checking. The personal information that we obtain about you assists us in servicing your account. Your personal information is used primarily as a way of authenticating you as the proper owner of your account and as the person who can made payments. We protect your account information. That’s why you have to enter a unique Memorable information.
Please input your Memorable information: …
Please input your Security Number: …
Please input your Security Number and Password: …
Please input your Passnumber
Enter alpha or numerical characters from your Personal identification which you have provided to our bank.
Please exclude any special characters such as ‘-‘,’/’,’(‘ etc
Key login forms situated throughout the website are protected by SSL (Security Socket Layer) encryption, which guarantees that information submitted from your browser to our server arrives unaltered and intercepted by no third party. All information and details encryption in accordance with bank policy.
Please check your input and click button.
Please note that the information is case-sensitive, therefore make sure that the CAPS LOCK key is not engaged on your keyboard.
Prevention