Francis WORLD 2006 YEAR OF THE WORLD CUP

Tuesday, August 09, 2005


Virus information
Troj/Haxdoor-H
Summary

Profile
Name Troj/Haxdoor-H
Type Trojan

Affected operating systems Windows

Side effects Turns off anti-virus applications
Allows others to access the computer
Reduces system security
Installs itself in the Registry

Aliases TrojanSpy.Win32.Agent.aa

Protection
Protection available since 23 August 2004 08:12:18 (GMT)
Included in our products from October 2004 (3.86)
Staying up to date
EM Library provides fully automated updating of Sophos Anti-Virus on a wide range of platforms. If you're using one of our enterprise solutions and aren't already using EM Library, check it out now. Users of our small business solutions are automatically updated by Sophos AutoUpdate.


Description


This section helps you to understand how it behaves
Troj/Haxdoor-H is a backdoor Trojan that provides unauthorised access to an infected computer.


Recovery


This section tells you how to disinfect.
Please follow the instructions for removing Trojans.


Advanced


This section is for technical experts who want to know more.
Troj/Haxdoor-H is a backdoor Trojan that provides unauthorised access to an infected computer.
The installation executable for Troj/Haxdoor-H drops the following files to the Windows system folder: i.a3d, draw32.dll, p2.ini, cm.dll, vdnt32.sys, hm.sys, memlow.sys, wd.sys and klogini.dll (not all of these files are installed under Windows 95/98/ME). i.a3d, p2.ini and klogini.dll are harmless data files.
On NT-based versions of Windows, services named memlow and vdnt32 (with display names "LMMngr" and "MemDRV") are created to run memlow.sys and vdnt32.sys respectively, creating registry entries under:
HKLM\SYSTEM\CurrentControlSet\Services\memlow\
HKLM\SYSTEM\CurrentControlSet\Services\vdnt32\
The new memlow service has a startup type set to automatic, so that the service is run automatically on startup.
On NT-based versions of Windows sub-keys of the following new registry entry are created to load draw32.dll on startup and run the "MemManager" export:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\draw32\
Under Windows 95/98/ME one of the following sets of registry entries is created, so that draw32.dll is loaded on startup and the "MemManager" export called:
HKLM\System\currentcontrolset\control\mprserDllname = draw32.dll
HKLM\System\currentcontrolset\control\mprserEntrypoint = "MemManager"
HKLM\System\currentcontrolset\control\mprserStackSize = 0
HKLM\System\currentcontrolset\control\MPRServicesTestService\Dllname = draw32.dll
HKLM\System\currentcontrolset\control\MPRServicesTestService\Entrypoint = "MemManager"
HKLM\System\currentcontrolset\control\MPRServicesTestService\StackSize = 0
(the draw32.dll code will be run under the Mprexe system process.)
The following registry entries are also set:
HKLM\SYSTEM\RAdmin\v2.0\Server\Parameters\DisableTrayIcon = 1
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\EnforceWriteProtection = 0
HKLM\SYSTEM\CurrentControlSet\Control\Impersonate =
HKLM\SYSTEM\CurrentControlSet\Control\StackSize = 20:8
Troj/Haxdoor-H will delete the following files if they exist:
%SYSTEM%\drivers\klif.sys
%SYSTEM%\drivers\klpf.sys
Troj/Haxdoor-H attempts to disable certain anti-virus and security related programs and may attempt to prevent itself and its dropped components from being deleted.
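The file and registry indicators listed above can be audited with a short read-only PowerShell script. The script below is an added example, not part of the Sophos description and not Sophos's tooling. It assumes an NT-based Windows host, an elevated session (the Services and Session Manager keys are not readable by every user), and that the Winlogon Notify package keeps its DLL path in the conventional DLLName value, since the description only says that sub-keys are created under Notify\draw32. The function name Find-HaxdoorHIndicators and the output strings are mine; the paths, service names and values are taken from the description.

```powershell
# Added example: audit a host for the Troj/Haxdoor-H indicators given in the
# Sophos description. Read-only: it reports, it does not remove anything.
function Find-HaxdoorHIndicators {
    $systemDir = [Environment]::GetFolderPath('System')
    $findings  = @()

    # Files the installer drops into the Windows system folder.
    $droppedFiles = 'i.a3d','draw32.dll','p2.ini','cm.dll',
                    'vdnt32.sys','hm.sys','memlow.sys','wd.sys','klogini.dll'
    foreach ($f in $droppedFiles) {
        $p = Join-Path $systemDir $f
        if (Test-Path -LiteralPath $p) { $findings += "file present: $p" }
    }

    # Kernel driver services (key name -> display name given in the description).
    $services = @{ 'memlow' = 'LMMngr'; 'vdnt32' = 'MemDRV' }
    foreach ($svc in $services.Keys) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        if (Test-Path -LiteralPath $key) {
            $props = Get-ItemProperty -LiteralPath $key
            # Start = 2 is SERVICE_AUTO_START, which the description says memlow uses.
            $findings += ('service key: {0} (DisplayName={1}, ImagePath={2}, Start={3})' -f
                          $key, $props.DisplayName, $props.ImagePath, $props.Start)
        }
    }

    # Winlogon Notify package that loads draw32.dll and calls its "MemManager" export.
    # Notify packages only exist on XP/2003-era Windows; the key is simply absent later.
    # DLLName is the conventional value name for such packages (assumption, see lead-in).
    $notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\draw32'
    if (Test-Path -LiteralPath $notify) {
        $props = Get-ItemProperty -LiteralPath $notify
        $findings += ('winlogon notify package: {0} (DLLName={1})' -f $notify, $props.DLLName)
    }

    # Registry values the Trojan sets. EnforceWriteProtection = 0 matters most: it
    # turns off the kernel's write protection of its own read-only pages, which a
    # driver needs in order to patch kernel code or tables in place.
    $valueChecks = @(
        @{ Key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
           Name = 'EnforceWriteProtection'; Bad = 0 },
        @{ Key  = 'HKLM:\SYSTEM\RAdmin\v2.0\Server\Parameters'
           Name = 'DisableTrayIcon'; Bad = 1 }
    )
    foreach ($c in $valueChecks) {
        if (Test-Path -LiteralPath $c.Key) {
            $v = (Get-ItemProperty -LiteralPath $c.Key -ErrorAction SilentlyContinue).($c.Name)
            if ($null -ne $v -and $v -eq $c.Bad) {
                $findings += "registry value: $($c.Key)\$($c.Name) = $v"
            }
        }
    }

    # Anti-virus filter drivers the Trojan deletes. Their absence is only a signal
    # on a host where that product is expected to be installed.
    foreach ($drv in 'klif.sys','klpf.sys') {
        $p = Join-Path $systemDir "drivers\$drv"
        if (-not (Test-Path -LiteralPath $p)) {
            $findings += "driver not present (meaningful only if that AV product is installed): $p"
        }
    }

    return $findings
}

$result = Find-HaxdoorHIndicators
if ($result.Count -eq 0) { 'No Troj/Haxdoor-H indicators found.' } else { $result }
```

Because the Trojan hides its service tray icon and disables security software, trust the registry and file checks above over what the infected machine's own tools report; where possible, run the audit from a clean boot environment, or compare its output against the same keys read offline from a copy of the SYSTEM and SOFTWARE hives.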
