Summary
Haxdoor is a backdoor Trojan.
Detailed analysis
Example behaviours of Haxdoor backdoor Trojan follow:
Example 1
Other vendor detection
- Avira: BDS/Haxdoor.AB.4
- Kaspersky: Backdoor.Win32.Haxdoor.ap
- Trend: BKDR_HAXDOOR.C
Example 2
Runtime Analysis
Copies Itself To
- C:\WINDOWS\system32\mszx23.exe
Dropped Files
- C:\WINDOWS\system32\i.a3d
- C:\WINDOWS\system32\winlow.sys
- C:\WINDOWS\system32\fltr.a3d
- C:\WINDOWS\system32\redir.a3d
  - Size: 338
  - SHA-1: 11b4fff50935f81bcac65bf570515d0dc24dd810
  - MD5: ccca07bf73b8a44fb02273befc9e4fbd
  - CRC-32: 35cd68d5
  - File type: application/octet-stream
  - First seen: 2010-08-03
- C:\WINDOWS\system32\tnfl.a3d
- C:\WINDOWS\system32\cz.dll
- C:\WINDOWS\system32\vdmt16.sys
- C:\WINDOWS\system32\drct16.dll
- C:\WINDOWS\system32\hz.sys
- C:\WINDOWS\system32\wz.sys
Registry Keys Created
- HKLM\SYSTEM\CurrentControlSet\Control
  - StackSize: 17:9
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\drct16
  - MaxWait: 0x00000001
- HKLM\SYSTEM\CurrentControlSet\Services\vdmt16\Security
  - Security: 01 00 14 80 90 00 00 00 9c 00 00 00 14 00 00 00 30 00 00 00 02 00 1c 00 01 00 00 00 02 80 14 00 ff 01 0f 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 fd 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 ff 01 0f 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8d 01 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 18 00 fd 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
- HKLM\SYSTEM\CurrentControlSet\Services\vdmt16
  - ErrorControl: 0x00000000
- HKLM\SYSTEM\CurrentControlSet\Services\vdmt16\Enum
  - INITSTARTFAILED: 0x00000001
- HKLM\SYSTEM\CurrentControlSet\Services\winlow
  - Start: 0x00000002
Processes Created
- c:\windows\system32\mszx23.exe
Example 3
Other vendor detection
- Avira: BDS/Haxdoor.BG.2
- Kaspersky: Backdoor.Win32.Haxdoor.cn
- Trend: BKDR_HAXDOOR.BJ