Troj/Haxdoor-AA is a backdoor Trojan which allows a remote intruder to gain access and control over the computer.
Troj/Haxdoor-AA includes functionality to:
- stealth its files, processes, registry entries and services
- prevent itself being terminated
- prevent itself being deleted
- disable other software, including anti-virus, firewall and security related applications
When Troj/Haxdoor-AA is installed the following files are created:
<System>\cm.dll
<System>\draw32.dll
<System>\hm.sys
<System>\memlow.sys
<System>\p2.ini
<System>\vdnt32.sys
<System>\wd.sys
The following registry entries are created to run code exported by draw32.dll on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\draw32
DllName
draw32.dll
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\draw32
Startup
NetMaxager
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\draw32
Impersonate
1
The file memlow.sys is registered as a new system driver service named "memlow", with a display name of "LMMngr" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\memlow\
The file vdnt32.sys is registered as a new system driver service named "vdnt32", with a display name of "MemDRV". Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\vdnt32\
Sophos's anti-virus products include Genotype ™ detection technology, which can proactively protect against new threats without requiring an update. Sophos customers have been protected against Troj/Haxdor (detected as Troj/Haxdor-Fam and Troj/Haxdor-Gen) since version 3.93.