Troj/Haxdoor-E is a backdoor Trojan that provides an unauthorized access to the infected computer through the TCP port connection.
When executed Troj/Haxdoor-E copies itself to the Windows system folder with
the filename w32_ss.exe, attempts to delete klif.sys and klpf.sys files from
the Windows system drivers folder and creates services with the service names
Sdmapi and Boot32 and the display names KeSDM and KeBoot.
To be able run at the restart Troj/Haxdoor-E creates the registry entries
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
Notify\debugg\DllName = hex(2):64,65,62,75,67,67,2e,64,6c,6c,00
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
Notify\debugg\Startup = "MemManager"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
Notify\debugg\Impersonate = dword:00000001
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
Notify\debugg\Asynchronous = dword:00000001
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
debugg\MaxWait = dword:00000001
Also Troj/Haxdoor-E sets a number of registry entries associated with the
created services under the registry keys
HKLM\SYSTEM\ControlSet001\Enum\Root\
LEGACY_SDMAPI
HKLM\SYSTEM\ControlSet001\Services\boot32
HKLM\SYSTEM\ControlSet001\Services\sdmapi
HKLM\SYSTEM\CurrentControlSet\Enum\Root\
LEGACY_SDMAPI
HKLM\SYSTEM\CurrentControlSet\Services\boot32
HKLM\SYSTEM\CurrentControlSet\Services\sdmapi
Troj/Haxdoor-E creates following files in the Windows system folder:
boot32.sys
c3.dll
c3.sys
c4.sys
debugg.dll
p2.ini
sdmapi.sys