Troj/Haxdoor-U is a backdoor Trojan that provides unauthorised access to an
infected computer.
Troj/Haxdoor-U attempts to copy itself to the Windows system folder with the
filename W32_SS.EXE and sets the following registry entry so as to run itself
on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\secboot
Troj/Haxdoor-U attempts to drop the following files in the Windows system
folder, each of which is also detected as Troj/Haxdoor-U:
BOOT32.SYS
C3.DLL
C3.SYS
C4.SYS
DEBUG.DLL
SDMAPI.SYS
Troj/Haxdoor-U also attempts to create the following log files:
P2.INI
KLOG.SYS
IN.A3D
PS.A3D
Troj/Haxdoor-U attempts to disable certain antivirus and security programs and
may attempt to prevent itself and its dropped components from being deleted.
Troj/Haxdoor-U sets the following registry entries:
HKLM\SYSTEM\RADMIN\2.0\Parametrs\DisableTrayIcon
HKLM\SYSTEM\CurrentControlSet\Control\Impersonate
HKLM\System\CurrentControlSet\Control\Session Management\EnforceWriteProtection
Troj/Haxdoor-U will try to set some of the following registry entries depending
on what operating system is being run:
HKLM\SYSTEM\CurrentControlSet\Control\MPRServices\TestServices\DllName = debugg.dll
HKLM\SYSTEM\CurrentControlSet\Control\MPRServices\TestServices\EntryPoint = MemManager
HKLM\SYSTEM\CurrentControlSet\Control\MPRServices\TestServices\StackSize = 0
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\debugg\DllName = debugg.dll
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\debugg\Startup = MemManager
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\debugg\Impersonate = 1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\debugg\Asynchronous = 1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\debugg\MaxWait = 1
Troj/Haxdoor-U also attempts to create two services in order to run two of the
dropped files on system startup. One service has a Service Name of SDMAPI and a
Display Name of KESDM and runs SDMAPI.SYS. The other service has a Service Name
of BOOT32 and a Display Name of KEBOOT and runs BOOT32.SYS.
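As an added defensive check (not part of the original description and not Sophos tooling), the following PowerShell audits a local machine for the persistence artifacts listed above: the Run value, the dropped files, the Winlogon Notify and MPRServices loader entries, the other registry values, and the two services. It assumes the names are used exactly as listed and that it is run from an elevated prompt.

```powershell
# Added check: audits the local machine for the Troj/Haxdoor-U persistence
# artifacts listed in the description above. Run from an elevated prompt.
# Assumption: the file and registry names are used exactly as listed.
$hits = New-Object System.Collections.Generic.List[string]

# 1. Autostart value 'secboot' under the Run key (launches W32_SS.EXE).
$run = Get-ItemProperty -LiteralPath 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['secboot']) {
    $hits.Add("Run value 'secboot' = $($run.secboot)")
}

# 2. Dropped components and log files in the Windows system folder.
$sysDir = [Environment]::GetFolderPath('System')
$names  = 'W32_SS.EXE','BOOT32.SYS','C3.DLL','C3.SYS','C4.SYS','DEBUG.DLL',
          'SDMAPI.SYS','P2.INI','KLOG.SYS','IN.A3D','PS.A3D'
foreach ($n in $names) {
    $p = Join-Path $sysDir $n
    if (Test-Path -LiteralPath $p) { $hits.Add("File present: $p") }
}

# 3. Winlogon Notify package and MPRServices entry that load debugg.dll.
$loaderKeys = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\debugg',
              'HKLM:\SYSTEM\CurrentControlSet\Control\MPRServices\TestServices'
foreach ($k in $loaderKeys) {
    if (Test-Path -LiteralPath $k) {
        $v = Get-ItemProperty -LiteralPath $k
        $hits.Add("Registry key present: $k (DllName = $($v.DllName))")
    }
}
# 4. Other values the Trojan sets (reported when the value exists).
$valueChecks = @{
    'HKLM:\SYSTEM\RADMIN\2.0\Parametrs'                          = 'DisableTrayIcon'
    'HKLM:\SYSTEM\CurrentControlSet\Control'                     = 'Impersonate'
    'HKLM:\System\CurrentControlSet\Control\Session Management'  = 'EnforceWriteProtection'
}
foreach ($k in $valueChecks.Keys) {
    $name = $valueChecks[$k]
    $v = Get-ItemProperty -LiteralPath $k -Name $name -ErrorAction SilentlyContinue
    if ($v) { $hits.Add("Registry value present: $k\$name = $($v.$name)") }
}
# 5. Services SDMAPI (display name KESDM) and BOOT32 (display name KEBOOT);
#    the Services registry key covers both user-mode services and drivers.
foreach ($s in 'SDMAPI','BOOT32') {
    $k = "HKLM:\SYSTEM\CurrentControlSet\Services\$s"
    if (Test-Path -LiteralPath $k) {
        $v = Get-ItemProperty -LiteralPath $k
        $hits.Add("Service '$s' ($($v.DisplayName)) ImagePath = $($v.ImagePath)")
    }
}
if ($hits.Count -eq 0) { 'No Troj/Haxdoor-U indicators found.' } else { $hits }
```

Because the Trojan disables security software and protects its components, a clean result from a live, possibly compromised system is not conclusive; treat any hit as grounds for a full scan with up-to-date antivirus.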