Troj/Haxdoor-X is a multi-component downloader Trojan which attempts to download and execute files from a remote location.
Troj/Haxdoor-X also modifies the HOSTS file and changes settings for Microsoft Internet Explorer, including Start Page and search settings, by modifying values at the following locations in the registry:
HKCU\Software\Microsoft\Internet Explorer\Main
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
HKCU\Software\Microsoft\Internet Explorer\Main\Search Page
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
HKLM\Software\Microsoft\Internet Explorer\Main\
HKLM\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
HKLM\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
HKLM\Software\Microsoft\Internet Explorer\Main\Search Page
HKLM\Software\Microsoft\Internet Explorer\Main\Start Page
HKLM\Software\Microsoft\Internet Explorer\Search
The main component of Troj/Haxdoor-X is a DLL which is typically called mspdnx.dll. This DLL may be installed by a device driver component called chgsprt.sys.
Troj/Haxdoor-X may be loaded within the address space of the Explorer process.
Troj/Haxdoor-X attempts to inject its downloader code into any one of the following processes, if it is active:
iexplore.exe
opera.exe
thebat.exe
outlook.exe
msn.exe
icq.exe
miranda.exe
Maxthon.exe
Firefox.exe
aol.exe
myie.exe
mozilla.exe
The Trojan attempts to download the following files to the Windows system folder:
idchr2.dat
headr2.dat
chrr2.ini
cmdfl2.dat
tmpfile2.exe
Troj/Haxdoor-X may download a new version of the HOSTS file to replace the one located at <Windows system>\drivers\etc\hosts.
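The following Python triage helper is an added example, not part of the original description or of any vendor tool. It walks a Windows system folder (live, or from a mounted disk image) for the file names listed above and returns the active HOSTS mappings for review. The function names are hypothetical, and it assumes the DLL and driver components sit somewhere under the system folder, which the description does not state.

```python
import os

# File names taken from the description above; matching is case-insensitive.
COMPONENTS = {"mspdnx.dll", "chgsprt.sys"}
DOWNLOADS = {"idchr2.dat", "headr2.dat", "chrr2.ini", "cmdfl2.dat", "tmpfile2.exe"}


def find_named_files(system_dir):
    """Return sorted relative paths under system_dir whose name is on either list."""
    wanted = COMPONENTS | DOWNLOADS
    hits = []
    for root, _dirs, files in os.walk(system_dir):
        for name in files:
            if name.lower() in wanted:
                hits.append(os.path.relpath(os.path.join(root, name), system_dir))
    return sorted(hits, key=str.lower)


def active_hosts_entries(hosts_text):
    """Return (address, hostname) pairs from HOSTS content, excluding localhost.

    Comments and blank lines are skipped. Every remaining mapping is returned
    for review, including names pointed at a loopback address.
    """
    entries = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank, comment-only, or malformed line
        address, names = fields[0], fields[1:]
        for host in names:
            if host.lower() != "localhost":
                entries.append((address, host.lower()))
    return entries


def triage(system_dir):
    """Collect file-name hits and HOSTS entries for one system folder."""
    # Assumption: on a case-sensitive mount the path is spelled drivers/etc/hosts.
    hosts_path = os.path.join(system_dir, "drivers", "etc", "hosts")
    hosts_text = ""
    if os.path.isfile(hosts_path):
        with open(hosts_path, "r", encoding="utf-8-sig", errors="replace") as fh:
            hosts_text = fh.read()
    return {"files": find_named_files(system_dir),
            "hosts": active_hosts_entries(hosts_text)}
```

A file-name match is only a lead: the description says the DLL is "typically" called mspdnx.dll, so an empty result does not clear a host.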