Sophos

Troj/Haxdoor-AN


Summary

Affected operating systems: Windows
Characteristics:
  • Drops more malware
  • Installs itself in the registry
Included in our products from: December 2005 (4.00)
Protection available since: 4 November 2005 11:43:37 (GMT)
Detected by: All Sophos products

More Information

Troj/Haxdoor-AN is a backdoor Trojan which allows a remote intruder to gain access and control over the computer.

Troj/Haxdoor-AN includes functionality to access the internet and communicate with a remote server via HTTP.

Troj/Haxdoor-AN attempts to disable certain services related to security and anti-virus programs and may attempt to bypass the Windows firewall.

Troj/Haxdoor-AN attempts to download and execute files from a remote location.

When Troj/Haxdoor-AN is installed the following files are created:

<System>\sks2drvr.sys
<System>\sksdll.dll

Both of these files are also detected as Troj/Haxdoor-AN. The file sks2drvr.sys is a kernel-mode rootkit driver designed to hide the presence of Troj/Haxdoor-AN (its files, registry entries and service) from the user and from security software.

Some of the following registry entries are created to run code exported by sksdll.dll on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sksdll
    DllName = sksdll.dll
    Startup = sksdll
    Impersonate = 1
    Asynchronous = 1
    MaxWaut = 1

HKLM\System\CurrentControlSet\Control\MPRServices\TestService
    DllName = sksdll.dll
    EntryPoint = sksdll
    StackSize = 0

The file sks2drvr.sys is registered as a new system driver service named "sks2drvr", with a display name of "USB sks2drvr". Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\sks2drvr\

Troj/Haxdoor-AN attempts to disable certain services related to security and anti-virus programs by deleting registry entries at the following location:

HKLM\SYSTEM\CurrentControlSet\Services

Troj/Haxdoor-AN may add a registry entry at the following location in order to bypass the Windows firewall:

HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\
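The following PowerShell script is an added example, not part of the Sophos description, that audits a Windows host for the artifacts listed above: the two dropped files, the Winlogon Notify and MPRServices\TestService entries that load sksdll.dll, the "sks2drvr" driver service, and firewall AuthorizedApplications entries that reference either file. It only reads and reports; it does not delete anything. The paths and value names come from this page; the SHA256 output and the check of CurrentControlSet alongside ControlSet001 are the example's own additions.

```powershell
# Added example (not Sophos code): read-only audit for Troj/Haxdoor-AN artifacts.
# Run from an elevated PowerShell prompt so HKLM and the service list are fully readable.

$findings = @()

# 1. Dropped files. <System> on the page corresponds to %SystemRoot%\System32.
$systemDir = Join-Path $env:SystemRoot 'System32'
foreach ($name in 'sks2drvr.sys', 'sksdll.dll') {
    $path = Join-Path $systemDir $name
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings += "File present: $path (SHA256 $hash)"
    }
}

# 2. Winlogon notification package entry that loads sksdll.dll at logon.
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sksdll'
if (Test-Path -LiteralPath $notify) {
    $props = Get-ItemProperty -LiteralPath $notify
    $findings += "Winlogon Notify key present: $notify (DllName=$($props.DllName), Startup=$($props.Startup))"
}

# 3. MPRServices\TestService entry that loads sksdll.dll.
$mpr = 'HKLM:\SYSTEM\CurrentControlSet\Control\MPRServices\TestService'
if (Test-Path -LiteralPath $mpr) {
    $props = Get-ItemProperty -LiteralPath $mpr
    $findings += "MPRServices key present: $mpr (DllName=$($props.DllName), EntryPoint=$($props.EntryPoint))"
}

# 4. The rootkit driver registered as service "sks2drvr" (display name "USB sks2drvr").
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\sks2drvr'
if (Test-Path -LiteralPath $svcKey) {
    $props = Get-ItemProperty -LiteralPath $svcKey
    $findings += "Driver service key present: $svcKey (DisplayName=$($props.DisplayName), ImagePath=$($props.ImagePath))"
}
$svc = Get-Service -Name 'sks2drvr' -ErrorAction SilentlyContinue
if ($svc) { $findings += "Service object visible: sks2drvr (status $($svc.Status))" }

# 5. Windows Firewall "authorized applications" list entries naming either dropped file.
#    The page cites ControlSet001; the active control set is checked as well (example's addition).
foreach ($cs in 'CurrentControlSet', 'ControlSet001') {
    $fw = "HKLM:\SYSTEM\$cs\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List"
    if (Test-Path -LiteralPath $fw) {
        $list = Get-ItemProperty -LiteralPath $fw
        foreach ($p in $list.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata properties
            if ($p.Name -match 'sks2drvr|sksdll' -or "$($p.Value)" -match 'sks2drvr|sksdll') {
                $findings += "Firewall exception under $cs : $($p.Name) = $($p.Value)"
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Troj/Haxdoor-AN artifacts found (see note on rootkit hiding below).'
} else {
    Write-Output 'Possible Troj/Haxdoor-AN artifacts found:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Because sks2drvr.sys is a rootkit that hides these files and keys from user-mode code, a clean result from a running, infected system is not conclusive; for reliable results, examine the disk and registry hives from a clean boot environment or with the vendor's rootkit-aware scanner. Note also that Winlogon notification packages are honoured by Windows XP/2003-era Winlogon, so the Notify key is a persistence indicator on those systems even though later Windows versions no longer load it.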
