Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Included in our products from | November 2006 (4.11) |
| Protection available since | 24 September 2006 15:21:19 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
More Information
Troj/Haxdoor-DE is a Trojan for the Windows platform.
When Troj/Haxdoor-DE is installed, the following files are created:
<System>\lgn1216a.dll
<System>\mm77lgn.sys
The file lgn1216a.dll is detected as Troj/Haxdor-Fam and the file mm77lgn.sys is detected as Troj/Haxdor-Gen.
The following registry entries are created to run code exported by lgn1216a.dll on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\lgn1216a
    DllName = lgn1216a.dll
    Startup = lgn1216a
    Impersonate = 1
The file mm77lgn.sys is registered as a new system driver service named "mm77lgn", with a display name of "MM77lgn control service". Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\mm77lgn\
The following registry entries are set, affecting internet security:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS
    Explorer.EXE = <Windows>\Explorer.EXE:*:Enabled:explorer
