Summary
| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Included in our products from | June 2007 (4.18) |
| Protection available since | 16 October 2006 12:19:57 (GMT) |
| Last updated | 2 May 2007 07:32:54 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing Trojans.
More Information
Troj/Haxdoor-DH is a Trojan for the Windows platform.
Troj/Haxdoor-DH has been seen attached to emails with the following characteristics (the lure is written in German; the text below is translated, with the original subject line kept as the indicator):
Subject line:
Rechnung #3490/2 (German for "Invoice #3490/2")
Message text (translated from German):
Dear Customer,
Invoice #3490/2
The files were added as an attachment and can now be sent with this message.
-----------------------------------------------------------------
I am using the free version of SPAMfighter,
which has removed 758 spam emails so far.
SPAMfighter is completely free for private users!
Attached file:
die_rechnung.exe
When Troj/Haxdoor-DH is installed the following files are created:
<System>\kgctini.dat
<System>\lps.dat
<System>\qo.dll
<System>\qo.sys
<System>\svjvpn.sys
<System>\svkvpn.dll
<System>\svkvpn.sys
The files qo.dll, qo.sys, svjvpn.sys, svkvpn.dll and svkvpn.sys are detected as Troj/Haxdor-Fam.
The following registry values are created under a Winlogon Notify key so that code exported by svkvpn.dll is run at startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\svkvpn
    DllName = svkvpn.dll
    Startup = ER03Sb5fex
    Impersonate = 1
The file svjvpn.sys is registered as a new system driver service named "svjvpn", with a display name of "MCRT accelerator". Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\svjvpn\
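The following read-only audit script is an added example, not part of the Sophos advisory or any Sophos product: it checks a host for the dropped files, the Winlogon Notify registration and the svjvpn driver service described above, using only the names and keys listed on this page. It assumes a Windows XP-era host where Winlogon Notify packages are honoured and an elevated PowerShell prompt.

```powershell
# Added example (not from the advisory): audit a host for the Troj/Haxdoor-DH
# persistence artifacts listed on this page. Read-only; run elevated.
$notifyRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$systemDir  = [Environment]::SystemDirectory   # resolves the <System> placeholder

# Files the advisory says are dropped into <System>
$dropped = 'kgctini.dat','lps.dat','qo.dll','qo.sys','svjvpn.sys','svkvpn.dll','svkvpn.sys'

$findings = @()

# 1. Dropped files
foreach ($name in $dropped) {
    $path = Join-Path $systemDir $name
    if (Test-Path -LiteralPath $path) {
        $findings += "File present: $path"
    }
}

# 2. Winlogon Notify registration. Every subkey is walked, not just 'svkvpn',
#    because the Notify mechanism is a generic persistence point worth reviewing.
if (Test-Path $notifyRoot) {
    Get-ChildItem $notifyRoot | ForEach-Object {
        $props = Get-ItemProperty $_.PSPath
        $dll   = $props.DllName
        $hit   = ($_.PSChildName -ieq 'svkvpn') -or ($dll -imatch 'svkvpn\.dll$')
        if ($hit) {
            $findings += "Winlogon Notify key '$($_.PSChildName)' loads $dll " +
                         "(Startup=$($props.Startup), Impersonate=$($props.Impersonate))"
        } else {
            Write-Verbose "Notify subkey $($_.PSChildName) -> $dll"
        }
    }
}

# 3. Driver service 'svjvpn' (display name 'MCRT accelerator' per the advisory)
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\svjvpn'
if (Test-Path $svcKey) {
    $svc = Get-ItemProperty $svcKey
    $findings += "Service key present: svjvpn (DisplayName='$($svc.DisplayName)', ImagePath='$($svc.ImagePath)')"
}

if ($findings.Count -eq 0) { 'No Troj/Haxdoor-DH artifacts found.' } else { $findings }
```

Run with -Verbose (via $VerbosePreference = 'Continue') to also list every other Notify package so unexpected DLLs can be reviewed by hand; on Windows Vista and later the Notify key is no longer loaded by Winlogon, but a leftover entry is still worth flagging.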
Sophos's anti-virus products include Behavioral Genotype™ Protection, which can proactively guard against new threats without requiring an update. Sophos customers have been protected against Troj/Haxdoor-DH (detected as Mal/Packer) since version 4.10.
