Sophos

Troj/Haxdor-Fam


Summary

 
Affected operating systems Windows
Detected by All Sophos products

Action

The name Troj/Haxdor-Fam is used where a file belongs to a particular family of Trojans, but the variant is not separately identified. Sophos's proactive protection technology will identify such files as a -Fam variant.

  1. Ensure that you are using the most recent IDE files, as more precise detection could now be available.
  2. If necessary, please send us a sample to assist in improving our technology.
  3. Use the instructions for removing generically detected files to delete the file from your computer.
  4. If you require further assistance with disinfection, contact support.

More Information

Troj/Haxdor-Fam is a family of backdoor Trojans that provide unauthorized access to an infected computer.

Some versions of Troj/Haxdor-Fam attempt to copy themselves to the Windows system folder with the filename W32_SS.EXE or VTD_16.EXE and may set the following registry entries so as to run themselves on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Some versions of Troj/Haxdor-Fam attempt to drop some of the following files in the Windows system folder:

DEBUG.DLL
DRAW32.DLL
C3.DLL
CM.DLL
SDMAPI.SYS
BOOT32.SYS
VDNT32.SYS
MEMLOW.SYS
C3.SYS
C4.SYS
HM.SYS
WD.SYS

Troj/Haxdor-Fam may drop further files for keystroke logging or to direct how the Trojan will behave with filenames including the following:

P2.INI
KLOG.SYS
KLO5.SYS
KLIF.SYS
KLPF.SYS
KLOGINI.DLL
IN.A3D
I.A3D
PS.A3D
ERROR.A3D

Some versions of Troj/Haxdor-Fam attempt to disable certain anti-virus and security programs and may attempt to prevent themselves and their dropped components from being deleted.

Troj/Haxdor-Fam may also attempt to create two services in order to run two of the dropped files on system startup. One service typically has a Service Name of SDMAPI or VDNT32, a Display Name of KESDM or MEMDRV and runs SDMAPI.SYS or VDNT32.SYS. The other service typically has a Service Name of BOOT32 or MEMLOW, a Display Name of KEBOOT or LMMNGR and runs BOOT32.SYS or MEMLOW.SYS.

Some versions of Troj/Haxdor-Fam may drop a file to overwrite WIN.COM or NTDETECT.COM which will overwrite all sectors of all available hard disks. This file may be dropped after a specified date if the P2.INI file is so configured, or if the appropriate command is received by the backdoor Trojan.

Some versions of Troj/Haxdor-Fam use a large degree of stealth to prevent the detection and removal of their files, registry entries and services, and also include the means to restore those items if they are removed.
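As an added, read-only triage check (example code, not part of the Sophos advisory or any Sophos product), the following PowerShell script looks for the artifacts described above: the dropped file names in the Windows system folder, Run-key values that reference W32_SS.EXE or VTD_16.EXE, and services or drivers with the listed Service Names or Display Names. It assumes it is run in an elevated session on the suspect machine and only reports findings; it deletes nothing.

```powershell
# Added example: report-only check for Troj/Haxdor-Fam artifacts named in the advisory.
# Assumes an elevated PowerShell session on the machine being examined.
$SystemDir = [Environment]::GetFolderPath('System')   # usually C:\Windows\System32

# File names the advisory associates with this family (copies, drops and config/log files)
$DroppedFiles = @('W32_SS.EXE','VTD_16.EXE','DEBUG.DLL','DRAW32.DLL','C3.DLL','CM.DLL',
                  'SDMAPI.SYS','BOOT32.SYS','VDNT32.SYS','MEMLOW.SYS','C3.SYS','C4.SYS',
                  'HM.SYS','WD.SYS','P2.INI','KLOG.SYS','KLO5.SYS','KLIF.SYS','KLPF.SYS',
                  'KLOGINI.DLL','IN.A3D','I.A3D','PS.A3D','ERROR.A3D')
$ServiceNames = @('SDMAPI','VDNT32','BOOT32','MEMLOW')
$DisplayNames = @('KESDM','MEMDRV','KEBOOT','LMMNGR')
$RunKey       = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'

$findings = @()

# 1. Dropped files in the Windows system folder
foreach ($name in $DroppedFiles) {
    $path = Join-Path $SystemDir $name
    if (Test-Path -LiteralPath $path) {
        $findings += [pscustomobject]@{ Type = 'File'; Item = $path }
    }
}

# 2. Run-key values that point at the copied executable names
if (Test-Path $RunKey) {
    $run = Get-ItemProperty -Path $RunKey
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Value -is [string] -and $prop.Value -match 'W32_SS\.EXE|VTD_16\.EXE') {
            $findings += [pscustomobject]@{ Type = 'RunKey'; Item = "$($prop.Name) = $($prop.Value)" }
        }
    }
}

# 3. Services and kernel drivers (the .SYS components register as drivers) matching the
#    Service Names or Display Names described in the advisory; -contains is case-insensitive
$entries = @(Get-CimInstance -ClassName Win32_Service) + @(Get-CimInstance -ClassName Win32_SystemDriver)
foreach ($svc in $entries) {
    if ($ServiceNames -contains $svc.Name -or $DisplayNames -contains $svc.DisplayName) {
        $findings += [pscustomobject]@{ Type = 'Service'; Item = "$($svc.Name) ($($svc.DisplayName)) -> $($svc.PathName)" }
    }
}

if ($findings.Count -eq 0) { 'No Troj/Haxdor-Fam artifacts found by this check.' }
else { $findings | Format-Table -AutoSize }
```

Because the advisory notes that some variants hide their files, registry entries and services from the running system, an empty result from a check run on the live machine is not conclusive; confirm with an up-to-date Sophos scan or by examining the disk offline.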
