Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Protection available since | 31 August 2004 08:07:00 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
Replace the Hosts file from a backup or edit it in Notepad to remove the changes that the Trojan has made.
You should also change your Internet Explorer settings using Tools|Internet options|General to remove any modifications made by the Trojan.
Windows NT/2000/XP/2003
In Windows NT/2000/XP/2003 you will also need to edit the following registry entries. The removal of these entries is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Network Service
and delete it if it exists.
Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:
HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\Network Service
and delete it if it exists.
Close the registry editor.
More Information
Troj/HacDef-K is a backdoor Trojan that is targeted at NT/2000/XP operating systems. As well as allowing unauthorised remote access to the infected computer, this Trojan is able to hide information about the infected system including files, folders, processes, services and registry entries.
Troj/HacDef-K copies itself to the Windows folder as SVHOST.EXE and sets the following registry entries so as to run itself on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Network Service
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Network Service
Troj/HacDef-K drops a file to the Windows folder called HXDEFDRV.SYS which is detected as Troj/He4Hook-A. Troj/HacDef-K also drops a file to the Windows system folder with a random filename.
Troj/HacDef-K intercepts various system services and attempts to terminate various security or monitoring processes.
Troj/HacDef-K modifies various internet start and search pages including the following:
HKLM\Software\Microsoft\Internet Explorer\Main\Start Page
HKLM\Software\Microsoft\Internet Explorer\Main\Search Page
HKLM\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
HKLM\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
HKLM\Software\Microsoft\Internet Explorer\Main\Search URL
HKLM\Software\Microsoft\Internet Explorer\Main\Search Bar
HKLM\Software\Microsoft\Internet Explorer\Main\CustomizeSearch
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
HKCU\Software\Microsoft\Internet Explorer\Main\Search Page
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
HKCU\Software\Microsoft\Internet Explorer\Main\Search URL
HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar
Troj/HacDef-K modifies the HOSTS file located in the subfolder drivers\etc\hosts of the Windows system folder, mapping certain websites to the loopback address 127.0.0.1 in an attempt to prevent access to these sites, and mapping other websites to 213.159.118.228 in order to redirect them to this address. Typically the following mappings will be added to the HOSTS file:
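A hosts-file audit for the two kinds of change described here (names redirected to 213.159.118.228 and names pointed at loopback to block them), given as an added example that is not Sophos code. The function names, the `localhost` allow-list and the sample hosts text with its placeholder hostnames are assumptions made for illustration.

```python
import ipaddress

REDIRECT_IP = "213.159.118.228"   # redirect address named in the analysis
BENIGN_LOOPBACK = {"localhost"}    # assumption: only this name belongs on loopback

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each mapping in hosts-file text."""
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # not a valid mapping line
        for name in fields[1:]:
            yield no, ip, name.lower().rstrip(".")

def audit_hosts(text, redirect_ip=REDIRECT_IP):
    """Return (line_no, kind, ip, hostname) for every suspicious mapping."""
    target = ipaddress.ip_address(redirect_ip)
    findings = []
    for no, ip, name in parse_hosts(text):
        if ip == target:
            kind = "redirect"      # name pointed at the Trojan's address
        elif ip.is_loopback:
            if name in BENIGN_LOOPBACK:
                continue
            kind = "blocked"       # name pointed at loopback to deny access
        else:
            kind = "other"         # unrelated mapping; review manually
        findings.append((no, kind, str(ip), name))
    return findings

def strip_flagged(text, findings):
    """Return hosts text without the lines flagged as redirect or blocked."""
    bad = {no for no, kind, _, _ in findings if kind != "other"}
    kept = [l for no, l in enumerate(text.splitlines(), 1) if no not in bad]
    return "\n".join(kept) + "\n"

# Constructed sample hosts file; every hostname is a placeholder.
SAMPLE = """\
# constructed sample hosts file
127.0.0.1       localhost
213.159.118.228 redirected.example
213.159.118.228 www.other.example  # trailing comment
127.0.0.1       blocked.example
10.0.0.5        intranet.example
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE):
        print(finding)
```

Entries reported as `other` are left in place by `strip_flagged`, since a legitimate hosts file may carry site-specific mappings that need a manual decision.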
