Sophos

Troj/Haxdoor-AC

Aliases
  • Trojan.Haxdoor.ac

Summary

Affected operating systems Windows
Characteristics
  • Drops more malware
Protection available since 5 November 2004 09:08:14 (GMT)
Detected by All Sophos products
  • Endpoint Security and Control 9.0
  • Small business solutions 4.0

More Information

Troj/Haxdoor-AC is a backdoor Trojan that provides remote attackers with access to the infected computer.

The installation executable for Troj/Haxdoor-AC copies itself to the Windows system folder and drops the following files to the system folder: i.a3d or ps.a3d, boot32.sys, p2.ini, c3.dll, c3.sys, c4.sys, debugg.dll, sdmapi.sys and klogini.dll (not all of these files will be installed under Windows NT/XP). i.a3d/ps.a3d, p2.ini and klogini.dll are harmless data files for which there is no detection. Files c4.sys and boot32.sys are both detected by Sophos Anti-Virus as Troj/Haxdoor-G.

On NT-based versions of Windows, services named boot32 and sdmapi (with display names "KeBoot" and "KeSDM") are created to run boot32.sys and sdmapi.sys respectively, creating registry entries under:

HKLM\SYSTEM\CurrentControlSet\Services\boot32\
HKLM\SYSTEM\CurrentControlSet\Services\sdmapi\

The new boot32 service has a startup type set to automatic, so that it is activated automatically on startup. sdmapi.sys is configured to be loaded automatically on startup as a system driver.

On NT-based versions of Windows, sub-keys of the following new registry entry are created to load debugg.dll on startup and run its "MemManager" export:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\debugg\

Under Windows 95/98/ME, one of the following sets of registry entries is created so that draw32.dll is loaded on startup and its "MemManager" export called:

HKLM\System\CurrentControlSet\control\debugg\Dllname = debugg.dll
HKLM\System\CurrentControlSet\control\debugg\Entrypoint = "MemManager"
HKLM\System\CurrentControlSet\control\debugg\StackSize = 0

HKLM\System\CurrentControlSet\control\MPRServices\TestService\Dllname = draw32.dll
HKLM\System\CurrentControlSet\control\MPRServices\TestService\Entrypoint = "MedManager"
HKLM\System\CurrentControlSet\control\MPRServices\TestService\StackSize = 0

(This causes the draw32.dll code to run inside the Mprexe system process.)

The following registry entries are also set:

HKLM\System\RAdmin\v2.0\Server\Parameters\DisableTrayIcon = 1

HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management\EnforceWriteProtection = 0

HKLM\System\CurrentControlSet\Control\Impersonate
HKLM\System\CurrentControlSet\Control\StackSize

Troj/Haxdoor-AC attempts to disable certain anti-virus and security-related programs and may attempt to prevent its registry entries and files from being deleted.

The Trojan then runs continuously in the background listening for instructions from a remote user.
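The following PowerShell script is an added example, not Sophos code, that turns the artifacts listed above (dropped files in the system folder, the boot32/sdmapi services, the Winlogon Notify, MPRServices and RAdmin keys, and the EnforceWriteProtection change) into a read-only triage check for a Windows host. It assumes the system folder is %SystemRoot%\System32 and only reports what it finds; removal is left to the anti-virus product.

```powershell
# Added example (not Sophos code): read-only check for the Troj/Haxdoor-AC
# persistence artifacts listed in the description. Run from an elevated PowerShell.

$system32 = Join-Path $env:SystemRoot 'System32'   # assumed system folder

# Files the description says are dropped into the Windows system folder.
$droppedFiles = 'i.a3d', 'ps.a3d', 'boot32.sys', 'p2.ini', 'c3.dll', 'c3.sys',
                'c4.sys', 'debugg.dll', 'sdmapi.sys', 'klogini.dll', 'draw32.dll'

# Service keys and other registry keys named in the description.
$registryKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\boot32',
    'HKLM:\SYSTEM\CurrentControlSet\Services\sdmapi',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\debugg',
    'HKLM:\System\CurrentControlSet\control\debugg',
    'HKLM:\System\CurrentControlSet\control\MPRServices\TestService',
    'HKLM:\System\RAdmin\v2.0\Server\Parameters'
)

$findings = @()

foreach ($f in $droppedFiles) {
    $path = Join-Path $system32 $f
    if (Test-Path -LiteralPath $path) { $findings += "file present: $path" }
}

foreach ($key in $registryKeys) {
    if (Test-Path -LiteralPath $key) { $findings += "registry key present: $key" }
}

# The services are registered as boot32 and sdmapi (display names KeBoot / KeSDM).
foreach ($name in 'boot32', 'sdmapi') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc) { $findings += "service present: $($svc.Name) ($($svc.DisplayName))" }
}

# EnforceWriteProtection = 0 under Memory Management is one of the values the
# description says the Trojan sets; report it only when it is actually 0.
$mm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$ewp = (Get-ItemProperty -LiteralPath $mm -Name EnforceWriteProtection `
            -ErrorAction SilentlyContinue).EnforceWriteProtection
if ($null -ne $ewp -and $ewp -eq 0) {
    $findings += "EnforceWriteProtection = 0 under $mm"
}

# Impersonate and StackSize are listed under ...\Control without values;
# report them if either exists as a value there.
$control = 'HKLM:\SYSTEM\CurrentControlSet\Control'
foreach ($valueName in 'Impersonate', 'StackSize') {
    $item = Get-ItemProperty -LiteralPath $control -Name $valueName -ErrorAction SilentlyContinue
    if ($item) { $findings += "value present: $control\$valueName = $($item.$valueName)" }
}

if ($findings.Count -eq 0) {
    'No Troj/Haxdoor-AC artifacts from the description were found.'
} else {
    'Possible Troj/Haxdoor-AC artifacts:'
    $findings | ForEach-Object { "  $_" }
}
```

Because the Trojan may hide or protect its files and registry entries on a live system, an empty result from this check on the infected host itself is weaker evidence than a scan from clean media; treat any hit as a reason to run a full anti-virus scan rather than as the complete picture.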

Sophos Anti-Virus products since version 3.85 have been capable of detecting this Trojan as Troj/Haxdoor-Fam without requiring an update.
