Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Protection available since | 17 March 2005 20:37:53 (GMT) |
| Last updated | 18 March 2005 15:22:34 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
More Information
Troj/Haxdoor-AE is a backdoor Trojan for the Windows platform that provides unauthorised remote access to the infected computer.
The main executable component of Troj/Haxdoor-AE may be located with the filename vtd_16.exe in the Windows system folder or upd1.exe in the TEMP folder.
Once executed, the main component of Troj/Haxdoor-AE drops the following files to the Windows system folder:
cm.dll
draw32.dll
hm.sys
memlow.sys
p2.ini
vdnt32.sys
wd.sys
i.a3d
klogini.dll
where p2.ini, i.a3d and klogini.dll are log data files, hm.sys and vdnt32.sys are components of the Trojan, and cm.dll, draw32.dll, memlow.sys and wd.sys are detected as Troj/Haxdoor-Fam.
So that it runs again after a restart, Troj/Haxdoor-AE installs a service and a driver with the following characteristics:
servicename = memlow
displayname = "LMMngr"
imagepath = \\%Windows%\%system%\memlow.sys
and
drivername = vdnt32
displayname = "MemDRV"
imagepath = \\%Windows%\%system%\vdnt32.sys
On Windows NT-based systems Troj/Haxdoor-AE also registers a Winlogon Notify package (under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify) with the following values:
name = draw32
path = draw32.dll
notifyfunction = "MedManager"
An entry pointing to vtd_16.exe may also be added under the following registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
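The following PowerShell script is an added example, not Sophos code, that checks a Windows host for the persistence artefacts listed above: the dropped files, the memlow service and vdnt32 driver, the draw32 Winlogon Notify package, and any Run value referencing vtd_16.exe. File names, service names and registry paths are taken from the description; the script assumes the standard locations for the Services, Winlogon Notify and Run keys and should be run from an elevated prompt.

```powershell
# Added example (not from the Sophos analysis): look for Troj/Haxdoor-AE artefacts.
# Run elevated; all names come from the threat description above.

$sys32 = Join-Path $env:SystemRoot 'System32'
$hits  = @()

# 1. Dropped files in the Windows system folder, plus the main executable names.
$dropped = 'cm.dll','draw32.dll','hm.sys','memlow.sys','p2.ini',
           'vdnt32.sys','wd.sys','i.a3d','klogini.dll','vtd_16.exe'
foreach ($f in $dropped) {
    $p = Join-Path $sys32 $f
    if (Test-Path -LiteralPath $p) { $hits += "File present: $p" }
}
$tmp = Join-Path $env:TEMP 'upd1.exe'
if (Test-Path -LiteralPath $tmp) { $hits += "File present: $tmp" }

# 2. Service 'memlow' (LMMngr) and driver 'vdnt32' (MemDRV). Both register under
#    HKLM\SYSTEM\CurrentControlSet\Services; report the DisplayName and ImagePath.
foreach ($svc in 'memlow','vdnt32') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (Test-Path -LiteralPath $key) {
        $props = Get-ItemProperty -LiteralPath $key
        $hits += "Service key present: $key (DisplayName='$($props.DisplayName)', ImagePath='$($props.ImagePath)')"
    }
}

# 3. Winlogon Notify package 'draw32' loading draw32.dll (notification function MedManager).
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\draw32'
if (Test-Path -LiteralPath $notify) {
    $props = Get-ItemProperty -LiteralPath $notify
    $hits += "Winlogon Notify package present: $notify (DllName='$($props.DllName)')"
}

# 4. Any value under HKLM\...\Run whose data references vtd_16.exe.
$run = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path -LiteralPath $run) {
    $props = Get-ItemProperty -LiteralPath $run
    # Get-ItemProperty adds PSPath/PSChildName etc.; skip those, keep the real values.
    foreach ($name in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name) {
        if ("$($props.$name)" -match 'vtd_16\.exe') {
            $hits += "Run value '$name' = $($props.$name)"
        }
    }
}

if ($hits.Count -eq 0) {
    Write-Output 'No Troj/Haxdoor-AE artefacts found.'
} else {
    Write-Output 'Possible Troj/Haxdoor-AE artefacts:'
    $hits | ForEach-Object { Write-Output "  $_" }
}
```

Because hm.sys and vdnt32.sys are loaded as kernel drivers, a clean result from the running system is weaker evidence than one taken from offline boot media, where the Trojan's drivers are not loaded; treat any hit as a reason to clean the machine with a scanner as well, rather than deleting the listed files by hand.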
