high
Summary
Summary
Action- More Information
| Affected operating systems | Windows |
|---|---|
| Characteristics |
|
| Protection available since | 26 September 2005 22:43:45 (GMT) |
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing Trojans.
More Information
Troj/Haxdoor-AK is a backdoor Trojan for the Windows platform.
Troj/Haxdoor-AK allows a remote attacker to run arbitrary commands. The Trojan may download and run further malicious code.
The Trojan uses stealthing techniques to avoid being terminated.
When Troj/Haxdoor-AK is installed the following files are created:
<Windows system folder>\nodantivir.sys
<Windows system folder>\mcfG7A.dll
These files are also detected as Troj/Haxdoor-AK. The file nodantivir.sys provides stealthing functionality and has been detected as Troj/Haxdor-Gen since version 3.93.
The following registry entries are created to run code exported by mcfG7A.dll on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mcfG7A
DllName
mcfG7A.dll
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mcfG7A
Startup
mcfG7A
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mcfG7A
Impersonate
1
The file nodantivir.sys is registered as a new system driver service named "nodantivir", with a display name of "NOD AV service". Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\nodantivir\
|
