Sophos

Troj/Haxdoor-AM

Aliases
  • Backdoor.Win32.Haxdoor.ej
  • BackDoor-BAC.dll
  • BackDoor-BAC.gen

Summary

Affected operating systems: Windows
Protection available since: 1 October 2005 15:54:09 (GMT)
Detected by: All Sophos products

More Information

Troj/Haxdoor-AM is a Trojan for the Windows platform.

Troj/Haxdoor-AM runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access to and control over the computer.

Troj/Haxdoor-AM includes functionality to:

- hide its files, processes, registry entries and services (rootkit behaviour)
- prevent itself from being terminated
- prevent itself from being deleted
- disable other software, including anti-virus, firewall and security-related applications
- log keystrokes and steal password information
- intercept banking information
- download and execute files from a remote location
- change the default browser start page and similar settings

When Troj/Haxdoor-AM is installed, the following files are created:

<System>\avpu32.dll
<System>\avpu64.sys
<System>\klgcptini.dat
<System>\qz.dll
<System>\qz.sys
<System>\stt82.ini

klgcptini.dat and stt82.ini are clean log files. The other files are detected as Troj/Haxdoor-AM.

Troj/Haxdoor-AM may attempt to inject avpu32.dll into the process explorer.exe.

Troj/Haxdoor-AM attempts to delete a number of registry entries under the following location:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

Registry entries may be created at one of the following locations so that code exported by avpu32.dll is run on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avpu32

HKLM\System\CurrentControlSet\Control\MPRServices\TestService

The file avpu64.sys may be registered as a new system driver service named "avpu32", with a display name of "TCPIP2 Kernel32" and a startup type of automatic, so that it is loaded during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\avpu32\

The file avpu64.sys may be registered as a new system driver service named "avpu64", with a display name of "TCPIP2 Kernel". Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\avpu64\

Troj/Haxdoor-AM may set entries at the following locations to allow its components to be run in Safe Mode:

SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\

SYSTEM\CurrentControlSet\Control\SafeBoot\Network\
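The artifacts listed above (the dropped files, the Winlogon Notify and MPRServices entries, the avpu32/avpu64 driver services, the SafeBoot keys and the DLL injected into explorer.exe) can be swept for with the read-only PowerShell script below. This is an added triage example, not code from Sophos or from this advisory. It assumes the HKLM paths exactly as listed, resolves `<System>` to the Windows system directory, and the SafeBoot subkey name pattern and the `Add-Finding` helper are the example's own choices. Because the Trojan hides its files, processes and registry entries, an empty result is not proof that a host is clean.

```powershell
# Added example (not Sophos code): sweep a Windows host for the
# Troj/Haxdoor-AM artifacts named in the advisory. Read-only; nothing is
# deleted or changed. Run from an elevated PowerShell prompt.
# The Trojan uses rootkit techniques to hide its components, so a sweep
# with no findings does not prove the host is clean.

# <System> in the advisory is the system directory, e.g. C:\Windows\System32
$systemDir = [Environment]::SystemDirectory

# File names from the advisory. klgcptini.dat and stt82.ini are described as
# clean log files, but their presence still shows the Trojan was active.
$fileNames = 'avpu32.dll', 'avpu64.sys', 'klgcptini.dat', 'qz.dll', 'qz.sys', 'stt82.ini'

# Registry locations from the advisory (all under HKLM).
$registryKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avpu32',
    'HKLM:\SYSTEM\CurrentControlSet\Control\MPRServices\TestService',
    'HKLM:\SYSTEM\CurrentControlSet\Services\avpu32',
    'HKLM:\SYSTEM\CurrentControlSet\Services\avpu64'
)

# Service names and display names from the advisory.
$serviceNames = 'avpu32', 'avpu64'
$displayNames = 'TCPIP2 Kernel32', 'TCPIP2 Kernel'

$findings = New-Object System.Collections.Generic.List[object]

# Helper (example's own): record one finding
function Add-Finding([string]$Type, [string]$Indicator) {
    $findings.Add([pscustomobject]@{ Type = $Type; Indicator = $Indicator })
}

# 1. Dropped files in the system directory
foreach ($name in $fileNames) {
    $path = Join-Path $systemDir $name
    if (Test-Path -LiteralPath $path) { Add-Finding 'File' $path }
}

# 2. Persistence keys: Winlogon Notify package, MPRServices entry, driver services
foreach ($key in $registryKeys) {
    if (Test-Path -LiteralPath $key) {
        $props  = Get-ItemProperty -LiteralPath $key
        $detail = $key
        # Services keys carry DisplayName and Start (2 = automatic)
        if ($props.PSObject.Properties['DisplayName']) {
            $detail += " (DisplayName='$($props.DisplayName)', Start=$($props.Start))"
        }
        Add-Finding 'Registry' $detail
    }
}

# 3. Safe Mode entries: the advisory names only the parent keys, so flag any
#    subkey named after the Trojan's services or driver file (example's pattern).
foreach ($mode in 'Minimal', 'Network') {
    $parent = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
    if (Test-Path -LiteralPath $parent) {
        foreach ($sub in Get-ChildItem -LiteralPath $parent) {
            if ($sub.PSChildName -match '^(avpu32|avpu64)(\.sys)?$') {
                Add-Finding 'SafeBoot' $sub.Name
            }
        }
    }
}

# 4. Services by internal or display name. Get-Service lists Win32 services;
#    kernel driver services are covered by the Win32_SystemDriver CIM class.
$services = @(Get-Service) + @(Get-CimInstance -ClassName Win32_SystemDriver)
foreach ($svc in $services) {
    if ($serviceNames -contains $svc.Name -or $displayNames -contains $svc.DisplayName) {
        Add-Finding 'Service' "$($svc.Name) ($($svc.DisplayName))"
    }
}

# 5. avpu32.dll injected into explorer.exe
foreach ($proc in Get-Process -Name explorer -ErrorAction SilentlyContinue) {
    foreach ($mod in $proc.Modules) {
        if ($mod.ModuleName -ieq 'avpu32.dll') {
            Add-Finding 'InjectedModule' "explorer.exe PID $($proc.Id): $($mod.FileName)"
        }
    }
}

if ($findings.Count -eq 0) {
    'No Troj/Haxdoor-AM indicators found (not conclusive: the Trojan hides its components).'
} else {
    $findings | Format-Table -AutoSize
}
```

Step 4 queries both Get-Service and Win32_SystemDriver because avpu64.sys is registered as a kernel driver service, and Get-Service alone does not list driver services. If the sweep reports findings, treat the host as compromised rather than cleaning it by hand: the advisory notes that the Trojan resists termination and deletion and also restores itself in Safe Mode through the SafeBoot keys.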
