Troj/Haxdoor-CP

Aliases
  • Backdoor.Win32.Haxdoor.ga

Summary
Affected operating systems: Windows
Characteristics
  • Drops more malware
  • Installs itself in the registry
Protection available since: 24 July 2006 14:13:10 (GMT)
Detected by: All Sophos products

More Information

Troj/Haxdoor-CP is a Trojan for the Windows platform.

Troj/Haxdoor-CP runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer.

Troj/Haxdoor-CP includes functionality to:

- stealth its files, processes, registry entries and services
- prevent itself being terminated
- prevent itself being deleted
- disable other software, including anti-virus, firewall and security related applications

Troj/Haxdoor-CP may arrive in an email with the following characteristics:

Subject line: Confirmation for Order WC2905036

Message text: "Dear Sir/Madam,

Thank you for shopping with our internet shop. Your order, WC2905036, has been received. Summary of your order you can see in the attachment file.

This email is to confirm the receipt of your order. Please do not reply as this email was sent from our automated confirmation system.

Please Note: There is no need to re-send your request or call our customer service department for status or tracking number, this will only delay our response time to you. Rest assured, we are making every effort to process and ship your order within 1 to 2 business days. We appreciate your understanding and patience and do value your business.

Once your order has been processed and shipped a FEDEX Tracking number will be automatically emailed to the address provided.

Please Note: Tracking information will be available in FedEx's system only after 10pm EST Monday thru Friday. If you receive a tracking number on Sunday, you will be able to track it Monday evening after 10pm EST.

All orders placed including 1-2 or 2-3 business day options are shipped within 48 hours providing the merchandise is in stock.
All FedEx Ground orders will take 7-10 business days to arrive.

Some packages may require a signature upon delivery. These packages will not be left without a signature. For your convenience, we will email you a FedEx tracking number on all successfully processed and shipped orders.

All Plasma TVs, DVD players, Scanners, Fax Machines, Receivers, Home Theater, and Printers are not returnable after box is opened.

To insure the best handling of your order please allow 24-48 business hours for the processing and the shipping of your order. Thank you for your cooperation.

We hope you enjoy your order! Thank you for shopping with us!"

Attached file: WC2905036.zip

When Troj/Haxdoor-CP is installed the following files are created:

<System>\kgctini.dat
<System>\lps.dat
<System>\qo.dll
<System>\qo.sys
<System>\ycsvga.sys
<System>\yvsvga.dll
<System>\yvsvga.sys

The files qo.dll, qo.sys, ycsvga.sys, yvsvga.dll and yvsvga.sys are detected as Troj/Haxdor-Fam.

The following registry entries are created under a Winlogon Notify subkey so that code exported by yvsvga.dll runs at startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yvsvga
  DllName = yvsvga.dll
  Startup = XFD00Safex
  Impersonate = 1

The file ycsvga.sys is registered as a new system driver service named "ycsvga", with a display name of "NDIS OSI". Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\ycsvga\
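As an added detection example (not part of the Sophos description), the following Python script parses a Windows .reg export and flags the Winlogon Notify package and driver service described above; the indicator names are taken from this page, while the sample export and its benign crypt32chain entry are constructed for illustration.

```python
# Added example (not Sophos code): hunt an exported .reg file for the Winlogon
# Notify package and driver service that Troj/Haxdoor-CP registers.
# Indicator names come from the description above; SAMPLE_REG is constructed.
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
HAXDOOR_NOTIFY_DLLS = {"yvsvga.dll"}
HAXDOOR_SERVICES = {"ycsvga"}
HAXDOOR_DISPLAY_NAMES = {"NDIS OSI"}

def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: data}} (string and dword values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # a new registry key path
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            # dword values are written as dword:XXXXXXXX (hex); strings are quoted
            data = int(data[6:], 16) if data.startswith("dword:") else data.strip('"')
            keys[current][name.strip('"')] = data
    return keys

def find_haxdoor_persistence(text):
    """Return (finding, key) pairs for the Notify-package and driver-service indicators."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if key.lower().startswith(NOTIFY_KEY.lower() + "\\"):
            # any Notify subkey whose DllName is the Haxdoor DLL, regardless of path prefix
            dll = str(values.get("DllName", "")).lower().rsplit("\\", 1)[-1]
            if dll in HAXDOOR_NOTIFY_DLLS:
                findings.append(("winlogon_notify_dll", key))
        elif key.lower().startswith(SERVICES_KEY.lower() + "\\"):
            service = key.rsplit("\\", 1)[-1].lower()
            if service in HAXDOOR_SERVICES or values.get("DisplayName") in HAXDOOR_DISPLAY_NAMES:
                findings.append(("driver_service", key))
    return findings

# Constructed sample export: one legitimate Notify package (crypt32chain) plus the Haxdoor entries.
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"="crypt32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yvsvga]
"DllName"="yvsvga.dll"
"Startup"="XFD00Safex"
"Impersonate"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ycsvga]
"DisplayName"="NDIS OSI"
"""
```

Running `find_haxdoor_persistence(SAMPLE_REG)` reports the yvsvga Notify subkey and the ycsvga service and ignores the benign crypt32chain entry; on a live host, export the two hives with `reg export` and feed the file to the same function.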
