Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Protection available since | 15 August 2006 22:02:39 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
More Information
Troj/Haxdoor-DA is a Trojan for the Windows platform.
Troj/Haxdoor-DA runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer.
Troj/Haxdoor-DA includes functionality to:
- stealth its files, processes, registry entries and services
- prevent itself being terminated
- prevent itself being deleted
- disable other software, including anti-virus, firewall and security related applications
Troj/Haxdoor-DA may arrive in an email message, such as:
Subject:
Confirmation for Order Z3566043
Message text:
Dear Customer,
Thank you for shopping at our shop !
This e-mail is to inform you that your order has been shipped out.
The following information is for your reference (see details in the attachment):
* Order No.: Z3566043
* Order Date: 08/13/2006
------------------------------
SUBTOTAL : $1,769.99
SALESTAX : $0.00
SHIPPING : $16.81
TOTAL : $1,786.80
------------------------------
* Ship Via: FDX Overnight Delivery
[Ship Date :] 08/14/2006 [Tracking No:] 708745655472
Please note that if your order includes more than one package, the
packages may not be delivered at the same time due to the shipping carrier's
schedule and the delivery method, and this is out of our control.
In addition, backordered items will be shipped separately.
You may check the status of your package's progress at our website.
Simply click on "Customer Service", then log into the "Member Center".
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Customers who leave comments for us at either ResellerRatings.com or
Pricegrabber will be eligible to receive a flash drive or other
cool prize! FOUR drawings will take place every month -- one drawing
from each review site on the 1st and the 15th of every calendar month.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Thank you for shopping with us!
15% restocking fee applies to all refunds. All products must be
returned in like-new condition, including original packaging and
all documentation and accessories. Charges will be applied for all
missing accessories or parts.
Our shop will not accept items that have been physically damaged or
misused. Return periods for different product categories range from
zero to 30 days.
Attached file:
Z3566043.zip
When Troj/Haxdoor-DA is installed the following files are created:
<Windows system folder>\kgctini.dat (harmless, may be deleted)
<Windows system folder>\lps.dat (data file, may be deleted)
<Windows system folder>\qo.dll
<Windows system folder>\qo.sys
<Windows system folder>\ycsvgd.sys
<Windows system folder>\ydsvgd.dll
<Windows system folder>\ydsvgd.sys
The files qo.dll, qo.sys, ycsvgd.sys, ydsvgd.dll and ydsvgd.sys are detected as Troj/Haxdor-Fam.
The following registry entries are created to run code exported by ydsvgd.dll on startup:
| Registry key | Value name | Data |
|---|---|---|
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ydsvgd | DllName | ydsvgd.dll |
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ydsvgd | Startup | XWD33Sifix |
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ydsvgd | Impersonate | 1 |
The file ycsvgd.sys is registered as a new system driver service named "ycsvgd", with a display name of "NDIS OSI". Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\ycsvgd\
Troj/Haxdoor-DA also sets the following registry entries to ensure startup in SafeMode:
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ycsvgd.sys
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ycsvgd.sys

