Troj/Haxdoor-E

Aliases	Backdoor.Haxdoor BackDoor-BAC trojan BKDR_HAXDOOR.O
Category	Viruses and Spyware
Type	Trojan
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


Protection available since	13 May 2004 13:57:37 (GMT)
Detected by	All Sophos products

Free virus scan
Download the Threat Detection Test

Free virus, spyware, and adware scan
Test your existing anti-virus protection
Find threats your anti-virus missed

Action

Summary
Action
More Information

Please follow the instructions for removing Trojans.

In Windows NT/2000/XP/2003 you will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
Notify\debugg\

and delete the whole entry if it exists.

Delete the following entries, where possible (any that are locked can be safely ignored):

HKLM\SYSTEM\ControlSet001\Enum\Root\
LEGACY_SDMAPI

HKLM\SYSTEM\ControlSet001\Services\boot32

HKLM\SYSTEM\ControlSet001\Services\sdmapi

HKLM\SYSTEM\CurrentControlSet\Enum\Root\
LEGACY_SDMAPI

HKLM\SYSTEM\CurrentControlSet\Services\boot32

HKLM\SYSTEM\CurrentControlSet\Services\sdmapi

Close the registry editor.

More Information

Summary
Action
More Information

Troj/Haxdoor-E is a backdoor Trojan that provides an unauthorized access to the infected computer through the TCP port connection.

When executed Troj/Haxdoor-E copies itself to the Windows system folder with
the filename w32_ss.exe, attempts to delete klif.sys and klpf.sys files from
the Windows system drivers folder and creates services with the service names
Sdmapi and Boot32 and the display names KeSDM and KeBoot.

To be able run at the restart Troj/Haxdoor-E creates the registry entries

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
Notify\debugg\DllName = hex(2):64,65,62,75,67,67,2e,64,6c,6c,00

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
Notify\debugg\Startup = "MemManager"

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
Notify\debugg\Impersonate = dword:00000001

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
Notify\debugg\Asynchronous = dword:00000001

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
debugg\MaxWait = dword:00000001

Also Troj/Haxdoor-E sets a number of registry entries associated with the
created services under the registry keys

HKLM\SYSTEM\ControlSet001\Enum\Root\
LEGACY_SDMAPI

HKLM\SYSTEM\ControlSet001\Services\boot32
HKLM\SYSTEM\ControlSet001\Services\sdmapi
HKLM\SYSTEM\CurrentControlSet\Enum\Root\
LEGACY_SDMAPI

HKLM\SYSTEM\CurrentControlSet\Services\boot32
HKLM\SYSTEM\CurrentControlSet\Services\sdmapi

Troj/Haxdoor-E creates following files in the Windows system folder:

boot32.sys
c3.dll
c3.sys
c4.sys
debugg.dll
p2.ini
sdmapi.sys

Get reports about the latest virus and spyware threats delivered to your computer

In this section

Troj/Haxdoor-E

Summary

Action

More Information