Sophos

Troj/Haxdoor-ED

Aliases
  • Backdoor.Win32.Haxdoor.ed

Summary

Affected operating systems Windows
Characteristics
  • Drops more malware
  • Installs itself in the registry
Protection available since 8 September 2005 06:03:24 (GMT)
Last updated 25 October 2005 07:57:53 (GMT)
Detected by All Sophos products
  • Endpoint Security and Control 9.0
  • Small business solutions 4.0

More Information

Troj/Haxdoor-ED is a Trojan for the Windows platform.

When run, Troj/Haxdoor-ED creates the following files in the Windows system folder:

avpu32.dll
avpu32.sys
avpu64.sys
klogini.dll
p3.ini
qy.sys
qz.dll
qz.sys

The Trojan logs keypresses to the file klogini.dll. The p3.ini file is harmless and may be safely deleted. The remainder of these files are detected by Sophos's Anti-Virus products as Troj/Haxdoor-ED.

Troj/Haxdoor-ED is a backdoor Trojan that gives remote attackers access to and control over the infected computer. The Trojan attempts to steal login details for WebMoney and other online accounts.

The following entries are created in the system registry:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avpu32
  secureUID
  secureTIME
  DllName = avpu32.dll
  Startup = "MmAllocMap"
  Impersonate = dword:00000001
  Asynchronous = dword:00000001
  MaxWait = dword:00000001

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\avpu32.sys
  (default) = "Driver"

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\avpu64.sys
  (default) = "Driver"

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\avpu32.sys
  (default) = "Driver"

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\avpu64.sys
  (default) = "Driver"

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
  EnforceWriteProtection = dword:00000000

HKLM\SYSTEM\CurrentControlSet\Services\avpu32
  Type = dword:00000001
  Start = dword:00000002
  ErrorControl = dword:00000000
  ImagePath = "<System>\avpu32.sys"
  DisplayName = "TCPIP Kernel32"

HKLM\SYSTEM\CurrentControlSet\Services\avpu32\Security
  Security

HKLM\SYSTEM\CurrentControlSet\Services\avpu64
  Type = dword:00000001
  Start = dword:00000001
  ErrorControl = dword:00000000
  ImagePath = "<System>\avpu64.sys"
  DisplayName = "TCPIP Kernel"
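Added example, not part of the Sophos write-up: an elevated PowerShell audit of the three persistence points listed above (Winlogon Notify packages, the SafeBoot driver lists, and EnforceWriteProtection), flagging any entry whose loaded binary lacks a valid Authenticode signature rather than matching only this sample's file names. The Winlogon Notify key is only present on Windows XP/2003-era systems, so that check is skipped where the key is absent; the helper function names are my own.

```powershell
# Added example (not from the Sophos analysis). Run in an elevated PowerShell.
function Resolve-DriverPath([string]$ImagePath) {
    # Service ImagePath values arrive as "\??\C:\..", "\SystemRoot\System32\..",
    # "System32\drivers\.." or an absolute path; normalise all of them.
    $p = $ImagePath -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-SignatureStatus([string]$Path) {
    if (-not (Test-Path $Path)) { return 'FileMissing' }
    return (Get-AuthenticodeSignature $Path).Status
}

$findings = @()

# 1. Winlogon Notify packages: each subkey's DllName is loaded into winlogon.exe.
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notify) {
    foreach ($k in Get-ChildItem $notify) {
        $p   = Get-ItemProperty $k.PSPath
        $dll = if ($p.DllName -match '^[A-Za-z]:\\') { $p.DllName }
               else { Join-Path "$env:SystemRoot\System32" $p.DllName }
        $sig = Get-SignatureStatus $dll
        if ($sig -ne 'Valid') {
            $findings += "Winlogon Notify '$($k.PSChildName)': $dll [$sig], Startup=$($p.Startup)"
        }
    }
}

# 2. SafeBoot lists: a driver named here is loaded even in Safe Mode.
foreach ($mode in 'Minimal', 'Network') {
    $sb = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
    foreach ($k in Get-ChildItem $sb | Where-Object { $_.PSChildName -like '*.sys' }) {
        $svc = "HKLM:\SYSTEM\CurrentControlSet\Services\" + ($k.PSChildName -replace '\.sys$', '')
        if (-not (Test-Path $svc)) { continue }
        $img = Resolve-DriverPath (Get-ItemProperty $svc).ImagePath
        $sig = Get-SignatureStatus $img
        if ($sig -ne 'Valid') { $findings += "SafeBoot\$mode $($k.PSChildName): $img [$sig]" }
    }
}

# 3. EnforceWriteProtection = 0 turns off write protection on kernel code pages.
$mm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
if ($null -ne $mm.EnforceWriteProtection -and $mm.EnforceWriteProtection -eq 0) {
    $findings += 'Memory Management\EnforceWriteProtection = 0'
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'No findings.' }
```

Signature status alone is a triage signal, not a verdict: some legitimate third-party drivers are unsigned on older systems, so review each warning against the service's DisplayName and file origin before removing anything.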
