Summary

| Field | Value |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 23 August 2004 08:12:18 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
More Information
Troj/Haxdoor-H is a backdoor Trojan that provides unauthorised access to an infected computer.
The installation executable for Troj/Haxdoor-H drops the following files to the Windows system folder: i.a3d, draw32.dll, p2.ini, cm.dll, vdnt32.sys, hm.sys, memlow.sys, wd.sys, klogini.dll (not all of these files will be installed under Windows 95/98/ME). i.a3d, p2.ini and klogini.dll are harmless data files.
On NT-based versions of Windows, services named memlow and vdnt32 (with display names of "LMMngr" and "MemDRV") are created to run memlow.sys and vdnt32.sys respectively, creating registry entries under:
HKLM\SYSTEM\CurrentControlSet\Services\memlow\
HKLM\SYSTEM\CurrentControlSet\Services\vdnt32\
The new memlow service has a startup type set to automatic, so that the service is run automatically on startup.
On NT-based versions of Windows, sub-keys of the following new registry entry are created to load draw32.dll on startup and run the "MemManager" export:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\draw32\
Under Windows 95/98/ME, one of the following sets of registry entries is created, so that draw32.dll is loaded on startup and the "MemManager" export called:
HKLM\System\currentcontrolset\control\mprser\Dllname = draw32.dll
HKLM\System\currentcontrolset\control\mprser\Entrypoint = "MemManager"
HKLM\System\currentcontrolset\control\mprser\StackSize = 0
or:
HKLM\System\currentcontrolset\control\MPRServices\TestService\Dllname = draw32.dll
HKLM\System\currentcontrolset\control\MPRServices\TestService\Entrypoint = "MemManager"
HKLM\System\currentcontrolset\control\MPRServices\TestService\StackSize = 0
(The draw32.dll code runs under the Mprexe system process.)
The following registry entries are also set:
HKLM\SYSTEM\RAdmin\v2.0\Server\Parameters\DisableTrayIcon = 1
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\EnforceWriteProtection = 0
HKLM\SYSTEM\CurrentControlSet\Control\Impersonate =
HKLM\SYSTEM\CurrentControlSet\Control\StackSize = 20:8
Troj/Haxdoor-H will delete the following files if they exist:
%SYSTEM%\drivers\klif.sys
%SYSTEM%\drivers\klpf.sys
Troj/Haxdoor-H attempts to disable certain anti-virus and security related programs and may attempt to prevent itself and its dropped components from being deleted.
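The following PowerShell script is an added example, not part of the Sophos analysis above and not Sophos code: it is a read-only check that looks for the artifacts the analysis lists (dropped files in the system folder, the memlow and vdnt32 services, the Winlogon Notify and service registry keys, the EnforceWriteProtection and RAdmin values, and the absence of the two driver files the Trojan deletes). It assumes an elevated PowerShell session on an NT-based Windows host, and it only reports; removal should follow the Trojan removal instructions referenced in the Action section.

```powershell
# Added example (not from the Sophos page): read-only check for the
# Troj/Haxdoor-H indicators described in the analysis above.
# Assumption: run elevated on the NT-based Windows host being examined.

$sysDir = [Environment]::SystemDirectory   # e.g. C:\Windows\System32
$findings = @()

# Files the dropper writes to the Windows system folder (from the analysis).
$droppedFiles = 'i.a3d', 'draw32.dll', 'p2.ini', 'cm.dll', 'vdnt32.sys',
                'hm.sys', 'memlow.sys', 'wd.sys', 'klogini.dll'
foreach ($f in $droppedFiles) {
    $p = Join-Path $sysDir $f
    if (Test-Path -LiteralPath $p) { $findings += "file present: $p" }
}

# Services created on NT-based Windows, keyed by service name -> display name.
$services = @{ 'memlow' = 'LMMngr'; 'vdnt32' = 'MemDRV' }
foreach ($name in $services.Keys) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc) {
        $findings += "service present: $name (display name '$($svc.DisplayName)', " +
                     "analysis lists '$($services[$name])', status $($svc.Status))"
    }
}

# Registry keys the analysis says are created; the Winlogon Notify key is the
# one that loads draw32.dll and calls its MemManager export at logon.
$registryKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\memlow',
    'HKLM:\SYSTEM\CurrentControlSet\Services\vdnt32',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\draw32'
)
foreach ($k in $registryKeys) {
    if (Test-Path -LiteralPath $k) {
        $findings += "registry key present: $k"
        # Dump the values under the key so the analyst sees what it points at.
        Get-ItemProperty -LiteralPath $k -ErrorAction SilentlyContinue |
            Select-Object -Property * -ExcludeProperty PS* |
            ForEach-Object { $findings += "    values: $($_ | Out-String -Width 200)".TrimEnd() }
    }
}

# Values the analysis says are set. EnforceWriteProtection = 0 weakens kernel
# write protection; a 0 here is suspicious but not by itself conclusive.
$valueChecks = @(
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
       Name = 'EnforceWriteProtection'; Expected = 0 },
    @{ Key = 'HKLM:\SYSTEM\RAdmin\v2.0\Server\Parameters'
       Name = 'DisableTrayIcon'; Expected = 1 }
)
foreach ($vc in $valueChecks) {
    $item = Get-ItemProperty -LiteralPath $vc.Key -Name $vc.Name -ErrorAction SilentlyContinue
    if ($item -and $item.($vc.Name) -eq $vc.Expected) {
        $findings += "registry value matches analysis: $($vc.Key)\$($vc.Name) = $($vc.Expected)"
    }
}

# The Trojan deletes these two driver files if present. Their absence only
# matters if the security product that installs them is expected on this host.
foreach ($drv in 'klif.sys', 'klpf.sys') {
    $p = Join-Path $sysDir "drivers\$drv"
    if (-not (Test-Path -LiteralPath $p)) {
        $findings += "driver absent (meaningful only if its product is installed): $p"
    }
}

if ($findings.Count -eq 0) {
    'No Troj/Haxdoor-H indicators from the analysis were found.'
} else {
    "Troj/Haxdoor-H indicators found ($($findings.Count)):"
    $findings | ForEach-Object { "  $_" }
}
```

Run it from an elevated prompt and keep the output with the incident record; the file and service names are taken directly from the analysis, so a hit on several of them at once is far stronger evidence than any single line, and the two driver-absence lines are expected on hosts that never had those drivers.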
