Sophos

Troj/Haxdoor-K

Aliases
  • Backdoor.Win32.Haxdoor.ak
  • BacDoor-BAC.gen.trojan

Summary

 
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 22 September 2004 07:58:49 (GMT)
Detected by All Sophos products

More Information

Troj/Haxdoor-K is a backdoor Trojan for the Windows platform that provides unauthorised access to the infected computer.

Troj/Haxdoor-K may be downloaded as a file called appl.exe from http://babes.rompl.net/.

When executed, the Troj/Haxdoor-K main component copies itself to the Windows system folder with the filename vtd_16.exe and drops the following files:

cm.dll
draw32.dll
hm.sys
memlow.sys
p2.ini
vdnt32.sys
wd.sys
i.a3d
klogini.dll

where p2.ini, i.a3d and klogini.dll are log data files.

To run again after a restart, Troj/Haxdoor-K installs services with the following characteristics:

servicename = memlow
imagepath = \\<Windows>\<system>\memlow.sys

and

servicename = vdnt32
imagepath = \\<Windows>\<system>\vdnt32.sys

and may add a new registry entry to:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\

with the path to vtd_16.exe.
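The artifacts listed above can be checked on a host with a short triage script. This is an added example, not Sophos code; it assumes the "Windows system folder" is %SystemRoot%\System32 (System is also checked) and that the services are registered under HKLM\SYSTEM\CurrentControlSet\Services. The function name Find-HaxdoorKArtifact is hypothetical.

```powershell
# Added example: host triage for the Troj/Haxdoor-K artifacts named in this description.
# Assumption: the system folder is %SystemRoot%\System32 or %SystemRoot%\System.
$fileNames    = 'vtd_16.exe','cm.dll','draw32.dll','hm.sys','memlow.sys',
                'p2.ini','vdnt32.sys','wd.sys','i.a3d','klogini.dll'
$serviceNames = 'memlow','vdnt32'
$runKey       = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'

function Find-HaxdoorKArtifact {
    $findings = @()

    # 1. Copied and dropped files in the system folder(s).
    foreach ($dir in 'System32','System') {
        foreach ($name in $fileNames) {
            $path = Join-Path (Join-Path $env:SystemRoot $dir) $name
            if (Test-Path -LiteralPath $path) {
                $findings += [pscustomobject]@{ Type = 'File'; Item = $path; Detail = '' }
            }
        }
    }

    # 2. Service entries named memlow / vdnt32, with their ImagePath for review.
    foreach ($svc in $serviceNames) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        if (Test-Path -LiteralPath $key) {
            $image = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).ImagePath
            $findings += [pscustomobject]@{ Type = 'Service'; Item = $svc; Detail = $image }
        }
    }

    # 3. Any Run value whose data points at vtd_16.exe (the value name is not given).
    $run = Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($p in $run.PSObject.Properties) {
            if ($p.Name -notlike 'PS*' -and "$($p.Value)" -match 'vtd_16\.exe') {
                $findings += [pscustomobject]@{ Type = 'RunValue'; Item = $p.Name; Detail = $p.Value }
            }
        }
    }
    $findings
}

$result = Find-HaxdoorKArtifact
if ($result) { $result | Format-Table -AutoSize }
else { 'None of the listed Troj/Haxdoor-K artifacts were found.' }
```

A file-name match alone is a lead rather than a verdict; a service entry whose ImagePath ends in memlow.sys or vdnt32.sys, together with a Run value for vtd_16.exe, matches the installation behaviour described here.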

For more information please see the Troj/Haxdoor-H Trojan description.

Sophos anti-virus products since version 3.85 have been capable of detecting Troj/Haxdoor-K as Troj/Haxdor-Fam without requiring an update.
