Sophos

Troj/Haxdoor-L

Summary

Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 22 September 2004 09:36:21 (GMT)
Detected by All Sophos products

More Information

Troj/Haxdoor-L is a backdoor Trojan that provides unauthorised access to an infected computer via IRC channels.

The installation executable for Troj/Haxdoor-L copies itself to the Windows system folder and drops the following files there: i.a3d or ps.a3d, draw32.dll, p2.ini, cm.dll, vdnt32.sys, hm.sys, memlow.sys, wd.sys and klogini.dll (not all of these files are installed under Windows 95/98/ME). Some of these files are detected as Troj/Haxdoor-K. i.a3d/ps.a3d, p2.ini and klogini.dll are harmless data files, for which there is no detection.

On NT-based versions of Windows, services named memlow and vdnt32 (with display names "LMMngr" and "MemDRV" respectively) are created to run memlow.sys and vdnt32.sys, creating registry entries under:

HKLM\SYSTEM\CurrentControlSet\Services\memlow\
HKLM\SYSTEM\CurrentControlSet\Services\vdnt32\

The memlow service has its startup type set to automatic, so it is started each time the system boots. vdnt32.sys is configured to load automatically on startup as a driver.

On NT-based versions of Windows, sub-keys of the following new registry entry are created so that draw32.dll is loaded on startup and its "MemManager" export is run:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
Notify\draw32\

Under Windows 95/98/ME one of the following sets of registry entries is created, so that draw32.dll is loaded on startup and the "MemManager" export called:

HKLM\System\currentcontrolset\control\mprser\
Dllname = draw32.dll

HKLM\System\currentcontrolset\control\mprser\
Entrypoint = "MemManager"

HKLM\System\currentcontrolset\control\mprser\
StackSize = 0

HKLM\System\currentcontrolset\control\MPRServices\
TestService\Dllname = draw32.dll

HKLM\System\currentcontrolset\control\MPRServices\
TestService\Entrypoint = "MemManager"

HKLM\System\currentcontrolset\control\MPRServices\
TestService\StackSize = 0

(This causes the draw32.dll code to run inside the Mprexe system process.)

The following registry entries are also set:

HKLM\SYSTEM\RAdmin\v2.0\Server\Parameters\DisableTrayIcon = 1

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
Memory Management\EnforceWriteProtection = 0

HKLM\SYSTEM\CurrentControlSet\Control\Impersonate =

HKLM\SYSTEM\CurrentControlSet\Control\StackSize
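As an added defender-side example (not part of the Sophos analysis), this Python script parses a regedit text export (.reg) and flags the service, Winlogon Notify, MPRServices and EnforceWriteProtection artefacts described above. The sample export is constructed, and the script assumes the export spells the hive out as HKEY_LOCAL_MACHINE rather than HKLM.

```python
# Added example: flag Troj/Haxdoor-L registry artefacts in an exported .reg file.
# Paths and data come from the Sophos description; .reg exports write HKEY_LOCAL_MACHINE, not HKLM.
KEY_INDICATORS = {
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\memlow": "memlow service (memlow.sys)",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vdnt32": "vdnt32 driver (vdnt32.sys)",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\draw32":
        "Winlogon Notify package loading draw32.dll",
}
# (key path suffix, value name, expected data, description); all matched case-insensitively
VALUE_INDICATORS = [
    (r"Control\Session Manager\Memory Management", "EnforceWriteProtection", "0", "kernel write protection disabled"),
    (r"Control\MPRServices\TestService", "Dllname", "draw32.dll", "Win9x MPR service loads draw32.dll"),
]
def parse_reg_export(text):
    """Parse .reg text into {key: {value_name_lower: data}}; dword data is decoded to decimal."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            if data.startswith("dword:"):
                data = str(int(data[6:], 16))
            keys[current][name.strip('"').lower()] = data.strip('"')
    return keys

def scan_registry_export(text):
    findings = []  # one human-readable line per indicator key or value present
    for key, values in parse_reg_export(text).items():
        k = key.lower()
        for path, desc in KEY_INDICATORS.items():
            if k == path.lower() or k.startswith(path.lower() + "\\"):  # key or any sub-key
                findings.append(f"{key}: {desc}")
        for suffix, name, expected, desc in VALUE_INDICATORS:
            if k.endswith(suffix.lower()) and values.get(name.lower(), "").lower() == expected:
                findings.append(f"{key}\\{name} = {expected}: {desc}")
    return findings

# Constructed sample export (not a real capture): two persistence keys and one tamper value.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\memlow]
"DisplayName"="LMMngr"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\draw32]
"DllName"="draw32.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"EnforceWriteProtection"=dword:00000000
"""
```

Running `scan_registry_export(SAMPLE_EXPORT)` returns three findings, one for each of the memlow service, the Winlogon Notify package and the disabled write protection.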

Troj/Haxdoor-L will delete the following files if they exist:

%SYSTEM%\drivers\klif.sys
%SYSTEM%\drivers\klpf.sys

Troj/Haxdoor-L attempts to disable certain anti-virus and security related programs and may attempt to prevent its registry entries and files from being deleted.

Each time the Trojan is run it tries to connect to a remote IRC server on port 6667 using a random nickname and join a predetermined channel. The Trojan then runs continuously in the background, listening on the channel for instructions issued by a remote intruder.
