Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Protection available since | 4 January 2005 09:22:48 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
More Information
Troj/Haxdoor-Q is a backdoor Windows Trojan that provides unauthorised access to an infected computer.
When run, the Trojan drops the files cm.dll, draw32.dll, hm.sys, vdnt32.sys, mewlow.sys and wd.sys in the Windows System folder (not all of these files may be installed under Windows 95/98/ME).
Files hm.sys and vdnt32.sys are currently being detected by Sophos as Troj/Haxdor-Fam.
Troj/Haxdoor-Q also creates the harmless data files p2.ini and i.a3d in the Windows System folder. These data files are non-viral and can be safely deleted.
On Windows NT-based operating systems, the Trojan creates two services named vdnt32 (with the display name "MemDRV") and mewlow (with the display name "LMMngr") to run vdnt32.sys and mewlow.sys respectively. Troj/Haxdoor-Q then creates the following registry entries so that these services are started at boot:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VDNT32
HKLM\SYSTEM\CurrentControlSet\Services\vdnt32
HKLM\SYSTEM\CurrentControlSet\Services\mewlow
On Windows NT-based operating systems, Troj/Haxdoor-Q creates the following registry entry so as to load draw32.dll into Winlogon on computer startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\draw32\
On Windows 9x operating systems, the Trojan creates the following registry entries so as to use the MPR service to run itself on computer startup:

| Key | Value | Data |
|---|---|---|
| HKLM\System\CurrentControlSet\Control\MPRServices\TestService | DllName | draw32.dll |
| HKLM\System\CurrentControlSet\Control\MPRServices\TestService | EntryPoint | MedManager |
| HKLM\System\CurrentControlSet\Control\MPRServices\TestService | StackSize | dword:00000000 |
| HKLM\System\CurrentControlSet\Control | StackSize | 4:1 |
| HKLM\System\CurrentControlSet\Control | Impersonate | <random number> |
When run, Troj/Haxdoor-Q also creates the following registry entry:

| Key | Value | Data |
|---|---|---|
| HKLM\System\RAdmin\v2.0\Server\Parameters | DisableTrayIcon | hex:01,00,00,00 |

This is the configuration key of the Remote Administrator (Radmin) remote-control server; setting DisableTrayIcon to 1 hides the tray icon that Radmin would otherwise show while its server is running, so its presence on a machine that should not have Radmin installed is itself worth investigating.
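The files, services and registry keys listed above are the indicators a responder would sweep for. The following PowerShell script is an added example written for this page, not Sophos code and not part of the removal instructions linked above; it assumes a modern Windows host (Windows PowerShell 3 or later, run as Administrator so HKLM and the System folder are fully readable). On such a host the Winlogon\Notify and MPRServices mechanisms are no longer honoured, but the keys and files can still be present and are used here purely as indicators; the exit code is an assumption chosen so the script can be chained into a wider sweep.

```powershell
# Added example: hunt a live Windows host for the Troj/Haxdoor-Q artifacts listed on this page.
# Not Sophos code. Assumes Windows PowerShell 3+ running elevated. The Notify/MPRServices
# persistence does not work on modern Windows, but leftover keys and files are still indicators.

$sys32 = Join-Path $env:SystemRoot 'System32'

# Dropped binaries plus the two non-viral data files (p2.ini, i.a3d) named in the description.
$droppedFiles = @('cm.dll','draw32.dll','hm.sys','vdnt32.sys','mewlow.sys','wd.sys','p2.ini','i.a3d')

# Persistence keys on NT-based and 9x systems, plus the Radmin tray-icon setting.
$regKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VDNT32',
    'HKLM:\SYSTEM\CurrentControlSet\Services\vdnt32',
    'HKLM:\SYSTEM\CurrentControlSet\Services\mewlow',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\draw32',
    'HKLM:\SYSTEM\CurrentControlSet\Control\MPRServices\TestService',
    'HKLM:\SYSTEM\RAdmin\v2.0\Server\Parameters'
)

# Values worth surfacing when a key exists: where the service/DLL points and the Radmin flag.
$valueNames = @('ImagePath','DllName','EntryPoint','DisableTrayIcon')

$findings = New-Object System.Collections.Generic.List[object]

# 1. Dropped files in the System folder.
foreach ($name in $droppedFiles) {
    $path = Join-Path $sys32 $name
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path
        $findings.Add([pscustomobject]@{
            Type   = 'File'
            Where  = $path
            Detail = "size=$($item.Length) modified=$($item.LastWriteTime)"
        })
    }
}

# 2. Registry keys; summarise the interesting values under each one that exists.
foreach ($key in $regKeys) {
    if (Test-Path -LiteralPath $key) {
        $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        $detail = $valueNames |
            Where-Object { $props.PSObject.Properties.Name -contains $_ } |
            ForEach-Object { "$_=$($props.$_)" }
        $findings.Add([pscustomobject]@{
            Type   = 'Registry'
            Where  = $key
            Detail = ($detail -join '; ')
        })
    }
}

# 3. Driver services by name or display name. vdnt32.sys/mewlow.sys are kernel drivers, so
#    query Win32_SystemDriver rather than Get-Service, which only lists Win32 services.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver -ErrorAction SilentlyContinue
foreach ($drv in $drivers) {
    if ($drv.Name -in @('vdnt32','mewlow') -or $drv.DisplayName -in @('MemDRV','LMMngr')) {
        $findings.Add([pscustomobject]@{
            Type   = 'Driver'
            Where  = $drv.Name
            Detail = "display='$($drv.DisplayName)' state=$($drv.State) path=$($drv.PathName)"
        })
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Troj/Haxdoor-Q indicators found.'
    exit 0
} else {
    $findings | Format-Table -AutoSize
    # Non-zero exit so a fleet-wide sweep can flag this host (assumed convention, not Sophos's).
    exit 1
}
```

A hit on the RAdmin key alone is not conclusive, since a legitimately installed Radmin server writes the same key; treat it as corroborating evidence next to the dropped files and the vdnt32/mewlow driver services, and keep the p2.ini and i.a3d data files as context for the timeline rather than as proof of infection on their own.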
Sophos's anti-virus products include proactive protection technology, which can defend against new threats without requiring an update. Sophos customers have been protected against Troj/Haxdoor-Q (detected as Troj/Haxdor-Fam) since version 3.89.
