Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Protection available since | 15 May 2005 15:46:24 (GMT) |
| Last updated | 20 May 2005 09:31:54 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
Please contact technical support.
More Information
Troj/Haxdoor-Y is a backdoor Trojan that provides unauthorised access to an infected system.
Troj/Haxdoor-Y attempts to use stealthing to prevent the detection and removal of its files.
When the Trojan is installed the following files may be created:
<SYSTEM>\avpx32.dll
<SYSTEM>\avpx32.sys
<SYSTEM>\avpx64.sys
<SYSTEM>\p3.ini
<SYSTEM>\qy.sys
<SYSTEM>\qz.dll
<SYSTEM>\qz.sys
The Trojan registers AVPX32.SYS as a service process AVPX32 with display name "AVPX TCP". The Trojan also registers AVPX64.SYS as a driver AVPX64 with display name "AVPX64 TCP".
The Trojan creates the following registry entries in order to run itself on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avpx32
DllName
61,76,70,78,33,32,2e,64,6c,6c,00
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avpx32
Startup
MmMapView3
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avpx32
Impersonate
1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avpx32
Asynchronous
1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avpx32
MaxWait
1
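
The Winlogon Notify indicators listed above can be checked against a registry export taken from a suspect machine. The Python below is an added example, not part of the original Sophos description: the `.reg` export text in `SAMPLE`, the function names and the `hex:` value type are assumptions, and the matched values come from this page.

```python
import re

# Indicators taken from the description above.
NOTIFY_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" + "\\"
BAD_DLLS = {"avpx32.dll", "qz.dll"}   # DLL names from the created-files list
BAD_STARTUP = "MmMapView3"            # Startup export name from the Notify entry

def decode_reg_data(raw):
    """Decode a .reg value: a "quoted string" or a hex:/hex(N): byte list."""
    raw = raw.strip()
    if raw.startswith('"'):
        return raw.strip('"')
    m = re.match(r"hex(?:\([0-9a-f]+\))?:(.*)", raw, re.I | re.S)
    if not m:
        return raw  # e.g. dword:00000001, returned unchanged
    data = bytes(int(b, 16) for b in re.findall(r"[0-9a-fA-F]{2}", m.group(1)))
    # Exports of string types are UTF-16LE (every second byte zero);
    # the byte list shown on this page is single-byte text.
    if len(data) >= 2 and len(data) % 2 == 0 and all(b == 0 for b in data[1::2]):
        return data.decode("utf-16-le").rstrip("\x00")
    return data.decode("latin-1").rstrip("\x00")

def find_notify_hits(reg_text):
    """Return (subkey, value name, decoded data) for Notify values matching the indicators."""
    hits, subkey = [], None
    text = reg_text.replace("\\\n", "")  # join hex continuation lines
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            key = line.strip("[]")
            is_notify = key.upper().startswith(NOTIFY_PREFIX.upper())
            subkey = key[len(NOTIFY_PREFIX):] if is_notify else None
        elif subkey and "=" in line:
            name, raw = line.split("=", 1)
            name, value = name.strip('"'), decode_reg_data(raw)
            if (name.lower() == "dllname" and value.lower() in BAD_DLLS) or \
               (name.lower() == "startup" and value == BAD_STARTUP):
                hits.append((subkey, name, value))
    return hits

# Constructed sample export: one ordinary Notify package and the entry described above.
SAMPLE = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"="crypt32.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avpx32]
"DllName"=hex:61,76,70,78,33,32,2e,64,6c,6c,00
"Startup"="MmMapView3"
'''

if __name__ == "__main__":
    print(find_notify_hits(SAMPLE))
```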
