Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Included in our products from | June 2006 (4.06) |
| Protection available since | 14 April 2006 13:10:56 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing Trojans.
More Information
Troj/Haxdoor-BQ is a backdoor Trojan for the Windows platform.
When Troj/Haxdoor-BQ is installed the following files are created:
<Temp>\temp.exe
<System>\config\ssl
<System>\klo5.sys
<System>\klogini.dll
<System>\p3.ini
<System>\ps.a3d
<System>\qy.sys
<System>\qz.dll
<System>\qz.sys
<System>\vinm32.dll
<System>\vinm32.sys
<System>\vinm64.sys
<System>\winm32.dll
<System>\winm32.sys
<System>\winm64.sys
The files qy.sys, qz.sys, vinm32.sys, vinm64.sys, winm32.sys and winm64.sys are detected as Troj/Haxdor-Gen and the files qz.dll, vinm32.dll and winm32.dll are detected as Troj/Haxdor-Fam.
The following registry entries are created to run code exported by winm32.dll on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winm32
DllName = winm32.dll
Startup = MemMMView7
Impersonate = 1
The file winm32.sys is registered as a new system driver service named "winm32", with a display name of "winm TCP" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\winm32\
The file winm64.sys is registered as a new system driver service named "winm64", with a display name of "winm64 TCP". Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\winm64\
The following registry entry is set, affecting internet security:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
C:\WINDOWS\Explorer.EXE = <Windows>\Explorer.EXE:*:Enabled:explorer
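The file, Winlogon Notify, driver-service and firewall artifacts listed above can be checked for in one read-only pass. The script below is an added example and not Sophos code; it assumes `<System>` is `%SystemRoot%\System32` and `<Temp>` is `%TEMP%`, and it only reports, it does not remove anything.

```powershell
# Added example (not Sophos code): report Troj/Haxdoor-BQ artifacts from the advisory.
# Assumes <System> = %SystemRoot%\System32 and <Temp> = %TEMP%. Read-only; run elevated.
$sys = Join-Path $env:SystemRoot 'System32'
$findings = @()

# 1. Files the Trojan drops
$files = @("$env:TEMP\temp.exe", "$sys\config\ssl") +
    ('klo5.sys','klogini.dll','p3.ini','ps.a3d','qy.sys','qz.dll','qz.sys',
     'vinm32.dll','vinm32.sys','vinm64.sys','winm32.dll','winm32.sys','winm64.sys' |
     ForEach-Object { Join-Path $sys $_ })
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

# 2. Winlogon Notify package that loads winm32.dll at logon (DllName / Startup / Impersonate)
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winm32'
if (Test-Path -LiteralPath $notify) {
    $v = Get-ItemProperty -LiteralPath $notify
    $findings += "Winlogon Notify key present: DllName=$($v.DllName) Startup=$($v.Startup) Impersonate=$($v.Impersonate)"
}

# 3. Driver services winm32 ("winm TCP") and winm64 ("winm64 TCP")
foreach ($svc in 'winm32','winm64') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (Test-Path -LiteralPath $key) {
        $p = Get-ItemProperty -LiteralPath $key
        $findings += "Service '$svc' registered: DisplayName='$($p.DisplayName)' Start=$($p.Start) ImagePath=$($p.ImagePath)"
    }
}

# 4. Windows Firewall exception added for Explorer.EXE (value name is the full path)
$fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
if (Test-Path -LiteralPath $fw) {
    $exp = Join-Path $env:SystemRoot 'Explorer.EXE'
    $val = (Get-ItemProperty -LiteralPath $fw -ErrorAction SilentlyContinue).$exp
    if ($val) { $findings += "Firewall exception for Explorer.EXE: $val" }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'No Troj/Haxdoor-BQ artifacts found.' }
```

The Winlogon Notify and SharedAccess firewall keys only exist on the Windows versions this Trojan targeted (XP/2003 era), so an absent key on a newer system is expected rather than a clean result for the other checks.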
