Sophos

Troj/Haxdoor-DC


Summary

 
Affected operating systems Windows
Characteristics
  • Drops more malware
  • Installs itself in the registry
Included in our products from October 2006 (4.10)
Protection available since 31 August 2006 07:23:35 (GMT)
Detected by All Sophos products

More Information

Troj/Haxdoor-DC is a backdoor Trojan which allows a remote intruder to gain access and control over the computer.

Troj/Haxdoor-DC includes functionality to access the internet and communicate with a remote server via HTTP.

Troj/Haxdoor-DC has been spammed out in email messages with the following characteristics:

Subject lines:

Secondary Highly Paid Job
Open vacancy: Perfect offer
JOB: Start earning right now!
Perfect Job. Your Chance
JOB: Change you life!
Urgent! We seek you!
Perfect Job. Your Chance

Message Text:

Hello! Maybe you can explain me what's going on? My name is Anne Forbes,
since recent times I've been working online for a company, which has a site
www.transfer-express.biz. I performed financial transactions consisted
in receiving and transferring money into different payment systems.
When I read notifications from company about new tasks, in the letter's
recipients list were more than one e-mail, including yours: glenine@bigpond.com.

Maybe you are also member of the company? The last received order was to
receive large amount of money (40000 USD) transferred on my Bank of America
account. However, the task wasn't completely fulfilled. Those properties
given by the company, turned out to be closed for some reason. I wanted to
write in Support service, but to my great surprise, the site of this
organization is not available now, and e-mail sends back letters.

I think you are somehow related to the company and will be able to help me.
I responsibly performed my duties and am willing to work again. In the
attachment I wrote the details of received payment, fed ware, and properties,
given for sending. I'm looking forward to hearing from you soon.

Anne Forbes.

When Troj/Haxdoor-DC is installed the following files are created:

<System>\prt47sys.sys
<System>\sysprint.dll

The file prt47sys.sys is detected as Troj/Haxdor-Gen and the file sysprint.dll is detected as Troj/Haxdor-Fam.

The following registry entries are created to run code exported by sysprint.dll on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sysprint
    DllName = sysprint.dll
    Startup = sysprint
    Impersonate = 1

The file prt47sys.sys is registered as a new system driver service named "prt47sys", with a display name of "PRT4701 Printer driver". Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\prt47sys\

The following registry entries are set, adding the Trojan to the Windows Firewall's list of authorized applications so that its network traffic is allowed through:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    <pathname of the Trojan executable> = <original filename>:*:Enabled:explorer
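The three persistence and firewall artefacts listed above can be checked offline against a registry export taken from a suspect machine. The following Python script is an added example (not Sophos code and not part of the original description): it parses the subset of .reg syntax needed here and reports the Winlogon Notify package, the prt47sys driver service and an AuthorizedApplications entry that is labelled "explorer" but does not point at explorer.exe. The embedded .reg text is constructed for the example; the Trojan's path is a placeholder because the description does not give it, and the ImagePath and Windows Messenger entries are assumed values included for realism.

```python
"""Offline triage of a Windows registry export (.reg) for the Troj/Haxdoor-DC
persistence indicators: the 'sysprint' Winlogon Notify package, the
'prt47sys' driver service and a firewall exception disguised as 'explorer'."""
import ntpath
import re
from typing import Dict, List

# Registry locations named in the Sophos description (HKLM spelled out as a
# .reg export writes it).
WINLOGON_NOTIFY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
                   r"\CurrentVersion\Winlogon\Notify")
SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
FW_LIST = (SERVICES + r"\SharedAccess\Parameters\FirewallPolicy"
           r"\StandardProfile\AuthorizedApplications\List")

# Constructed .reg export, NOT captured from an infected host.  The Trojan
# executable path is a placeholder (the description does not name it); the
# ImagePath and the Windows Messenger entry are assumed values for realism.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sysprint]
"DllName"="sysprint.dll"
"Startup"="sysprint"
"Impersonate"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\prt47sys]
"DisplayName"="PRT4701 Printer driver"
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\prt47sys.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\TROJAN_PATH_PLACEHOLDER\\dropper.exe"="C:\\TROJAN_PATH_PLACEHOLDER\\dropper.exe:*:Enabled:explorer"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
'''

_VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')


def _unescape(s: str) -> str:
    """.reg exports double every backslash inside quoted names and strings."""
    return s.replace("\\\\", "\\")


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [key] headers followed by "name"="string" / "name"=dword:hex lines.
    Returns {key path: {value name: data as text}}; dwords become decimal."""
    hives: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            hives.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, string, dword = m.groups()
            data = _unescape(string) if string is not None else str(int(dword, 16))
            hives[current][_unescape(name)] = data
    return hives


def triage(hives: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one finding per Haxdoor-DC indicator present in the export."""
    findings: List[str] = []

    # 1. Winlogon Notify package: the DLL is loaded into winlogon.exe, which
    #    runs as SYSTEM, so sysprint.dll executes at every boot/logon.
    notify = hives.get(WINLOGON_NOTIFY + r"\sysprint", {})
    if notify.get("DllName", "").lower() == "sysprint.dll":
        findings.append(
            "winlogon-notify: sysprint.dll registered as a Notify package "
            f"(Startup={notify.get('Startup')!r}, Impersonate={notify.get('Impersonate')!r})")

    # 2. Kernel driver service hiding behind a printer-driver display name.
    svc = hives.get(SERVICES + r"\prt47sys", {})
    if svc:
        findings.append(
            f"driver-service: prt47sys present (DisplayName={svc.get('DisplayName')!r}, "
            f"ImagePath={svc.get('ImagePath')!r})")

    # 3. Firewall exception whose friendly name is 'explorer' but whose path is
    #    not explorer.exe.  Entry data: <path>:<scope>:<Enabled|Disabled>:<name>
    for _value_name, data in hives.get(FW_LIST, {}).items():
        fields = data.rsplit(":", 3)  # rsplit because the drive letter holds a ':'
        if len(fields) != 4:
            continue
        exe_path, _scope, state, name = fields
        if (state.lower() == "enabled" and name.lower() == "explorer"
                and ntpath.basename(exe_path).lower() != "explorer.exe"):
            findings.append(
                f"firewall-exception: {exe_path} allowed through the firewall "
                "under the name 'explorer'")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_reg(SAMPLE_REG)):
        print(finding)
```

To use it on a real case, export the three keys with `reg export` (or parse an offline hive with a forensic tool into the same dict shape) and pass the text to `parse_reg`; the firewall check deliberately keys on the mismatch between the exception's display name and its executable rather than on a fixed path, since the Trojan's path is not fixed.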
