Summary

| Affected operating systems | Windows |
|---|---|
| Included in our products from | November 2006 (4.11) |
| Protection available since | 6 April 2005 09:40:00 (GMT) |
| Last updated | 12 October 2006 13:10:43 (GMT) |
| Detected by | All Sophos products |
The name Troj/Haxdor-Gen is used where a file belongs to a particular family of Trojans, but the variant is not separately identified. Sophos's proactive protection technology will identify such files as a -Gen variant.
Action
- Ensure that you are using the most recent IDE files, as more precise detection could now be available. If necessary:
  - update with the latest IDE files and
  - repeat the scan.
- Please send us a sample to assist in improving our technology.
- Use the instructions for removing generically detected files to delete the file from your computer.
- If you require further assistance with disinfection, contact support.
More Information
Troj/Haxdor-Gen is a family of backdoor Trojans that provide unauthorised access to an infected computer.
Some members of Troj/Haxdor-Gen attempt to copy themselves to the Windows system folder with the filename W32_SS.EXE or VTD_16.EXE and may set the following registry entries so as to run themselves on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Some members of Troj/Haxdor-Gen attempt to drop some of the following files in the Windows system folder:
- DEBUG.DLL
- DRAW32.DLL
- C3.DLL
- CM.DLL
- SDMAPI.SYS
- BOOT32.SYS
- VDNT32.SYS
- MEMLOW.SYS
- C3.SYS
- C4.SYS
- HM.SYS
- WD.SYS
Troj/Haxdor-Gen may drop further files for keystroke logging or to direct how the Trojan will behave with filenames including the following:
- P2.INI
- KLOG.SYS
- KLO5.SYS
- KLIF.SYS
- KLPF.SYS
- KLOGINI.DLL
- IN.A3D
- I.A3D
- PS.A3D
- ERROR.A3D
Some members of Troj/Haxdor-Gen attempt to disable certain anti-virus and security programs and may attempt to prevent themselves and their dropped components from being deleted.
Troj/Haxdor-Gen may also attempt to create two services in order to run two of the dropped files on system startup. One service typically has a Service Name of SDMAPI or VDNT32, a Display Name of KESDM or MEMDRV, and runs SDMAPI.SYS or VDNT32.SYS. The other service typically has a Service Name of BOOT32 or MEMLOW, a Display Name of KEBOOT or LMMNGR, and runs BOOT32.SYS or MEMLOW.SYS.
Some members of Troj/Haxdor-Gen may drop a file that overwrites WIN.COM or NTDETECT.COM; when run, this file overwrites all sectors of all available hard disks. The file may be dropped after a specified date if the P2.INI file is so configured, or when the appropriate command is received by the backdoor Trojan.
Some members of Troj/Haxdor-Gen employ a large degree of stealthing to prevent the detection and removal of their files, registry entries and services, and also provide the means to restore them if they are removed.
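The indicators above (dropped filenames, the Run key, and the service name/display name/driver pairings) can be checked together on a host inventory. The following is an added example written for this page, not Sophos code; it assumes a snapshot layout with `system_files`, `run_values` and `services` keys, and runs against a constructed sample.

```python
# Added example (not Sophos code): match a constructed host snapshot against the
# Troj/Haxdor-Gen indicators listed on this page. The snapshot layout is assumed.
import ntpath

# Filenames the page says may be dropped into the Windows system folder
DROPPED = {"W32_SS.EXE", "VTD_16.EXE", "DEBUG.DLL", "DRAW32.DLL", "C3.DLL", "CM.DLL",
           "SDMAPI.SYS", "BOOT32.SYS", "VDNT32.SYS", "MEMLOW.SYS", "C3.SYS", "C4.SYS",
           "HM.SYS", "WD.SYS"}
# Keystroke-log / configuration files the page names
CONFIG = {"P2.INI", "KLOG.SYS", "KLO5.SYS", "KLIF.SYS", "KLPF.SYS", "KLOGINI.DLL",
          "IN.A3D", "I.A3D", "PS.A3D", "ERROR.A3D"}
# Service name -> (display names, driver images) pairings described on the page
SERVICES = {
    "SDMAPI": ({"KESDM", "MEMDRV"}, {"SDMAPI.SYS", "VDNT32.SYS"}),
    "VDNT32": ({"KESDM", "MEMDRV"}, {"SDMAPI.SYS", "VDNT32.SYS"}),
    "BOOT32": ({"KEBOOT", "LMMNGR"}, {"BOOT32.SYS", "MEMLOW.SYS"}),
    "MEMLOW": ({"KEBOOT", "LMMNGR"}, {"BOOT32.SYS", "MEMLOW.SYS"}),
}
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"


def find_haxdor_indicators(snapshot):
    """Return a sorted list of (category, detail) hits; an empty list means no match."""
    hits = []
    for path in snapshot.get("system_files", []):
        base = ntpath.basename(path).upper()
        if base in DROPPED:
            hits.append(("dropped_file", base))
        elif base in CONFIG:
            hits.append(("config_or_keylog_file", base))
    # Run-key values whose command launches one of the two self-copy names
    for value, command in snapshot.get("run_values", {}).items():
        if ntpath.basename(command.strip('"')).upper() in {"W32_SS.EXE", "VTD_16.EXE"}:
            hits.append(("run_key", f"{RUN_KEY}\\{value} -> {command}"))
    # Services: flag only when name, display name and image line up as the page describes
    for svc in snapshot.get("services", []):
        expected = SERVICES.get(svc["name"].upper())
        if expected and svc["display"].upper() in expected[0] \
                and ntpath.basename(svc["image"]).upper() in expected[1]:
            hits.append(("service", f"{svc['name']} ({svc['display']}) -> {svc['image']}"))
    return sorted(hits)


# Constructed sample snapshot: one benign entry of each kind plus matching ones
SAMPLE = {
    "system_files": [r"C:\WINDOWS\system32\kernel32.dll",
                     r"C:\WINDOWS\system32\vdnt32.sys", r"C:\WINDOWS\system32\klog.sys"],
    "run_values": {"ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
                   "W32SS": r"C:\WINDOWS\system32\W32_SS.EXE"},
    "services": [{"name": "Spooler", "display": "Print Spooler", "image": "spoolsv.exe"},
                 {"name": "VDNT32", "display": "MEMDRV", "image": r"system32\vdnt32.sys"}],
}

if __name__ == "__main__":
    for category, detail in find_haxdor_indicators(SAMPLE):
        print(f"[{category}] {detail}")
```

Because the stealthing described above can hide these artefacts from a live system, the snapshot is best taken from an offline image or a boot environment rather than from the running host.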
