Troj/Haxdoor-U

Category: Viruses and Spyware
Type: Trojan
Prevalence: No Reports


Troj/Haxdoor-U is a backdoor Trojan that provides unauthorised access to an
infected computer.

Troj/Haxdoor-U attempts to copy itself to the Windows system folder with the
filename W32_SS.EXE and sets the following registry entry so as to run itself
on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\secboot

Troj/Haxdoor-U attempts to drop the following files in the Windows system
folder, each of which is also detected as Troj/Haxdoor-U:

BOOT32.SYS
C3.DLL
C3.SYS
C4.SYS
DEBUG.DLL
SDMAPI.SYS

Troj/Haxdoor-U also attempts to create the following log files:

P2.INI
KLOG.SYS
IN.A3D
PS.A3D

Troj/Haxdoor-U attempts to disable certain antivirus and security programs and
may attempt to prevent itself and its dropped components from being deleted.

Troj/Haxdoor-U sets the following registry entries:

HKLM\SYSTEM\RADMIN\2.0\Parametrs\DisableTrayIcon
HKLM\SYSTEM\CurrentControlSet\Control\Impersonate
HKLM\System\CurrentControlSet\Control\Session Management\EnforceWriteProtection

Troj/Haxdoor-U will try to set some of the following registry entries depending
on what operating system is being run:

HKLM\SYSTEM\CurrentControlSet\Control\MPRServices\TestServices\
DllName = debugg.dll

HKLM\SYSTEM\CurrentControlSet\Control\MPRServices\TestServices\
EntryPoint = MemManager

HKLM\SYSTEM\CurrentControlSet\Control\MPRServices\TestServices\
StackSize = 0

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
debugg\DllName = debugg.dll

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
debugg\Startup = MemManager

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
debugg\Impersonate = 1

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
debugg\Asynchronous = 1

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
debugg\MaxWait = 1

Troj/Haxdoor-U also attempts to create two services in order to run two of the
dropped files on system startup. One service has a Service Name of SDMAPI and a
Display Name of KESDM and runs SDMAPI.SYS. The other service has a Service Name
of BOOT32 and a Display Name of KEBOOT and runs BOOT32.SYS.