BackDoor.Haxdoor.321

Virus description added: 2006-07-26

Virus type: Program of remote administration

Size: 59051 bytes

Affected OS: Win95/98/NT/2k/XP/2k3

Packed by: FSG

Technical information

When backdoor starts, it creates the following files:
%Windir%\System32\seppgs.dll, %Windir%\System32\zq.dll (39972 bytes, packed by UPX, are detected by Dr.Web antivirus as Backdoor.Haxdoor.320)
%Windir%\System32\twpkbd.sys, %Windir%\System32\zq.sys (21856 bytes, packed by UPolyX, are detected by Dr.Web antivirus as Backdoor.Haxdoor.320).

To provide autorun to its modules, backdoor creates the following sections and system registry keys:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\seppgm

Backdoor driver is installed as a service, which gives an opportunity to startup regardless of Windows reboot regime. For these the following keys are created in system registry:

HKLM\SYSTEM\ControlSetXXX\Control\SafeBoot\Minimal\seppgm.sys
HKLM\SYSTEM\ControlSetXXX\Control\SafeBoot\\Control\SafeBoot\Minimal\seppgm.sys
HKLM\SYSTEM\ControlSetXXX\\Control\SafeBoot\Network\seppgm.sys
HKLM\SYSTEM\ControlSetXXX\\Control\SafeBoot\Network\seppgm.sys

Service output names: "TCP x IP2 Kernel" и "TCP x IP2 Kernel32".

File seppgm.dll is injected into the memory of Explorer.exe process and into the memory of all started processes.

To bypass standard firewall Windows XP SP 2 the backdoor creates a key in registry:
HKLM\SYSTEM\ControlSetXXX\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Windir%\Explorer.EXE: "%Windir%\Explorer.EXE:*:Enabled:explorer"

Deletes the following subsections in system registry:
HKLM\SOFTWARE\Agnitum\Outpost Firewall
HKLM\SOFTWARE\Agnitum\Outpost Firewall\Paths

To hide itself in the system, backdoor intercepts the following core functions:
NtCreateProcess
NtCreateProcessEx
NtOpenProcess
NtOpenThread
NtQueryDirectoryFile
NtQuerySystemInformation

Blocks the attempt to connect with files which contain the following strings in domain name:
vp.ch
avp.com
avp.ru
awaps.net
customer.symantec.com
dispatch.mcafee.com
download.mcafee.com
downloads1.kaspersky-labs.com
downloads1.kaspersky-labs.com
downloads1.kaspersky-labs.com
downloads2.kaspersky-labs.com
downloads3.kaspersky-labs.com
downloads4.kaspersky-labs.com
downloads-us1.kaspersky-labs.com
downloads-us2.kaspersky-labs.com
downloads-us3.kaspersky-labs.com
engine.awaps.net
f-secure.com
ftp.avp.ch
ftp.downloads2.kaspersky-labs.com
ftp.f-secure.com
ftp.kasperskylab.ru
ftp.kaspersky.ru
d-ru-1f.kaspersky-labs.com
d-ru-2f.kaspersky-labs.com
d-eu-1f.kaspersky-labs.com
d-eu-2f.kaspersky-labs.com
d-us-1f.kaspersky-labs.com
ftp.sophos.com
ids.kaspersky-labs.com
kaspersky.com
kaspersky-labs.com
liveupdate.symantec.com
liveupdate.symantec.com
liveupdate.symantec.com
liveupdate.symantecliveupdate.com
liveupdate.symantecliveupdate.com
mast.mcafee.com
mcafee.com
my-etrust.com
networkassociates.com
phx.corporate-ir.net
rads.mcafee.com
securityresponse.symantec.com
service1.symantec.com
sophos.com
spd.atdmt.com
symantec.com
trendmicro.com
update.symantec.com
updates.symantec.com
updates1.kaspersky-labs.com
updates1.kaspersky-labs.com
updates2.kaspersky-labs.com
updates3.kaspersky-labs.com
updates3.kaspersky-labs.com
updates4.kaspersky-labs.com
updates5.kaspersky-labs.com
us.mcafee.com
virustotal.com

Finishes such processes:

zapro.exe
vsmon.exe
jamapp.exe
atrack.exe
iamapp.exe
FwAct.exe
mpfagent.exe
outpost.exe
zlclient.exe
mpftray.exe

Contains functions of password stealing for WebMoney system, ICQ-messenger Miranda and Mirabilis ICQ.

Also backdoor has a function of system and accounts parameters stealing for further delivering to malefactor.

TECHNOLOGIES

TERMINOLOGIE

COURS ET EDU

MYTHES

Recommandations pour le traitement

Free trial