Backdoor.Haxdoor.G

VERY LOW
MEDIUM
Size: 23,888 bytes (packed)
Aliases: Backdoor.Win32.Haxdoor.G, BDS/Haxdoor.G, W32/Haxdoor.G!tr.bdr, Win32/Haxdoor.G

Symptoms

1) Presence of the following files:
  • %SystemRoot%\SYSTEM32\status.dll, of size 19,968 bytes
  • %SystemRoot%\SYSTEM32\tage32.sys, of size 13,024 bytes
  • %SystemRoot%\SYSTEM32\snowx.ini, of size 320 bytes
  • %SystemRoot%\SYSTEM32\mprexe.exe, of size 23,888 bytes
2) Presence of the following registry entries:
  - for NT based operating systems (NT 4.0, 2000, XP, 2003):
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\status\ with the following values:
    • DllName = "status.dll"
    • Startup = "CorpseProc"
    • Impersonate = 1
    • Asynchronous = 1
    • MaxWait = 1
  - for Windows 95, 98, ME:
  • HKLM\System\CurrentControlSet\Control\MPRServices\TestService with the following values:
    • DLLName = "status.dll"
    • EntryPoint = "CorpseProc"
    • StackSize = 0x1000
3) Presence of a suspect listening TCP port (16661 by default, if not configured differently).
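A small triage helper for the symptoms listed above, added here as an example and not part of BitDefender's tooling: it parses a registry export and `netstat -an` output supplied as text, and flags the Winlogon Notify (NT) or MPRServices (9x) key that loads status.dll with the CorpseProc entry point, plus a TCP listener on the default port 16661. Key paths are written in the HKEY_LOCAL_MACHINE form that `reg export` produces; the sample artefacts at the bottom are constructed, not real captures.

```python
import re

# Indicators taken from the symptom list above (added example, not Bitdefender code).
NOTIFY_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
              r"\CurrentVersion\Winlogon\Notify\status")
MPR_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MPRServices\TestService"
DEFAULT_PORT = 16661

def parse_reg_export(text):
    """Parse a .reg style export into {key: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip().strip('"')] = data.strip().strip('"')
    return keys

def registry_findings(reg):
    """Flag the Winlogon Notify (NT) or MPRServices (9x) key loading status.dll."""
    hits = []
    for key in (NOTIFY_KEY, MPR_KEY):
        values = {k.lower(): v for k, v in reg.get(key, {}).items()}
        dll = values.get("dllname", "")
        entry = values.get("startup", values.get("entrypoint", ""))
        if dll.lower() == "status.dll" or entry == "CorpseProc":
            hits.append(f"{key}: {dll} -> {entry}")
    return hits

def listener_findings(netstat_text, port=DEFAULT_PORT):
    """Flag a TCP listener on the backdoor's port in `netstat -an` output."""
    pat = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.I)
    return [m.group(0).strip() for m in map(pat.match, netstat_text.splitlines())
            if m and int(m.group(1)) == port]

# Constructed sample artefacts (not real captures) so the checks run offline.
SAMPLE_REG = f"""Windows Registry Editor Version 5.00
[{NOTIFY_KEY}]
"DllName"="status.dll"
"Startup"="CorpseProc"
"""
SAMPLE_NETSTAT = """  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:16661          0.0.0.0:0              LISTENING
"""

def triage(reg_text=SAMPLE_REG, netstat_text=SAMPLE_NETSTAT):
    return registry_findings(parse_reg_export(reg_text)), listener_findings(netstat_text)
```

On a live host, feed it the output of `reg export` for the two keys and of `netstat -an`; a reconfigured backdoor port will not be caught by the default, so pass the port seen in snowx.ini if one is known.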

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Dan Lutas, virus researcher

Technical Description:

    When first executed, the backdoor will drop the files status.dll, tage32.sys, snowx.ini and mprexe.exe (which is a copy of itself) in the %SystemRoot%\SYSTEM32 folder, and add the registry entry
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\status\
with the values:
  • DllName = "status.dll"
  • Startup = "CorpseProc"
  • Impersonate = 1
  • Asynchronous = 1
  • MaxWait = 1
in order to survive reboot (Winlogon loads the DLL named in DllName and calls the Startup entry point at logon, so the backdoor is started without any user action).

    It will register tage32.sys as a service, under the name "NGate service".
    Next, it will load the dropped dynamic link library status.dll. This library is the main component and implements the backdoor functionality. When loaded, status.dll will perform the following:

    It will try to kill the following processes:
  • zapro.exe
  • vsmon.exe
  • jamapp.exe
  • atrack.exe
  • iamapp.exe
  • FwAct.exe
  • Pavproxy.exe
  • outpost.exe

    It will start to capture all keystrokes and save them to the file %SystemRoot%\SYSTEM32\klog.sys.

    It will start a backdoor on the default port 16661 (if not configured differently), listening for connections from the owner.

    It will harvest personal information (login names and passwords) from the cached passwords (using the WNetEnumCachedPasswords function) and send them to the mail address corpse@mailserver.ru.

    When the backdoor receives the 'kill' command from the owner, it will overwrite the files c:\ntdetect.com and %SystemRoot%\SYSTEM32\win.com with a trojanized version that destroys the information on the hard disk. BitDefender detects this threat as Trojan.HDDKill.

    The driver (tage32.sys), loaded as a service, is used by the backdoor to perform the following tasks:
  • kill the processes listed above
  • hide the backdoor process (providing rootkit functionality for the backdoor) by hooking the NtQuerySystemInformation system service
  • obtain access to and read the Security Account Manager (SAM) database, the place where Windows stores the users' passwords