Backdoor:Win32/Haxdoor

Installation

• Clear CMOS settings.
• Destroy disk data.
• Enable or disable the keyboard or floppy drive.
• Act as a rootkit. The rootkit intercepts calls to certain Windows API functions. Win32/Haxdoor uses this method to hide files and ports, hide and prevent termination of Win32/Haxdoor processes, disable firewalls and antivirus software, steal user data (such as data exchanged with certain Web sites), and redirect certain URL-connection user requests. 

Payload

• Reset registry entries, if necessary, to match registry modifications that Win32/Haxdoor makes during installation. The Win32/Haxdoor DLL monitors the trojan registry entries and calls this system driver to restore modified or deleted entries as necessary. 
• Restore Win32/Haxdoor files, if necessary. This system driver may attempt to open files that Win32/Haxdoor drops during installation. If a file-open operation fails, the driver can restore the file using a backup file dropped by Win32/Haxdoor during installation.
• Lock files that Win32/Haxdoor drops at installation so that the files cannot be modified or deleted.

• Inject a remote thread into the explorer.exe process so that the DLL code is loaded into the explorer.exe process address space.
• Call a Win32/Haxdoor system driver to lock the DLLs and system drivers dropped by Win32/Haxdoor so that the files cannot be modified or deleted.
• Monitor the following resources and call a Win32/Haxdoor system driver to restore them if they are modified or deleted:
• DLLs and system driver (.sys) files dropped by Win32/Haxdoor
• Registry entries created by Win32/Haxdoor
• Gather private user data from the infected computer and save it to a file in the Windows system folder. The private data may include information such as the following: host IP address, operating system, user names and passwords of the current user (such as for ICQ and WebMoney Web sites), and the number of Internet Explorer visits to Web sites such as www.ebay.com, www.paypal.com and www.e-gold.com. On a host computer running Windows 95, Windows 98, or Windows ME, the trojan may also gather DNS information and remote-access service (RAS) phone numbers.
• Check for the presence of WinRAR and 7-zip software. The trojan may use this software to archive data to be sent to the attacker through a backdoor that Win32/Haxdoor creates.
• Try to disable certain firewalls and antivirus software.
• Try to inject a remote thread in the following processes: icq.exe, iexplore.exe, mozilla.exe, msn.exe, myie.exe, opera.exe, outlook.exe, thebat.exe. If this operation succeeds, the injected thread may bypass local software firewalls in order to send collected information to a specified e-mail address.
• Log keystrokes and send the keystrokes to an e-mail address. The trojan may create several log files in the Windows system folder to store the logged keystrokes as well as user names and passwords that it collects.
• Drop configuration files in the Windows system folder.
• Open multiple backdoors on specified or randomly-selected ports. Win32/Haxdoor can use its rootkit to hide these backdoors. An attacker may use a Win32/Haxdoor backdoor to perform actions on the host computer such as the following:
• Obtain the host computer name and user name.
• Start and stop a keylogger.
• Connect to a specified IP address to receive attacker commands and send private user data to the attacker.
• Create and delete folders; find, move, create, delete, and execute files.
• Hide, terminate, and change priorities of processes.
• Transfer files, such as downloading files from URLs and sending files through e-mail.
• Modify the registry; read and change various configurations.
• Swap mouse buttons, change the mouse double-click interval, enable or disable the keyboard or floppy disk drive, open or close a CD-ROM drive, play sounds, move the cursor, cause text to appear in windows, draw and display graphics on the desktop, read from and write to the Windows clipboard.
• Monitor all TCP and UDP ports.
• Change the backdoor password, clear CMOS settings, get or set the local system time.
• Log off the current user; restart or shut down Windows.

Additional Information