Backdoor:Win32/Haxdoor.CG

Backdoor:Win32/Haxdoor.CG is an NT-based driver component of Backdoor:Win32/Haxdoor.CN, a rootkit-enabled trojan that gathers private user data and sends it to remote attackers. Upon infection, Backdoor:Win32/Haxdoor.CN creates the following files in the Windows <system> folder:

 

 

Note: The default path of the <system> folder under Windows XP is C:\Windows\System32. Under Windows NT/2000, the default <system> folder path is C:\Winnt\System32, and under Windows 95/98/ME the default path is C:\Windows\System.

 

Backdoor:Win32/Haxdoor.CN sets the date/time stamp of the dropped files to match the date/time stamp of the Windows system file kernel32.dll. To the casual observer, this may make the trojan's files appear to be related to the operating system.

 

Backdoor:Win/32/Haxdoor.CN:

Adds subkey: drct16
To: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
With values:

DllName = drct16.dll
Startup = MeMessager
Impersonate = 1
Asynchronous = 1
MaxWait = 1

Service Name = vdmt16
Service Display Name = VIRTwin
Start Mode = SERVICE_SYSTEM_START

Service Name = winlow
Service Display Name = SCNDmem
Start Mode = SERVICE_AUTO_START

 

Note: The files vdmt16.sys and winlow.sys, and their associated backups, hz.sys and wz.sys, are detected by Microsoft as Backdoor:Win32/Haxdoor.CG.

 

The file vdmt16.sys serves as a rootkit, hiding the mszx23.exe process, hooking into newly created processes, and monitoring for any processes related to certain DLL files associated with known firewalls. If found, the firewall process is terminated. The rootkit component of Backdoor:Win32/Haxdoor.CN hides all files named mszx23.exe, vdmt16.sys, winlow.sys, cz.dll, hz.sys, wz.sys, drct16.dll, redir.a3d, fltr.a3d, i.a3d, tnfl.a3d, p2.ini and klogini.dll and blocks attempts to terminate processes associated with the trojan. Backdoor:Win32/Haxdoor.CN also includes functionality to enable/disable the keyboard and floppy disk driver, clear CMOS settings, and destroy data on the disk by direct I/O operation.

 

The file winlow.sys acts as a resuscitator, resetting all values in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\drct16 to those loaded by the trojan during installation.

 

Additionally, winlow.sys repeatedly tries to open drct16.dll, vdmt16.sys and winlow.sys. If this attempt fails, winlow.sys will restore the original files from the backup files: cz.dll, hz.sys and wz.sys and lock the files to prevent further deletions or modifications.

 

Backdoor:Win32/Haxdoor.CN disables kernel memory write protection by making the following registry modification:

 

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\

EnforceWriteProtection = 0

 

Backdoor:Win32/Haxdoor.CN installs as a service by adding itself to the registry as follows:

Adds subkey: \MPRServices\TestService
To: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\
With values:

DllName = drct16.dll
EntryPoint = MeMessager
StackSize = 0

 

When the file drct16.dll is run, it takes the following actions:

Creates registry value: secboot
with data: <system>\mszx23.exe !!
in registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

 

Backdoor:Win32/Haxdoor.CN patches loaded images of WMCLIENT.DLL in order to intercept data related to WebMoney transactions. Additionally, the trojan patches loaded images of WININET.DLL in order to intercept HTTP requests and hooks into INETMIB1.DLL and IPHLPAPI.DLL to hide specified ports related to the trojan's backdoor.

 

Every 50 seconds, Backdoor:Win32/Haxdoor.CN searches for and terminates processes associated with several known firewalls. In addition, the trojan installs a global keyboard hook (klogini.dll) which tries to log all keystrokes (klo5.sys) associated with pre-defined processes specified in the trojan's configuration files (*.a3d files). The trojan creates a backdoor on compromised systems by binding a port based on information contained in the p2.ini file, listening on that port for a specific password associated with the backdoor component and executing commands from attackers who are successfully able to login through the backdoor.

 

Functional capabilities of the backdoor include the following:

Create a thread to connect back to a client
Hide a process
Change the backdoor's password
Change process priority
Kill process
Find file
Set windows text
Set cursor's position
Disconnect
Enumerate processes
Download file from URL
Transfer file
Execute file
Start key logger
Stop key logger
Read configuration
Change configuration
Delete directory
Create directory
Send a file through email
Get data in clipboard
Set data in clipboard
Delete file
Move file
Create registry key
Delete registry key
Set registry value
Enable or disable keyboard by I/O command
Clear CMOS password
Enable or disable floppy disk by I/O command
Draw something on screen by Direct Draw
Get current user information (user name, machine name, Registered Organization, windows directory path, WinRar or 7-zip path)
Get/set local time
Change mouse double-click time
Swap mouse button
Show picture on desktop
Play sound
Open/close CD-ROM door
Enumerate all windows
Log off/restart/shutdown Windows
Enumerate all TCP/UDP ports

 

Backdoor:Win32/Haxdoor.CN enumerates all subkeys under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Account Manager\Accounts and uses the storage provider interface to get all stored accounts and passwords for the currently logged on user. In addition to gathering Internet account user names and passwords, Backdoor:Win32/Haxdoor.CN captures user names, passwords, and account information from a wide range of chat programs, cached and saved browser transactions, and operating system accounts. Stolen data may include credit card numbers, bank logon credentials, and other user names and passwords. The logged information, including keystrokes captured, may be sent to the attacker via email or may be transmitted via the backdoor.