
Backdoor.Haxdoor.G


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Backdoor.Haxdoor.G is also known as Backdoor.Win32.Haxdoor.G, BDS/Haxdoor.G, W32/Haxdoor.G!tr.bdr, Win32/Haxdoor.G.

Explanation :

When first executed, the backdoor will drop the files status.dll, tage32.sys, snowx.ini and mprexe.exe (which is a copy of itself) in the %SystemRoot%\SYSTEM32 folder, and add the registry entry
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\status
with the values :
DllName = "status.dll"
Startup = "CorpseProc"
Impersonate = 1
Asynchronous = 1
MaxWait = 1
in order to survive reboot.

It will register tage32.sys as a service, under the name "NGate service".
Next, it will load the dropped dynamic link library status.dll. This library represents the main component and implements the backdoor functionality. When loaded, status.dll will perform the following :

It will try to kill the following processes :
zapro.exe, vsmon.exe, jamapp.exe, atrack.exe, iamapp.exe, FwAct.exe, Pavproxy.exe, outpost.exe

Will start to capture all keystrokes and save them to the file
%SystemRoot%\SYSTEM32\klog.sys

Will start a backdoor on default port 16661 (if not configured differently), listening for connections from the owner.

Will harvest personal information (login names and passwords) from the cached passwords (using WNetEnumCachedPasswords function) and will send them to the mail address corpse@mailserver.ru.

When the backdoor receives the 'kill' command from the owner, it will overwrite the files c:\ntdetect.com and %SystemRoot%\SYSTEM32\win.com with a trojanized version that will destroy the information from the hard disk. BitDefender detects this threat as Trojan.HDDKill.

The driver (tage32.sys), loaded as a service, is used by the backdoor to perform the following tasks :
kill the processes listed above
hide the backdoor process (providing rootkit functionality for the backdoor), by hooking the NtQuerySystemInformation system service
obtain access to and read the Security Account Manager (SAM) database - the place where Windows stores the user's passwords
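A read-only host check for the artifacts described above (the dropped files, the Winlogon Notify key, the tage32.sys service and the default backdoor port), added here as an example and not BitDefender's own tooling; the function name is an assumption, and the port check only covers the default 16661, since a reconfigured sample may listen elsewhere.

```powershell
# Added example (not BitDefender's tooling): reports Backdoor.Haxdoor.G
# artifacts on the local host. Read-only; it removes nothing.
function Test-HaxdoorGIndicators {
    $findings = New-Object System.Collections.Generic.List[string]
    $sys32 = Join-Path $env:SystemRoot 'SYSTEM32'

    # 1. Dropped files in %SystemRoot%\SYSTEM32 (mprexe.exe is the copy of
    #    the dropper, klog.sys is the keystroke log written by status.dll)
    foreach ($f in 'status.dll', 'tage32.sys', 'snowx.ini', 'mprexe.exe', 'klog.sys') {
        $p = Join-Path $sys32 $f
        if (Test-Path -LiteralPath $p) { $findings.Add("file present: $p") }
    }

    # 2. Winlogon Notify persistence: subkey 'status' pointing at status.dll
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\status'
    if (Test-Path -LiteralPath $key) {
        $v = Get-ItemProperty -LiteralPath $key
        $findings.Add("Winlogon Notify key: $key (DllName='$($v.DllName)', Startup='$($v.Startup)')")
    }

    # 3. The driver registered as a service: match the display name the
    #    description gives, or any service whose image is tage32.sys
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $s = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
            if ($s.DisplayName -eq 'NGate service' -or $s.ImagePath -match 'tage32\.sys') {
                $findings.Add("service: $($_.PSChildName) -> $($s.ImagePath)")
            }
        }

    # 4. Backdoor listener on the default port (only the default is checked)
    $conn = Get-NetTCPConnection -LocalPort 16661 -State Listen -ErrorAction SilentlyContinue
    foreach ($c in $conn) { $findings.Add("TCP 16661 listening, owning PID $($c.OwningProcess)") }

    return $findings
}

$hits = Test-HaxdoorGIndicators
if ($hits.Count -eq 0) { 'No Backdoor.Haxdoor.G indicators found.' } else { $hits }
```

Run from an elevated PowerShell session so the service keys and connection table are readable; a hit on any item should be followed by a full scan rather than manual cleanup, since the driver hides the backdoor process from process listings.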

Last update 21 November 2011
