
Haxdoor.M


First posted on 13 September 2006.
Source: SecurityHome

Aliases :

Haxdoor.M is also known as Haxdoor-HM, Backdoor.Win32.Haxdoor.hm, Haxdoor-M.

Explanation :

Haxdoor is a powerful backdoor with rootkit capabilities. It hides its presence (processes and files) on an infected system, so it can only be detected by anti-virus software that uses a kernel-mode driver or by a dedicated rootkit detector.

This backdoor has spying capabilities and has lately been used to steal bank-related information (logon names and passwords for online bank accounts) as well as other data.

When the backdoor is executed, it drops the following files (two user-mode DLLs and two kernel drivers) into the Windows System32 folder:

pptp16.dll
pptp24.sys
qz.dll
qz.sys

During the execution, it also creates the following registry keys:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pptp16
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\pptp16.sys
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\pptp24.sys
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\pptp16.sys
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\pptp24.sys

The Winlogon\Notify entry registers pptp16.dll as a Winlogon notification package, so winlogon.exe loads the backdoor whenever a user logs on. The SafeBoot entries whitelist the two drivers so that they are still loaded when Windows is started in Safe Mode. The backdoor also sets the value EnforceWriteProtection to '0' under the key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management

which disables write protection of read-only kernel memory pages and thus lets the rootkit driver patch kernel code and data in place.

After this, it starts the following services, which are also configured to start automatically every time the system boots:
MMX virtualization service
MMX2 virtualization service
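The persistence indicators above (Winlogon notification package, SafeBoot whitelist entries, the EnforceWriteProtection change and the auto-start services) can be checked from a registry export taken from an offline hive. The following Python script is an added example for this writeup, not a tool from the original page: it parses .reg text and reports which of the listed indicators are present. The sample export is constructed; the value names under the Notify key, the service key name pptp24 and the ImagePath are assumptions, only the key paths, the EnforceWriteProtection value and the service display names come from the description.

```python
"""Triage a Windows .reg export for the Haxdoor.M persistence indicators.

Added example for this writeup, not part of the original page. The .reg
text in SAMPLE_REG is CONSTRUCTED; key paths, EnforceWriteProtection and
the service display names are from the description, everything else
(Notify value names, service key name, ImagePath) is an assumption.
"""

# Key paths from the description (registry paths are case-insensitive).
WINLOGON_NOTIFY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pptp16"
SAFEBOOT_KEYS = [
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\pptp16.sys",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\pptp24.sys",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\pptp16.sys",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\pptp24.sys",
]
MEMORY_MANAGEMENT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management"
SERVICE_DISPLAY_NAMES = {"MMX virtualization service", "MMX2 virtualization service"}


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: raw_value}}.

    Only the common forms "name"="string", "name"=dword:xxxxxxxx and @=...
    are handled; that is enough for the indicators checked here.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, raw = line.partition("=")
        name = "@" if name == "@" else name.strip('"')
        keys[current][name] = raw
    return keys


def find_indicators(keys):
    """Return the Haxdoor.M indicators present in a parsed export, in check order."""
    hits = []
    lower = {path.lower(): values for path, values in keys.items()}

    if WINLOGON_NOTIFY.lower() in lower:
        hits.append("winlogon_notify:pptp16")

    for key in SAFEBOOT_KEYS:
        if key.lower() in lower:
            hits.append("safeboot:" + key.split("\\SafeBoot\\")[1])

    # EnforceWriteProtection=0 turns off write protection of kernel pages.
    raw = lower.get(MEMORY_MANAGEMENT.lower(), {}).get("EnforceWriteProtection")
    if raw is not None and raw.lower().startswith("dword:") and int(raw[6:], 16) == 0:
        hits.append("EnforceWriteProtection=0")

    # Services live under ...\CurrentControlSet\Services\<key>; match on DisplayName.
    for path, values in lower.items():
        if "\\currentcontrolset\\services\\" in path:
            display = values.get("DisplayName", "").strip('"')
            if display in SERVICE_DISPLAY_NAMES:
                hits.append("service:" + display)
    return hits


# CONSTRUCTED sample export of an infected system (assumed value names/paths).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pptp16]
"DllName"="pptp16.dll"
"Startup"="WlxStartupEvent"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\pptp16.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"EnforceWriteProtection"=dword:00000000
"ClearPageFileAtShutdown"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pptp24]
"DisplayName"="MMX2 virtualization service"
"Start"=dword:00000002
"ImagePath"="system32\\pptp24.sys"
"""

if __name__ == "__main__":
    for hit in find_indicators(parse_reg_export(SAMPLE_REG)):
        print(hit)
```

Because the rootkit hides its own keys and files from user-mode tools, run this against an export produced from an offline hive (system booted from clean media, or the hive file loaded on an analysis machine) rather than against `reg export` output from the live, infected system.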

Haxdoor is mainly used to commit financial fraud and theft, most of it aimed at Internet Explorer users. It targets several banks and financial services worldwide, both stealing account information and performing pharming (redirecting the user to a fraudulent copy of the bank's site).
The following list is a sample of the targeted banks and services:
Alliance-leicester
Barclays
Cajamadrid
Deutsche-bank
E-Bullion
Firepay
Halifax
Lloyds
Mastercard
Paypal
Wellsfargo
Westernunion
Yambo Financials

The backdoor also features a generic mechanism for stealing account information from sites that are not on its target list.

In addition, Haxdoor.M redirects traffic destined for several security-vendor websites to a Microsoft website, which prevents anti-virus updates and downloads of removal tools from those vendors. The list of redirected hostnames:
avp.ch
avp.com
avp.ru
awaps.net
customer.symantec.com
d-eu-1f.kaspersky-labs.com
d-eu-2f.kaspersky-labs.com
dispatch.mcafee.com
download.mcafee.com
downloads1.kaspersky-labs.com
downloads2.kaspersky-labs.com
downloads3.kaspersky-labs.com
downloads4.kaspersky-labs.com
downloads-us1.kaspersky-labs.com
downloads-us2.kaspersky-labs.com
downloads-us3.kaspersky-labs.com
d-ru-1f.kaspersky-labs.com
d-ru-2f.kaspersky-labs.com
d-us-1f.kaspersky-labs.com
engine.awaps.net
f-secure.com
ftp.avp.ch
ftp.downloads2.kaspersky-labs.com
ftp.f-secure.com
ftp.kaspersky.ru
ftp.kasperskylab.ru
ftp.sophos.com
ids.kaspersky-labs.com
kaspersky.com
kaspersky-labs.com
liveupdate.symantec.com
liveupdate.symantecliveupdate.com
mast.mcafee.com
mcafee.com
my-etrust.com
networkassociates.com
phx.corporate-ir.net
rads.mcafee.com
securityresponse.symantec.com
service1.symantec.com
sophos.com
spd.atdmt.com
symantec.com
trendmicro.com
update.symantec.com
updates.symantec.com
updates1.kaspersky-labs.com
updates2.kaspersky-labs.com
updates3.kaspersky-labs.com
updates4.kaspersky-labs.com
updates5.kaspersky-labs.com
us.mcafee.com
virustotal.com
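The redirection above has a simple observable symptom: hostnames of many unrelated security vendors all resolve to one address. The description does not say by which mechanism the redirect is done (hosts file, DNS tampering or hooks in the driver), so the following added Python example, which is not part of the original writeup, works on observed name resolutions rather than on a specific artefact. The resolution table is constructed; 203.0.113.10 stands in for the address of the Microsoft site and the watchlist is a subset of the hostnames listed above.

```python
"""Detect security-vendor hostnames collapsing onto a single address.

Added example for this writeup, not part of the original page. RESOLUTIONS
is CONSTRUCTED sample data (documentation-range addresses); the watchlist
is a subset of the redirected hostnames from the description.
"""
import socket

WATCHLIST = [
    "avp.com", "customer.symantec.com", "download.mcafee.com", "f-secure.com",
    "kaspersky.com", "liveupdate.symantec.com", "sophos.com", "trendmicro.com",
    "virustotal.com",
]


def registrable_domain(host):
    """Crude eTLD+1: the last two labels. Good enough for the .com/.net/.ru/.ch
    names on the page; use a public-suffix list for anything more general."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def find_collapsed_resolutions(resolutions, watchlist, min_domains=3):
    """Group watched hostnames by the address they resolve to.

    resolutions: {hostname: [ip, ...]} as observed on the host under test.
    Returns {ip: sorted distinct vendor domains} for every address shared by
    at least min_domains distinct vendors. Several hosts of one vendor
    (customer.symantec.com, liveupdate.symantec.com) count once, so a
    vendor legitimately serving all its hosts from one address is not flagged.
    """
    watch = {h.lower() for h in watchlist}
    by_ip = {}
    for host, ips in resolutions.items():
        if host.lower() not in watch:
            continue
        for ip in ips:
            by_ip.setdefault(ip, set()).add(registrable_domain(host))
    return {ip: sorted(domains) for ip, domains in by_ip.items()
            if len(domains) >= min_domains}


def gather(hosts):
    """Resolve each hostname through the local resolver, i.e. what a program on
    this machine actually gets. Unresolvable names are recorded as []."""
    out = {}
    for host in hosts:
        try:
            out[host] = socket.gethostbyname_ex(host)[2]
        except socket.gaierror:
            out[host] = []
    return out


# CONSTRUCTED observation from an infected host: six hosts of five vendors all
# resolve to 203.0.113.10; trendmicro.com is left unredirected in this sample.
RESOLUTIONS = {
    "avp.com": ["203.0.113.10"],
    "customer.symantec.com": ["203.0.113.10"],
    "liveupdate.symantec.com": ["203.0.113.10"],
    "download.mcafee.com": ["203.0.113.10"],
    "f-secure.com": ["203.0.113.10"],
    "virustotal.com": ["203.0.113.10"],
    "trendmicro.com": ["198.51.100.7"],
    "example.org": ["203.0.113.10"],  # not on the watchlist, ignored
}

if __name__ == "__main__":
    for ip, domains in find_collapsed_resolutions(RESOLUTIONS, WATCHLIST).items():
        print(ip, "<-", ", ".join(domains))
    # Live check of this machine (requires network access):
    # print(find_collapsed_resolutions(gather(WATCHLIST), WATCHLIST))
```

Confirm a hit by resolving the same names from a known-clean host and by comparing the flagged address with what the Microsoft site resolves to. Unrelated vendors can legitimately share a CDN edge, so the threshold is a triage signal, not proof; and on an infected system the resolver's answers may themselves be manipulated by the rootkit, which is exactly the condition this check is meant to surface.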

Additionally, the backdoor can steal the following e-mail account details:
IMAP password
IMAP server name
IMAP user name
POP3 password
POP3 server name
POP3 user name

Haxdoor.M also retains the functionality of earlier Haxdoor variants.

Last update 13 September 2006
