Home / malware Backdoor:W32/Haxdoor.KG
First posted on 15 June 2010.
Source: SecurityHomeAliases :
There are no other names known for Backdoor:W32/Haxdoor.KG.
Explanation :
A remote administration utility which bypasses normal security mechanisms to secretly control a program, computer or network.
Additional DetailsHaxdoor.KG is a powerful backdoor with rootkit capabilities. It can hide its presence, processes and files, on an infected system so that it can be only detected using either an anti-virus application with kernel drivers or a rootkit detector. (See F-Secure BlackLight.)
This backdoor has spying capabilities and it has lately been used to steal logon credentials and passwords.
Installation
When Haxdoor.KG is executed, it drops the following files into the Windows System32 folder:
€ qo.dll € qo.sys € ycsvgd.sys € ydsvgd.dll € ydsvgd.sys
Haxdoor.KG injects itself to the following applications:
€ explorer.exe € icq.exe € iexplore.exe € mozilla.exe € msn.exe € opera.exe € outlook.exe € thebat.exe
In addition to this, Haxdoor.KG will block the connection of the following security-related websites.
€ avp.ch € avp.com € avp.ru € awaps.net € customer.symantec.com € dispatch.mcafee.com € download.mcafee.com € engine.awaps.net € f-secure.com € ftp.kaspersky.ru € ftp.sophos.com € kaspersky.com € kaspersky.ru € kaspersky-labs.com € liveupdate € liveupdate.symantec.com € mast.mcafee.com € mcafee.com.my-etrust.com € networkassociates.com € phx.corporate-ir.net € rads.mcafee.com € securityresponse.symantec.com € service1.symantec.com € sophos.com. € spd.atdmt.com € symantec.com € symantecliveupdate.com € trendmicro.com € u2.eset.com € update.symantec.com € updates.drweb-online.com € updates.symantec.com € us.mcafee.com € virustotal.com
Haxdoor.KG also terminates the following security-related processes:
€ atrack.exe € FwAct.exe € iamapp.exe € jamapp.exe € mpfagent.exe € mpftray.exe € outpost.exe € vsmon.exe € zapro.exe € zlclient.exe
It acquires passwords stored in Protected Storage. This is done using a single API call. Below are passwords stored in Protected Storage:
€ Deleted Outlook account passwords € Internet Explorer auto-complete Fields in WIn 9x for dialup cached passwords € Internet Explorer auto-complete passwords € Internet Explorer password-protected sites passwords € MSN Explorer signup passwords € Outlook passwords
It also steals the following Outlook Express logon credentials:
€ IMAP password € IMAP server name € IMAP user name € POP3 password € POP3 server name € POP3 user name
Activity
Haxdoor.KG rips logon credentials used for the The Bat! e-mail client. It will query the install directory of The Bat! in the registry. When the directory is found, it will search for the file account.cfg on the said install directory of the The Bat!. This is a very old known issue in The Bat! e-mail client, where logon credentials are saved as plain text in the account.cfg file.
This backdoor can also steal cached, Miranda ICQ, Mirabilis ICQ, Webmoney and MDialer passwords and as well as MDialer and RAS phone numbers and other info related to RAS (username, password, domain, DNS settings).
Like other Haxdoor Variants, this backdoor can steal logon credentials from the following online payment systems:
€ e-bay € e-gold € paypal
The backdoor can also connect to a website with a specially constructed URL to notify a hacker. All of the passwords stolen will be sent to:
€ http://grci.info
- through an HTTP POST request.
Below are the log files of data packets used and saved in Windows System folder.
€ gsgva.bin € kgctini.dat € mnsvga.bin € tnstt.exd € ttsvga.dat € wmx.exd
The passwords collected will be encrypted using simple XOR routine and will be saved to the following file on Windows System directory:
€ lps.dat
Haxdoor.KG opens TCP port 16661 so that a remote hacker can connect to the compromised machine.
Before the remote hacker can perform any malicious actions on the compromised machine, he should first give a password. When the correct password is entered, he will receive the text string: "A-311 Death welcome".
Below are the commands that a remote hacker can perform:
€ Add/Delete registry keys/values € Close the connection € Copy/Delete clipboard data € Create a snapshot of the desktop € Create directory € Create a file € Delete a file € Disable the floppy disk drive € Execute a file € Find file € Get local drive info € Get/Set machine's time € Get/Set mouse double-click interval time € Get/Set mouse pointer location € Hide processes € Hide/Disable/Enable the system clock, Start button, system tray and the Desktop € Key-logging € Kill process € Kill processes € Logs off the infected user € Modify Internet Explorer's settings (e.g. Default Search Page, Start Page, Home Page) € Move a file € Open/Close the CD-Rom tray € Play a sound file € Remove the backdoor service € Send e-mail € Swap the mouse buttons € Update the malware from the hacker's specified site
Registry
During installation, it creates the following registry key for its auto-start mechanism:
€ [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ydsvgd]
Haxdoor.KG creates the following registry keys so that even during a Safe Mode boot the malware will run:
€ [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ycsvgd.sys] € [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ycsvgd.sys]
The HKLM modification allows the backdoor to start when a user logs on. It also sets to '0' the value EnforceWriteProtection under the key:
€ [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management]
This will disable the kernel's memory write protection for the computer.
This malware also disables Firewall services by deleting the following registry values:
€ [HKLM\SYSTEM\CurrentControlSet\Control\Services\SharedAccess]
"Start" € [HKLM\SYSTEM\CurrentControlSet\Control\Services\wscsvc]
"Start" € [HKLM\SYSTEM\CurrentControlSet\Control\Services\VFILT]
"Start"
Note: wscsvc and ShareAccess is for Windows Firewall service and VFILT is for Outpost Firewall
After this, it will start the following services that will also be automatically started every time that the system is booted:
€ NDI OSI Service € NDI OSI32 Service DetectionF-Secure Anti-Virus detects this malware with the following updates:
[FSAV_Database_Version]
Version = 2006-08-16_01.Last update 15 June 2010