Home / malware

PDF

Backdoor:Win32/Havex.B

First posted on 01 July 2014.
Source: Microsoft

Aliases :

There are no other names known for Backdoor:Win32/Havex.B.

Explanation :

Threat behavior

Installation

Backdoor:Win32/Havex.B copies itself to \svcprocess044.dll. The malware changes the following registry entries so that it runs each time you start your PC:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "svcprocess"
With data: "rundll32 "c:\windows\system32\svcprocess044.dll", rundllentry" The malware creates the following files on your PC:

• c:\documents and settings\administrator\local settings\temp\qln.dbx

The malware uses code injection to make it harder to detect and remove. It can inject code into running processes, including the following:

• explorer.exe

Payload

Allows backdoor access and control

Backdoor:Win32/Havex.B gives a hacker access and control of your PC. They can then perform a number of different actions, including:

• Downloading and running files
• Uploading files
• Spreading malware to other PCs
• Logging your keystrokes or stealing your sensitive data
• Modifying your system settings
• Running or stopping applications
• Deleting files

This malware description was produced and published using automated analysis of file SHA1 9f19c2ffd46603aac7e82a6c6f86d4fcc56b1d2d.Symptoms

System changes

The following could indicate that you have this threat on your PC:

• You have these files:
  
  \svcprocess044.dll
  c:\documents and settings\administrator\local settings\temp\qln.dbx

• You see these entries or keys in your registry:
  
  Sets value: "svcprocess"
  With data: "rundll32 "c:\windows\system32\svcprocess044.dll", rundllentry"
  In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Last update 01 July 2014

 

TOP