Haxdoor.KG is a powerful backdoor with rootkit capabilities. It can hide its presence, including its processes and files, on an infected system, so that it can only be detected with either an anti-virus application that uses kernel drivers or a rootkit detector.
This backdoor has spying capabilities and it has lately been used to steal logon credentials and passwords.
Based on the settings of your F-Secure security product, it will either move the file to quarantine, where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
When Haxdoor.KG is executed, it drops the following files into the Windows System32 folder:
During execution, it creates the following registry key for its auto-start mechanism:
Haxdoor.KG creates the following registry keys so that even during a Safe Mode boot the malware will run:
The HKLM modification allows the backdoor to start when a user logs on. It also sets the EnforceWriteProtection value to '0' under the key:
This disables the kernel's memory write protection on the computer.
This malware also disables Firewall services by deleting the following registry values:
Note: wscsvc and ShareAccess are for the Windows Firewall service, and VFILT is for Outpost Firewall.
After this, it starts the following services, which will also be started automatically every time the system boots:
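The two registry changes described above (EnforceWriteProtection forced to 0, and the firewall-related values removed) are the kind of thing an incident responder checks in a registry export. The following Python script is an added example and is not part of the F-Secure description: it parses a .reg export and reports both conditions. The export text is constructed; the Session Manager\Memory Management path is the standard Windows location of EnforceWriteProtection (assumed here, since the description omits the key), and the key holding the firewall values is an explicitly labelled placeholder because the description does not name it.

```python
"""Triage a .reg export for Haxdoor.KG-style registry tampering (added example)."""
import re
from typing import Dict, Iterable, List, Set, Union

RegValue = Union[int, str]
RegSnapshot = Dict[str, Dict[str, RegValue]]

# Constructed sample export. The Memory Management path is the real Windows
# location of EnforceWriteProtection (assumption; the description omits the key).
# The second key is a placeholder for wherever the firewall values live.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"EnforceWriteProtection"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\EXAMPLE_PLACEHOLDER\FirewallEntries]
"VFILT"="present"
"""

# Value names the description says the malware deletes.
FIREWALL_VALUES = {"wscsvc", "ShareAccess", "VFILT"}
PLACEHOLDER_FIREWALL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\EXAMPLE_PLACEHOLDER\FirewallEntries"

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote inside quoted strings.
    return s.replace('\\"', '"').replace("\\\\", "\\")


def decode_data(data: str) -> RegValue:
    """Decode the right-hand side of a .reg value line (dword and string only)."""
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])
    return data  # hex:, hex(2): etc. are kept raw; not needed for these checks


def parse_reg(text: str) -> RegSnapshot:
    """Parse a .reg export into {key_path: {value_name: data}}."""
    snapshot: RegSnapshot = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            snapshot.setdefault(current, {})
            continue
        if current is None:
            continue
        if line.startswith("@="):               # default value
            name, data = "", line[2:]
        else:
            m = VALUE_RE.match(line)
            if not m:
                continue
            name, data = _unescape(m.group(1)), m.group(2)
        snapshot[current][name] = decode_data(data)
    return snapshot


def write_protection_disabled(snapshot: RegSnapshot) -> List[str]:
    """Keys under which EnforceWriteProtection is set to 0 (the Haxdoor.KG change)."""
    return [key for key, values in snapshot.items()
            if values.get("EnforceWriteProtection") == 0]


def missing_values(snapshot: RegSnapshot, key: str, expected: Iterable[str]) -> Set[str]:
    """Expected value names that are absent under `key` (deleted firewall entries)."""
    return set(expected) - set(snapshot.get(key, {}))


if __name__ == "__main__":
    snap = parse_reg(SAMPLE_REG)
    for key in write_protection_disabled(snap):
        print("EnforceWriteProtection=0 under", key)
    for name in sorted(missing_values(snap, PLACEHOLDER_FIREWALL_KEY, FIREWALL_VALUES)):
        print("firewall value missing:", name)
```

On a real case, replace SAMPLE_REG with the text of an export taken with reg.exe or Registry Editor and point missing_values at the key your own analysis identified; the parser deliberately leaves hex:-encoded data raw because neither check needs it.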
Haxdoor.KG injects itself into the following applications:
In addition, Haxdoor.KG blocks connections to the following security-related websites:
Haxdoor.KG also terminates the following security-related processes:
It acquires passwords stored in Protected Storage, which takes a single API call. Below are the passwords stored in Protected Storage:
It also steals the following Outlook Express logon credentials:
Haxdoor.KG steals the logon credentials used by The Bat! email client. It queries the registry for the install directory of The Bat! and, once found, searches that directory for the file account.cfg. This is a long-known issue in The Bat! email client: logon credentials are saved as plain text in the account.cfg file.
This backdoor can also steal cached passwords, Miranda ICQ, Mirabilis ICQ, Webmoney and MDialer passwords, as well as MDialer and RAS phone numbers and other RAS information (username, password, domain, DNS settings).
Like other Haxdoor variants, this backdoor can steal logon credentials for the following online payment systems:
The backdoor can also connect to a website with a specially constructed URL to notify the hacker. All of the stolen passwords are sent to:
- through an HTTP POST request.
Below are the log files of captured data packets, saved in the Windows System folder.
The collected passwords are encrypted with a simple XOR routine and saved to the following file in the Windows System directory:
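Because the log is protected only by a simple XOR routine, an analyst who recovers the file from an infected system can usually read it without the key. The script below is an added example, not part of the F-Secure description: it shows the two standard recovery approaches, brute-forcing a single-byte key by scoring how much of the result looks like a credential log, and recovering a short repeating key from a known fragment ("crib") such as a field name. The log contents, the field layout and both keys are constructed for the example; the description does not document the real file format or key.

```python
"""Recovering a credential log encrypted with a simple XOR routine (added example)."""
import string
from typing import List, Optional, Tuple

# Characters expected in a credential log; used to score candidate decryptions.
ALLOWED = set((string.ascii_letters + string.digits + " =.@-_\r\n").encode())

# Constructed sample plaintext (field names and values are invented; the real
# Haxdoor.KG log layout is not documented in the description).
SAMPLE_LOG = (
    b"site=bank.example.test\r\n"
    b"user=alice\r\n"
    b"pass=hunter2\r\n"
    b"site=mail.example.test\r\n"
    b"user=Bob\r\n"
    b"pass=letmein99\r\n"
)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def log_score(data: bytes) -> float:
    """Fraction of bytes that belong to the character set of a plausible log."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in ALLOWED) / len(data)


def brute_force_single_byte(ciphertext: bytes) -> Tuple[int, bytes]:
    """Try all 256 single-byte keys and return the best-scoring key and plaintext."""
    best_key = max(range(256),
                   key=lambda k: log_score(xor_bytes(ciphertext, bytes([k]))))
    return best_key, xor_bytes(ciphertext, bytes([best_key]))


def recover_repeating_key(ciphertext: bytes, crib: bytes, key_len: int,
                          threshold: float = 0.95) -> Optional[bytes]:
    """Slide a known plaintext fragment over the ciphertext; each position implies
    key bytes, which must be self-consistent and must decrypt the whole file to
    something that scores above `threshold`. Needs len(crib) >= key_len."""
    for off in range(len(ciphertext) - len(crib) + 1):
        key: List[Optional[int]] = [None] * key_len
        consistent = True
        for j, p in enumerate(crib):
            pos = (off + j) % key_len
            k = ciphertext[off + j] ^ p
            if key[pos] is None:
                key[pos] = k
            elif key[pos] != k:
                consistent = False
                break
        if not consistent or any(k is None for k in key):
            continue
        candidate = bytes(k for k in key if k is not None)
        if log_score(xor_bytes(ciphertext, candidate)) >= threshold:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed keys standing in for whatever the malware really uses.
    single = xor_bytes(SAMPLE_LOG, bytes([0x5A]))
    key, plaintext = brute_force_single_byte(single)
    print(f"single-byte key 0x{key:02x} ->", plaintext.decode().splitlines()[0])

    repeating = xor_bytes(SAMPLE_LOG, b"k9")
    found = recover_repeating_key(repeating, b"user=", key_len=2)
    print("repeating key", found, "->", xor_bytes(repeating, found).decode().splitlines()[1])
```

If the key length is unknown, call recover_repeating_key with each plausible length in turn; the self-consistency check rejects most wrong lengths before the score is even computed.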
Haxdoor.KG opens TCP port 16661 so that a remote hacker can connect to the compromised machine.
Before the remote hacker can perform any malicious actions on the compromised machine, he must first supply a password. When the correct password is entered, he receives the text string: "A-311 Death welcome".
Below are the commands that a remote hacker can issue:
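The two facts above, a listener on TCP port 16661 and the fixed "A-311 Death welcome" string sent back to a connecting client, are the host and network indicators a defender can check. The following Python script is an added example, not part of the F-Secure description: it parses netstat -ano style output to find sockets on port 16661, and flags a captured session in which the compromised host sends the banner. The netstat lines, the session transcript and the password in it are constructed; the real password is not given in the description. Note that the rootkit component may hide the process from tools run on the infected machine, so the socket check is most reliable from outside, for example by a network scan or a capture on a span port.

```python
"""Host and network indicators for Haxdoor.KG (added example)."""
from dataclasses import dataclass
from typing import List, Sequence, Tuple

HAXDOOR_PORT = 16661                     # from the description
HAXDOOR_BANNER = b"A-311 Death welcome"  # from the description

# Constructed `netstat -ano` style output; addresses are documentation ranges.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:16661          0.0.0.0:0              LISTENING       1337
  TCP    192.0.2.10:16661       198.51.100.7:41022     ESTABLISHED     1337
  TCP    192.0.2.10:49321       192.0.2.1:445          ESTABLISHED     4
  UDP    0.0.0.0:500            *:*                                    1104
"""

# Constructed session as seen from the compromised host: "in" is data from the
# remote client, "out" is data sent back. The password is a placeholder.
SAMPLE_SESSION: List[Tuple[str, bytes]] = [
    ("in", b"PLACEHOLDER_PASSWORD\r\n"),
    ("out", b"A-311 Death welcome\r\n"),
]


@dataclass
class Socket:
    proto: str
    local_ip: str
    local_port: int
    remote: str
    state: str
    pid: int


def split_endpoint(endpoint: str) -> Tuple[str, int]:
    """Split 'host:port' (IPv6 hosts are bracketed); non-numeric ports give -1."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port) if port.isdigit() else -1


def parse_netstat(text: str) -> List[Socket]:
    """Parse the TCP/UDP rows of Windows netstat -ano output."""
    rows: List[Socket] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            proto, local, remote, state, pid = parts
        elif len(parts) == 4 and parts[0] == "UDP":      # UDP rows have no state column
            proto, local, remote, pid = parts
            state = ""
        else:
            continue
        ip, port = split_endpoint(local)
        rows.append(Socket(proto, ip, port, remote, state, int(pid)))
    return rows


def haxdoor_sockets(text: str) -> List[Socket]:
    """TCP sockets bound to the Haxdoor.KG port, listening or already connected."""
    return [s for s in parse_netstat(text)
            if s.proto == "TCP" and s.local_port == HAXDOOR_PORT]


def session_is_haxdoor(messages: Sequence[Tuple[str, bytes]]) -> bool:
    """True if the host side of a session sends the backdoor's welcome banner.
    Direction matters: the banner travels from the compromised host outward."""
    return any(direction == "out" and HAXDOOR_BANNER in payload
               for direction, payload in messages)


if __name__ == "__main__":
    for s in haxdoor_sockets(NETSTAT_SAMPLE):
        print(f"PID {s.pid}: {s.proto} {s.local_ip}:{s.local_port} {s.state} <- {s.remote}")
    print("banner seen in sample session:", session_is_haxdoor(SAMPLE_SESSION))
```

The same banner match translates directly into an IDS content rule on traffic from port 16661, which catches the backdoor in use even when the rootkit hides the listening process locally.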