Haxdoor.KG

Classification

Category :

Trojan

Type :

Backdoor

Aliases :

Haxdoor.KG, Haxdoor.KG

Summary

Haxdoor.KG is a powerful backdoor with rootkit capabilities. It can hide its presence, processes and files, on an infected system so that it can be only detected using either an anti-virus application with kernel drivers or a rootkit detector.

This backdoor has spying capabilities and it has lately been used to steal logon credentials and passwords.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

When Haxdoor.KG is executed, it drops the following files into the Windows System32 folder:

  • qo.dll
  • qo.sys
  • ycsvgd.sys
  • ydsvgd.dll
  • ydsvgd.sys

During the execution, it creates the following registry key for its auto-start mechanism:

  • [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ydsvgd]

Haxdoor.KG creates the following registry keys so that even during a Safe Mode boot the malware will run:

  • [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ycsvgd.sys]
  • [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ycsvgd.sys]

The HKLM modification allows the backdoor to start when a user logs on. It also sets to '0' the value EnforceWriteProtection under the key:

  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management]

This will disable the kernel's memory write protection for the computer.

This malware also disables Firewall services by deleting the following registry values:

  • [HKLM\SYSTEM\CurrentControlSet\Control\Services\SharedAccess]"Start"
  • [HKLM\SYSTEM\CurrentControlSet\Control\Services\wscsvc]"Start"
  • [HKLM\SYSTEM\CurrentControlSet\Control\Services\VFILT]"Start"

Note: wscsvc and ShareAccess is for Windows Firewall service and VFILT is for Outpost Firewall

After this, it will start the following services that will also be automatically started every time that the system is booted:

  • NDI OSI Service
  • NDI OSI32 Service

Haxdoor.KG injects itself to the following applications:

  • explorer.exe
  • icq.exe
  • iexplore.exe
  • mozilla.exe
  • msn.exe
  • opera.exe
  • outlook.exe
  • thebat.exe

In addition to this, Haxdoor.KG will block the connection of the following security-related websites.

  • avp.ch
  • avp.com
  • avp.ru
  • awaps.net
  • customer.symantec.com
  • dispatch.mcafee.com
  • download.mcafee.com
  • engine.awaps.net
  • f-secure.com
  • ftp.kaspersky.ru
  • ftp.sophos.com
  • kaspersky.com
  • kaspersky.ru
  • kaspersky-labs.com
  • liveupdate
  • liveupdate.symantec.com
  • mast.mcafee.com
  • mcafee.com.my-etrust.com
  • networkassociates.com
  • phx.corporate-ir.net
  • rads.mcafee.com
  • securityresponse.symantec.com
  • service1.symantec.com
  • sophos.com.
  • spd.atdmt.com
  • symantec.com
  • symantecliveupdate.com
  • trendmicro.com
  • u2.eset.com
  • update.symantec.com
  • updates.drweb-online.com
  • updates.symantec.com
  • us.mcafee.com
  • virustotal.com

Haxdoor.KG also terminates the following security-related processes:

  • atrack.exe
  • FwAct.exe
  • iamapp.exe
  • jamapp.exe
  • mpfagent.exe
  • mpftray.exe
  • outpost.exe
  • vsmon.exe
  • zapro.exe
  • zlclient.exe

It acquires passwords stored in Protected Storage. This is done using a single API call. Below are passwords stored in Protected Storage:

  • Deleted Outlook account passwords
  • Internet Explorer auto-complete Fields in WIn 9x for dialup cached passwords
  • Internet Explorer auto-complete passwords
  • Internet Explorer password-protected sites passwords
  • MSN Explorer signup passwords
  • Outlook passwords

It also steals the following Outlook Express logon credentials:

  • IMAP password
  • IMAP server name
  • IMAP user name
  • POP3 password
  • POP3 server name
  • POP3 user name

Haxdoor.KG rips logon credentials used for the The Bat! email client. It will query the install directory of The Bat! in the registry. When the directory is found, it will search for the file account.cfg on the said install directory of the The Bat!. This is a very old known issue in The Bat! email client, where logon credentials are saved as plain text in the account.cfg file.

This backdoor can also steal cached, Miranda ICQ, Mirabilis ICQ, Webmoney and MDialer passwords and as well as MDialer and RAS phone numbers and other info related to RAS (username, password, domain, DNS settings).

Like other Haxdoor Variants, this backdoor can steal logon credentials from the following online payment systems:

  • e-bay
  • e-gold
  • paypal

The backdoor can also connect to a website with a specially constructed URL to notify a hacker. All of the passwords stolen will be sent to:

  • http://grci.info

- through an HTTP POST request.

Below are the log files of data packets used and saved in Windows System folder.

  • gsgva.bin
  • kgctini.dat
  • mnsvga.bin
  • tnstt.exd
  • ttsvga.dat
  • wmx.exd

The passwords collected will be encrypted using simple XOR routine and will be saved to the following file on Windows System directory:

  • lps.dat

Haxdoor.KG opens TCP port 16661 so that a remote hacker can connect to the compromised machine.

Before the remote hacker can perform any malicious actions on the compromised machine, he should first give a password. When the correct password is entered, he will receive the text string: "A-311 Death welcome".

Below are the commands that a remote hacker can perform:

  • Add/Delete registry keys/values
  • Close the connection
  • Copy/Delete clipboard data
  • Create a snapshot of the desktop
  • Create directory
  • Create a file
  • Delete a file
  • Disable the floppy disk drive
  • Execute a file
  • Find file
  • Get local drive info
  • Get/Set machine's time
  • Get/Set mouse double-click interval time
  • Get/Set mouse pointer location
  • Hide processes
  • Hide/Disable/Enable the system clock, Start button, system tray and the Desktop
  • Key-logging
  • Kill process
  • Kill processes
  • Logs off the infected user
  • Modify Internet Explorer's settings (e.g. Default Search Page, Start Page, Home Page)
  • Move a file
  • Open/Close the CD-Rom tray
  • Play a sound file
  • Remove the backdoor service
  • Send email
  • Swap the mouse buttons
  • Update the malware from the hacker's specified site