Haxdoor is a large family of combined backdoor and rootkit trojans. It was first found as early as 2003 but is still being distributed at the time of writing.
The malware is produced by a creation kit sold on the Internet, which lets attackers easily build custom variants. At least several hundred variants exist.
Typical Installation
The trojan is installed via malicious web pages or spammed out as an email attachment. Once run, it usually copies several components to the %SYSTEM% folder and registers one of them as a service. It then modifies registry keys so that specific functions exported by that service's components are called at startup and logon.
Example:
File system changes:
Creates file %TEMP%\10320054.gif.
Creates file %SYSTEM%\dvb03a.dll.
Creates file %SYSTEM%\qo.dll.
Creates file %SYSTEM%\dvb06a.sys.
Creates file %SYSTEM%\qo.sys.
Creates file %SYSTEM%\dvb03a.sys.
Deletes file lps.dat.
Registry changes:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dvb03a
DllName=dvb03a.dll
Startup=DVBz637890
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dvb06a.sys ""=Driver
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dvb06a.sys ""=Driver
HKLM\System\CurrentControlSet\Services\dvb06a
ImagePath=%SYSTEM%\dvb06a.sys
DisplayName=WDVB 05
In this example the malware uses the name dvb06a, but the names vary between variants. An installation will usually include at least one driver (*.SYS) and one library (*.DLL), dropped by an executable (*.EXE).
Once installed, the malware components will typically neither be visible in the process list nor as files on disk, and special tools or rootkit-aware antimalware utilities are needed to uncover their presence.
The variables %SITE% and %SYSTEM% refer to the specific web sites used and to the Windows System folder, respectively.
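The three persistence points shown in the example (a Winlogon Notify package, SafeBoot Minimal/Network driver entries, and the backing service) can be enumerated and cross-checked against the file system from an elevated PowerShell session. This is an added example, not code from the original page or from any vendor tool; it assumes nothing about the file names, since each variant picks its own (dvb03a/dvb06a here), and reports every entry it finds so that the analyst can filter.

```powershell
# Added example: list Winlogon Notify, SafeBoot and Services persistence entries
# and check whether each referenced file is visible on disk and signed.
function Resolve-ReferencedFile {
    param([string]$Path, [string]$Base)
    $p = [Environment]::ExpandEnvironmentVariables($Path).Trim('"')
    $p = $p -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $Base $p }
    $onDisk = Test-Path -LiteralPath $p
    # A file the registry points at but the file system cannot see matches the
    # rootkit behaviour described above (or a half-removed installation).
    $sig = if ($onDisk) { (Get-AuthenticodeSignature -LiteralPath $p).Status } else { 'missing' }
    [pscustomobject]@{ Path = $p; OnDisk = $onDisk; Signature = $sig }
}

function Get-BootPersistence {
    $sys32 = Join-Path $env:SystemRoot 'System32'
    # 1. Winlogon Notify packages: winlogon.exe loads DllName at logon events.
    $notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (Test-Path $notify) {
        foreach ($k in Get-ChildItem $notify) {
            $v = Get-ItemProperty $k.PSPath
            $f = Resolve-ReferencedFile $v.DllName $sys32
            [pscustomobject]@{ Source = 'WinlogonNotify'; Name = $k.PSChildName; Entry = $v.Startup
                               Path = $f.Path; OnDisk = $f.OnDisk; Signature = $f.Signature }
        }
    }
    # 2. SafeBoot lists: a driver registered here is still loaded in Safe Mode,
    #    so look up the service of the same name and its ImagePath.
    foreach ($mode in 'Minimal', 'Network') {
        $sb = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
        foreach ($k in Get-ChildItem $sb | Where-Object { $_.PSChildName -like '*.sys' }) {
            $svc = $k.PSChildName -replace '\.sys$', ''
            $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
            $img = if (Test-Path $svcKey) { (Get-ItemProperty $svcKey).ImagePath } else { $null }
            $f = [pscustomobject]@{ Path = $null; OnDisk = $false; Signature = 'no service' }
            if ($img) { $f = Resolve-ReferencedFile $img $env:SystemRoot }
            [pscustomobject]@{ Source = "SafeBoot\$mode"; Name = $k.PSChildName; Entry = $svc
                               Path = $f.Path; OnDisk = $f.OnDisk; Signature = $f.Signature }
        }
    }
}

# Built-in drivers appear too; keep only entries that are unsigned, unseen or unserviced.
Get-BootPersistence | Where-Object { -not $_.OnDisk -or $_.Signature -ne 'Valid' } | Format-Table -AutoSize
```

Because an active rootkit can also filter registry queries made from the infected system, an empty result is not proof of a clean machine; the same checks run against the offline hives or from a boot CD are more trustworthy.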