[Dshield] New Variant of Backdoor.Haxdoor

Jenkins, Matt mjenkins7 at fairmontstate.edu
Wed Aug 16 02:38:00 GMT 2006

I just received this variant also.  I updated Symantec's definitions and it still does not detect it.  Who should these samples be sent to?  I looked all over Symantec's site and cannot find any address to use for sending new samples to.


From: list-bounces at lists.dshield.org on behalf of Chris Wright
Sent: Tue 8/15/2006 6:12 PM
To: 'General DShield Discussion List'
Subject: [Dshield] New Variant of Backdoor.Haxdoor

Martin Forest posted a message on 26th July about a new virus.
(Backdoor.Haxdoor.O or a variant thereof)

Just had a new variant drop in one of my spamtraps that wasn't picked up by
Email me off list if you want the zip/binary.
Ran through VirusTotal and it appears to be quite new:

AntiVir 08.15.2006  no virus found
****Authentium 4.93.8 08.15.2006 W32/Haxdoor.LB@bd
Avast 4.7.844.0 08.15.2006  no virus found
AVG 386 08.15.2006  no virus found
BitDefender 7.2 08.15.2006  no virus found
****CAT-QuickHeal 8.00 08.14.2006 (Suspicious) - DNAScan
ClamAV devel-20060426 08.15.2006  no virus found
DrWeb 4.33 08.15.2006  no virus found
eTrust-InoculateIT 23.72.98 08.15.2006  no virus found
eTrust-Vet 30.3.3021 08.15.2006  no virus found
Ewido 4.0 08.15.2006  no virus found
****Fortinet 08.15.2006 suspicious
****F-Prot 3.16f 08.15.2006 security risk named W32/Haxdoor.LB@bd
F-Prot4 08.15.2006  no virus found
Ikarus 08.15.2006  no virus found
Kaspersky 08.15.2006  no virus found
McAfee 4830 08.15.2006  no virus found
Microsoft 1.1560 08.14.2006  no virus found
****NOD32v2 1.1707 08.15.2006 a variant of Win32/Haxdoor
****Norman 5.90.23 08.15.2006 Suspicious_F.gen
Panda 08.15.2006 Suspicious file
Sophos 4.08.0 08.15.2006  no virus found
****Symantec 8.0 08.15.2006 Backdoor.Trojan
TheHacker 08.14.2006  no virus found
UNA 1.83 08.15.2006  no virus found
****VBA32 3.11.0 08.15.2006 suspected of Trojan-Dropper.Microjoin.2
VirusBuster 4.3.7:9 08.15.2006 no virus found

The email has a similar format to the previous one:

Has a zip file with an executable within, named in my case Z3566043.zip

<begin mail>
Dear Customer,

Thank you for shopping at our shop !
This e-mail is to inform you that your order has been shipped out.
The following information is for your reference (see details in the
* Order No.:  Z3566043
* Order Date:  08/13/2006
   SUBTOTAL : $1,769.99
   SALESTAX : $0.00
   SHIPPING : $16.81
   TOTAL    : $1,786.80
* Ship Via:  FDX Overnight Delivery

[Ship Date :] 08/14/2006 [Tracking No:] 708745655472 Please note that if
your order includes more than one package, the packages may not be delivered
at the same time due to the shipping carrier's schedule and the delivery
method, and this is out of our control.
In addition, backordered items will be shipped separately.
You may check the status of your package's progress at our website.
Simply click on "Customer Service", then log into the "Member Center".
Customers who leave comments for us at either ResellerRatings.com or
Pricegrabber will be eligible to receive a flash drive or other cool prize!
FOUR drawings will take place every month -- one drawing from each review
site on the 1st and the 15th of every calendar month.
Thank you for shopping with us!
15% restocking fee applies to all refunds. All products must be returned in
like-new condition, including original packaging and all documentation and
accessories. Charges will be applied for all missing accessories or parts.
Our shop will not accept items that have been physically damaged or misused.
Return periods for different product categories range from zero to 30 days.
<end mail>
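A defender-side check for the delivery pattern Chris describes, an order-confirmation mail with a zip attachment that hides an executable. This is an added example, not code from the thread; the executable-extension list and the sample message it builds are assumptions constructed for the demonstration.

```python
"""Flag inbound mail whose zip attachment contains an executable member,
the lure shape seen in the post (fake order mail plus Z<digits>.zip holding
an .exe). Added example, not code from the mailing-list thread."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Member extensions treated as executable content (assumed list, extend as needed).
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def risky_zip_members(blob: bytes) -> list:
    """Return names of executable members inside a zip blob ([] if none or not a zip)."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return [n for n in zf.namelist()
                    if any(n.lower().endswith(e) for e in EXEC_EXTS)]
    except zipfile.BadZipFile:
        return []


def flag_message(raw: bytes) -> list:
    """Return 'attachment.zip:member' for every executable found in zip attachments."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        for member in risky_zip_members(part.get_payload(decode=True)):
            hits.append(f"{name}:{member}")
    return hits


def build_sample() -> bytes:
    """Constructed sample mimicking the lure: order mail with Z3566043.zip holding an .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Z3566043.exe", b"MZ placeholder bytes, not a real binary")
    msg = EmailMessage()
    msg["Subject"] = "Your order has been shipped"
    msg.set_content("Dear Customer,\nOrder No.: Z3566043\nSee the attached details.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Z3566043.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(flag_message(build_sample()))  # ['Z3566043.zip:Z3566043.exe']
```

A non-empty result from flag_message is a quarantine signal regardless of what the AV engines say about the inner file, which is the gap the VirusTotal listing above illustrates.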
