[Dshield] New Variant of Backdoor.Haxdoor

Charles F. Pigeon cpigeon at cybershift.com
Wed Aug 16 21:39:16 GMT 2006


Interesting, yesterday's Symantec Corporate definitions saw nothing wrong
with the file you provided (heuristics maxed). I installed today's
definitions and it finds the virus no problem. However, they mark it as a variant
from July 23 that was last updated on the 24th.. Guess they didn't bother to
update the database on this one...

Charles Pigeon

Systems Engineer

CyberShift, Inc.

cpigeon at cybershift.com 

Office - 973-364-0480 x3219

Cell - 973-902-7725

http://www.cybershift.com

-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Chris Wright
Sent: Wednesday, August 16, 2006 5:16 PM
To: 'General DShield Discussion List'
Subject: Re: [Dshield] New Variant of Backdoor.Haxdoor

Most vendors have added the new Haxdoor variant to their db's today...

Here is AVG's entry for it:

Virus Encyclopedia

BackDoor.Generic3.GBC!CME-482
CME-482


This worm spreads over the internet by exploiting the MS Windows Server Service
vulnerability described in MS Security Bulletin MS06-040.

Installation:
When the worm is launched it copies itself as wgareg.exe to the Windows System
Directory and registers itself under the name Windows Genuine Advantage
Registration Service as a service with automatic startup type in the
HKLM\SYSTEM\ControlSet001\Services\wgareg key in the Windows Registry.

The worm also changes the value of the entry "EnableDCOM" to "n" in the
HKLM\software\microsoft\ole key in the Windows Registry, which disables the DCOM
protocol.

On WinXP and Win2003 Server the worm changes the automatic startup type of the
Windows Firewall/Internet Connection Sharing (ICS) service in the
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess key to manual startup,
which disables Windows Firewall.

Spreading: internet
The worm stores its copies in shared folders, searches IP addresses and, when it
finds a vulnerable computer, uses the exploit to download a copy of
itself and launch it.

*********

I've now moved the Virus to one of my servers (since I didn't consider how
many of you would ask me for a copy !! :)  )

http://www.yaps4u.net/dshield/Z3566043.zip

U/N: virus
PWD: virus

(Yeah I know it looks daft posting the U/N and PWD to a public forum,
but it's just to stop the casual browser from hitting that folder)
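Added example, not part of either message or of AVG's write-up: a Python triage script that parses a `reg export`-style dump (a constructed sample is embedded; it is not a real capture) and flags the three registry changes the quoted entry describes. The service Start values 2 (automatic) and 3 (manual) are the standard Windows service start-type encodings; the regex accepts any ControlSetNNN since exports name the numbered set rather than CurrentControlSet.

```python
import re

# Constructed .reg export reproducing the three changes described in the AVG entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wgareg]
"ImagePath"="C:\\WINDOWS\\system32\\wgareg.exe"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="n"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess]
"Start"=dword:00000003
"""

# Matches a service key under any control set; group 1 is the service name.
SERVICE_KEY = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(?:ControlSet\d{3}|CurrentControlSet)"
    r"\\Services\\([^\\]+)$", re.IGNORECASE)
OLE_KEY = r"hkey_local_machine\software\microsoft\ole"


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: raw_value_text}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            keys[current][name.strip('"')] = raw.strip()
    return keys


def haxdoor_indicators(keys):
    """Return a sorted list of the described persistence/weakening indicators present."""
    found = []
    for path, values in keys.items():
        m = SERVICE_KEY.match(path)
        if m:
            svc, start = m.group(1).lower(), values.get("Start", "").lower()
            if svc == "wgareg" and start == "dword:00000002":
                found.append("wgareg service registered with automatic start")
            elif svc == "sharedaccess" and start == "dword:00000003":
                found.append("SharedAccess (Windows Firewall/ICS) set to manual start")
        elif path.lower() == OLE_KEY and values.get("EnableDCOM", "").strip('"').lower() == "n":
            found.append("EnableDCOM set to n (DCOM disabled)")
    return sorted(found)


if __name__ == "__main__":
    for hit in haxdoor_indicators(parse_reg(SAMPLE_REG)):
        print("INDICATOR:", hit)
```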

