Virus Database


Backdoor.Hacdef.b

Description Backdoor.Hacdef.b

This Trojan is a member of the Backdoor family of Trojans. It runs only under Windows NT, Windows 2000 and Windows XP.
The Trojan consists of two files: a main component and a helper library.
The files may appear under a range of names; the names most commonly used are:
Main component:
isplog.exe
isplogger.exe
Helper library:
isplogger.sys
hkrnlrdv.sys
hxdefdrv.sys
The main component is 70144 bytes in size and the helper library 3328 bytes.
The program has a stealth function which hides processes, files on disk and system registry values.
Installation
To install the backdoor, the Trojan requires a configuration file (INI) that lists the files and processes to be hidden and gives the password for remote access to the system.
The backdoor is installed with the command-line switch:
-:installonly
Once launched, the Trojan extracts the helper library from its own body and writes it to the directory containing the backdoor.
It registers itself as a service in the Windows system registry and so gains control each time the operating system starts.
It also creates entries under the SafeBoot key:
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network]
so that the backdoor service is also loaded when Windows starts in Safe Mode (Minimal or with Networking).
The backdoor installs API hooks in every running process and replaces a large number of system APIs in order to mask its presence. The hooked functions are:
AddAccessAllowedAce
AllocateAndInitializeSid
CloseHandle
closesocket
CreateFileA
CreateMailslotA
CreatePipe
CreateProcessA
CreateProcessW
CreateThread
DisconnectNamedPipe
DuplicateHandle
EnumServicesStatusA
EnumServicesStatusW
ExitThread
FindClose
FindFirstFileExW
FindNextFileW
FlushInstructionCache
FreeLibrary
GetCurrentProcess
GetEnvironmentVariableW
GetLastError
GetLengthSid
GetMailslotInfo
GetModuleFileNameA
InitializeAcl
InitializeSecurityDescriptor
IsBadReadPtr
LoadLibraryA
LoadLibraryExW
NtQuerySystemInformation
PeekNamedPipe
ReadFile
recv
ResumeThread
send
SetLastError
SetSecurityDescriptorDacl
Sleep
TerminateProcess
TerminateThread
VirtualAlloc
VirtualFree
VirtualProtect
VirtualQuery
WaitForMultipleObjects
WriteFile
WSAEventSelect
WSAGetLastError
WSAIoctl
WSARecv
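The stealth logic implied by the list above, as an added example that is not the Trojan's own code: the hooked enumeration APIs (FindFirstFileExW/FindNextFileW for files, NtQuerySystemInformation for processes) drop every entry that matches the hidden table read from the INI, and a cross-view comparison of the hooked listing against an unhooked one shows exactly what was dropped. The INI section and key names, the password and the port are assumptions made for the demo; the page only says the file lists hidden files and processes and the remote-access password. The file names in the sample are the ones listed above.

```python
"""Model of a user-mode rootkit's enumeration hooks and of the cross-view
check that exposes them.  Added example; the INI layout is assumed."""
import configparser
import fnmatch

# Constructed configuration; section/key names are assumptions.
SAMPLE_INI = """
[Hidden Files]
isplog*
hxdef*

[Hidden Processes]
isplog.exe
isplogger.exe

[Settings]
Password = constructed-demo-password
BackdoorPort = 4443
"""


def load_config(text):
    """Parse the hidden table and settings from the INI text."""
    cp = configparser.ConfigParser(allow_no_value=True)
    cp.optionxform = str  # keep the patterns exactly as written
    cp.read_string(text)
    return {
        "hidden_files": list(cp["Hidden Files"]),
        "hidden_processes": [k.lower() for k in cp["Hidden Processes"]],
        "password": cp["Settings"]["Password"],
        "port": cp["Settings"].getint("BackdoorPort"),
    }


def is_hidden(name, patterns):
    """Windows file names are case-insensitive, so match on the lower-cased name."""
    n = name.lower()
    return any(fnmatch.fnmatchcase(n, p.lower()) for p in patterns)


def hooked_find_files(raw_listing, cfg):
    """What the hooked FindFirstFileExW/FindNextFileW hand back to the caller."""
    return [f for f in raw_listing if not is_hidden(f, cfg["hidden_files"])]


def hooked_process_list(raw_processes, cfg):
    """What the hooked NtQuerySystemInformation hands back: (pid, image name)."""
    return [(pid, img) for pid, img in raw_processes
            if img.lower() not in cfg["hidden_processes"]]


def cross_view_diff(api_view, raw_view):
    """Objects present in the unhooked view but missing from the API view.
    On a real system the raw view comes from reading the disk or kernel
    structures directly, or from an offline scan of the volume."""
    api = set(api_view)
    return [x for x in raw_view if x not in api]


# Constructed sample data: a directory and a process table as the kernel sees them.
RAW_FILES = ["isplog.exe", "hxdefdrv.sys", "notepad.exe", "ISPLOGGER.SYS", "boot.ini"]
RAW_PROCESSES = [(4, "System"), (812, "isplog.exe"), (1204, "explorer.exe")]


def demo():
    """Return what the hooked APIs show and what the cross-view check recovers."""
    cfg = load_config(SAMPLE_INI)
    api_files = hooked_find_files(RAW_FILES, cfg)
    api_procs = hooked_process_list(RAW_PROCESSES, cfg)
    return {
        "api_files": api_files,
        "hidden_files": cross_view_diff(api_files, RAW_FILES),
        "api_procs": api_procs,
        "hidden_procs": cross_view_diff(api_procs, RAW_PROCESSES),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Any detector that relies on the same hooked APIs (most on-demand scanners of that era) sees only `api_files`; the hidden components surface only in the difference between the two views, which is why rootkit detection moved to reading the file system and process list from below the hooked layer.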
When launched, the backdoor does not open any port on the victim machine. Instead, the hooked socket APIs (recv, WSARecv and the others listed above) let it inspect all incoming traffic to services that are already listening, looking for commands from a remote client. If the correct password is received, it opens the port specified by the author or user of the Trojan for remote access. Because the trigger arrives as ordinary traffic to a service the firewall already permits, the backdoor evades any firewall protection on the victim machine.
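The trigger described above, as an added example that is not the Trojan's code: the backdoor listens on nothing, but its replacement for recv() still performs the original call, then inspects the bytes a legitimate service received; a message that begins with the configured password is diverted to the backdoor, which records the configured port as opened, while everything else reaches the service untouched. The password, the backdoor port, the toy HTTP-like service and the socketpair transport are constructed for the demo.

```python
"""Model of a recv() hook that turns an allowed service port into the
backdoor's trigger channel.  Added example; values below are constructed."""
import socket

PASSWORD = b"constructed-demo-password"  # would come from the INI
BACKDOOR_PORT = 4443                      # would come from the INI


def legitimate_service(request):
    """Stand-in for any service the firewall already allows, e.g. a web server."""
    return b"HTTP/1.0 200 OK\r\n\r\nhello\r\n"


class RecvHook:
    """Replacement for recv(): the original call is made first, then the
    data is examined before the caller (the service) ever sees it."""

    def __init__(self, password, backdoor_port):
        self.password = password
        self.backdoor_port = backdoor_port
        self.opened_ports = []  # ports the backdoor has opened so far (none at start)

    def recv(self, sock, bufsize):
        data = sock.recv(bufsize)  # the original, unhooked recv
        if data.startswith(self.password):
            if self.backdoor_port not in self.opened_ports:
                self.opened_ports.append(self.backdoor_port)
            return "backdoor", data[len(self.password):]
        return "service", data


def run_exchange(messages, hook):
    """Deliver each client message over a socketpair, let the hooked server
    side route it, and return a list of (route, reply-seen-by-client)."""
    client, server = socket.socketpair()
    log = []
    try:
        for msg in messages:
            client.sendall(msg)
            route, payload = hook.recv(server, 4096)
            if route == "service":
                reply = legitimate_service(payload)
            else:
                reply = (b"backdoor: port " + str(hook.backdoor_port).encode()
                         + b" opened, command " + payload + b"\r\n")
            server.sendall(reply)
            log.append((route, client.recv(4096)))
    finally:
        client.close()
        server.close()
    return log


if __name__ == "__main__":
    h = RecvHook(PASSWORD, BACKDOOR_PORT)
    for route, reply in run_exchange(
            [b"GET / HTTP/1.0\r\n\r\n", PASSWORD + b"cmd.exe"], h):
        print(route, reply)
    print("opened ports:", h.opened_ports)
```

A host firewall that only filters by listening port never sees anything new until the password has already been accepted, so a network-side signature on the password bytes, or an integrity check of the socket APIs in the service process, is what catches this stage.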
If you detect any of the Trojan components on your machine, you are strongly recommended to contact your antivirus manufacturer's technical support service.


Mini_HHHH.246

Description Mini_HHHH.246

It is a harmless, non-memory-resident parasitic virus. It searches for .COM files and writes itself to the end of the file. It contains the text string:
The MiNi-HHHH

Minimax

Description Minimax

It is a harmless, non-memory-resident parasitic virus. It searches for .COM files in the current directory and infects them. The distinctive feature of this virus is its infection algorithm: the virus does not append itself to the end of the file, but reads the file contents into a buffer inside its own body:
+-------------+-------------------------+-------------+
| 3 bytes:    | file body               | virus body  |
| jmp to virus| (read buffer)           | 122 bytes   |
+-------------+-------------------------+-------------+
|<---------------- total: 31125 bytes --------------->|

Every infected file is therefore exactly 31125 bytes long, so the read buffer holds 31000 bytes (31125 minus the 3-byte jump and the 122-byte virus body); if the host file is larger than the read buffer, the virus does not infect it.
When an infected file is executed, the virus searches for an uninfected .COM file and infects it, then copies the host file body from the buffer back to its normal position and jumps to the host's code.
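The layout above, as an added example that is not the virus's code: the sizes come from the description (3-byte jump, 31125-byte total, 122-byte body, hence a 31000-byte buffer), the virus body is replaced by filler, and two details the page does not state are assumptions, namely that the 3-byte jump is a near `jmp rel16` (E9 xx xx, the usual 3-byte jump in a .COM file) and that the unused part of the buffer is zero-filled, which is what lets the recovery routine trim it. The sample host is a constructed byte string.

```python
"""Layout model of the Minimax .COM infection and a recovery routine.
Added example; jmp encoding and zero-filled padding are assumptions."""
import struct

JMP_SIZE = 3
VIRUS_SIZE = 122
INFECTED_SIZE = 31125
BUFFER_SIZE = INFECTED_SIZE - JMP_SIZE - VIRUS_SIZE  # 31000-byte read buffer


def make_jmp(from_off, to_off):
    """Near jmp rel16 (assumed encoding): E9 followed by a signed 16-bit delta
    measured from the end of the 3-byte instruction."""
    return b"\xe9" + struct.pack("<h", to_off - (from_off + JMP_SIZE))


def infect(host):
    """Return the infected image, or None when the host exceeds the buffer."""
    if len(host) > BUFFER_SIZE:
        return None  # the virus skips files larger than its read buffer
    buffer = host + b"\x00" * (BUFFER_SIZE - len(host))  # assumed zero fill
    virus_body = b"\x90" * VIRUS_SIZE                    # filler, not the real body
    jump = make_jmp(0, JMP_SIZE + BUFFER_SIZE)           # first instruction -> virus body
    return jump + buffer + virus_body


def is_infected(image):
    """Recognise an infected file: exact size plus a jump landing on the body."""
    if len(image) != INFECTED_SIZE or image[0] != 0xE9:
        return False
    rel = struct.unpack("<h", image[1:3])[0]
    return rel == BUFFER_SIZE


def disinfect(image):
    """Copy the buffer back to the normal position, as the virus itself does
    at run time, and drop the zero padding.  A host that genuinely ended in
    zero bytes would lose them, since the original length is not recorded."""
    if not is_infected(image):
        return None
    return image[JMP_SIZE:JMP_SIZE + BUFFER_SIZE].rstrip(b"\x00")


# Constructed host: a short DOS program body (bytes are illustrative only).
SAMPLE_HOST = bytes.fromhex("b409ba0a01cd21c3") + b"Hello from host$"

if __name__ == "__main__":
    img = infect(SAMPLE_HOST)
    print(len(img), is_infected(img), disinfect(img) == SAMPLE_HOST)
```

The size check is the same heuristic the virus uses to avoid re-infecting a file, and the same one a scanner of the period could use: every Minimax victim is 31125 bytes and starts with a jump 31000 bytes forward.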

    Copyright © 2005 Virus-Database.com