Virus Database


Backdoor.Haxdoor.o

Description Backdoor.Haxdoor.o

This is a backdoor remote administration program. It spreads via the Internet using infected messages when commanded to by the author/user of the program. It is packed using FSG; the compressed file is 35792 bytes in size and the uncompressed file is 103936 bytes.
Installation
Once launched, the program installs itself in the Windows system directory as w32_ss.exe. It then installs the other program modules on the victim machine:
debugg.dll - main module
sdmapi.sys *
boot32.sys *
c3.dll *
c3.sys *
c4.sys *
Note: Files marked with an asterisk (*) are installed only on systems running Windows NT/2000/XP.
The files are installed in the Windows system directory as follows:
System (Windows 9x)
System32 (Windows NT/2000/XP)
The program then registers itself in the system registry.
In systems running Windows 9x:
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MPRServices\TestService]
DllName="debugg.dll"
EntryPoint="MemManager"
StackSize=0
In systems running Windows NT/2000/XP:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\debugg]
DllName="debugg.dll"
Startup="MemManager"
Impersonate=1
Asynchronous=1
MaxWait=1
Payload:
The program opens port 16661 and waits for client machines to connect. It has a wide range of remote administration commands; its main function is to intercept passwords on the victim machine and send them to the creator/user of the program.
Mass mailing:
The program will mass mail messages if commanded to by the client machine. The contents of messages and attachment type are determined by the program's user and will vary widely.
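The installation traces listed above can be checked offline against a regedit-style export and a file listing taken from a suspect machine. The following Python sketch is an added example, not part of the original description; the function names and the sample input are constructed for illustration, and it matches on the DllName value under either autoload key rather than on the subkey name.

```python
import re

# Indicators taken from the Installation section above.
HAXDOOR_FILES = {"w32_ss.exe", "debugg.dll", "sdmapi.sys", "boot32.sys",
                 "c3.dll", "c3.sys", "c4.sys"}
AUTOLOAD_PARENTS = (
    r"hkey_local_machine\system\currentcontrolset\control\mprservices",
    r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\notify",
)
HAXDOOR_DLL = "debugg.dll"
SYSTEM_DIRS = ("system", "system32")

def parse_reg_export(text):
    """Parse regedit-style export text into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            current[name.strip('"')] = data.strip('"')
    return keys

def find_haxdoor_traces(reg_text, file_paths):
    """Return sorted (kind, item) findings for autoload keys and module files."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        parent = key.lower().rpartition("\\")[0]
        dll = values.get("DllName", "").lower().rpartition("\\")[2]
        if parent in AUTOLOAD_PARENTS and dll == HAXDOOR_DLL:
            findings.append(("registry", key))
    for path in file_paths:
        parts = re.split(r"[\\/]", path.lower())
        # Only flag the listed names when they sit in a Windows system directory.
        if len(parts) >= 2 and parts[-1] in HAXDOOR_FILES and parts[-2] in SYSTEM_DIRS:
            findings.append(("file", path))
    return sorted(findings)

# Constructed sample input (not from a real host).
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\debugg]
"DllName"="debugg.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"="crypt32.dll"
'''
SAMPLE_FILES = [r"C:\WINDOWS\system32\debugg.dll", r"C:\WINDOWS\system32\c3.sys",
                r"C:\tools\debugg.dll", r"C:\WINDOWS\system32\kernel32.dll"]
print(find_haxdoor_traces(SAMPLE_REG, SAMPLE_FILES))
```

A file name match alone is weak evidence, since names such as debugg.dll are easy to reuse; a hit on both the autoload key and the module files in the system directory is the stronger signal.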


RagDoll.942

Description RagDoll.942

This is a non-dangerous memory-resident parasitic virus. It copies itself into EMS memory, hooks INT 21h and writes itself to the end of EXE files that are executed. If it is run under a debugger, the virus halts the PC. The virus detects the TBAV memory-resident anti-virus monitor and displays:
TbDriver, TBAV TSR utilities driver (C) Copyright 1992-94 Thunderbyte BV.
_ Program not supported.

The virus also contains the text string:
Rag Doll Virus by Sx (c) 1995 AeroSmith Rulze!!

Rager.1383

Description Rager.1383

These are dangerous memory-resident parasitic viruses. They hook INT 21h and write themselves to the end of EXE files that are executed. When the LOGIN utility is executed, the virus, depending on the system timer, decrypts and displays the following message and then reboots the computer:
********** Warning ! **********
Novell NetWare report : Hardware A30 error detected.
Registers :
AX :2134 BX :3C23 CX :1841 DX :5421
CS :2451 DS :2023 ES :538A SS :6C8B
SI :46AE DI :94B4 SP :4541 BP :491C
Try restart file-server,if it will not give effect,
switch off your network and call trained service-people.
Press any key to restart this computer.

The virus also contains the text:
NetWare virus from Avenge (tm) family .
(C)Rager , Simferopol State University





    Copyright © 2005 Virus-Database.com