TrojanHaxdoor
MD5SUM: 7a961a17bf7f04d51c266634d0d10e5a
SHA1SUM: 3b306e98b54eaba5893086254cf2ed716e8e7088
SHA256SUM: 42e56bc95c04e3a1928f9c7b4403d74e2093d82e10708f8bf23b346b0c65651e

PACKER: FSG v2
REF: Submitted by MythX
DATE FOUND: 02/14/06
VECTOR: OC Submission
THREAT: TrojanHaxdoor (as identified by multiple AV Vendors)
CME #: N/A
SIZE (Packed): 12.7 KB
SIZE (Unpacked): 97.0 KB

(Results via VirusTotal.com - Virusscan.Jotti.org - Norman SandBox Live)

AntiVir: Nothing
ArcaVir: Nothing
Avast: Nothing
AVG: Nothing
Avira: Nothing
BitDefender: BehavesLike:Trojan.FirewallBypass
QuickHeal: (Suspicious) - DNAScan
ClamAV: Nothing
Dr. Web: Nothing
eTrust-Iris: Win32/Haxdoor.Variant!Trojan
eTrust-Vet: Win32/Haxdoor!generic
Fortinet: Haxdor!tr
F-Prot: Nothing
Ikarus: IM-Worm.Win32.Lewor.D
Kaspersky: Trojan-Spy.Win32.Haxspy.p
McAfee: Nothing
NOD32v2: a variant of Win32/Spy.Goldun.GU
Norman: W32/Haxdoor.SN
Panda: Suspicious file
Sophos: Troj/Haxdor-Fam
Symantec: Nothing
TheHacker: Nothing
UNA: Nothing
VBA32: suspected of Trojan-PSW.LdPinch.9

NOTES:

Bound listeners on TCP ports 13537 and 61270
Dropped and loaded two DLLs (C:\WINDOWS\system32\mmxtcpip.sys and C:\WINDOWS\system32\tcpwrk.dll (into Explorer))
SOCKS Proxy

Connections:

208.254.1.72
207.171.166.37 166-37.amazon.com.
205.188.137.89 kdc.uas.aol.com.
72.14.203.99
66.98.250.38 diamond.emeraldweb.us.
64.233.167.147
64.233.163.99

GET /%s?param=cmd&socks=%u&https=%u HTTP/1.0
User-Agent: Windows Updater
Host: %s

Cheers,
Tebo

I forgot to add:

The mmxtcpip.sys is started as a service, and it adds itself to the firewall StandardProfile key so you don't get asked to Unblock it.
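The beacon format string in the post (GET /%s?param=cmd&socks=%u&https=%u HTTP/1.0 with User-Agent: Windows Updater) is specific enough to match on in a proxy log or IDS. The following is an added example, not code from Tebo's post or from the sample itself: a small Python matcher that parses raw HTTP request headers and flags requests that fit that shape. The sample requests are constructed; the "/gate.php" path stands in for the unknown %s and is not taken from the sample. The C2 host list is copied from the Connections section above, and the two strong indicators (the User-Agent and the query-string shape) are required together so that a benign request merely using HTTP/1.0 or a forged User-Agent alone does not trip it.

```python
"""Matcher for the Haxdoor HTTP beacon shape described in the post.

Added example, not code from the original post. The requests below are
constructed to mimic the format string
    GET /%s?param=cmd&socks=%u&https=%u HTTP/1.0
    User-Agent: Windows Updater
    Host: %s
plus benign traffic for contrast.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Observables copied from the post.
BEACON_USER_AGENT = "Windows Updater"
C2_HOSTS = {
    "208.254.1.72", "207.171.166.37", "205.188.137.89", "72.14.203.99",
    "66.98.250.38", "64.233.167.147", "64.233.163.99",
}

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/(?P<ver>\d\.\d)$")

# Constructed samples. "/gate.php" is a placeholder for the unknown %s.
SAMPLE_BEACON = (
    "GET /gate.php?param=cmd&socks=13537&https=61270 HTTP/1.0\r\n"
    "User-Agent: Windows Updater\r\n"
    "Host: 66.98.250.38\r\n\r\n"
)
SAMPLE_BENIGN = (
    "GET /index.html HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Host: example.com\r\n\r\n"
)
# Same User-Agent, but no param=cmd&socks=&https= query: not the beacon.
SAMPLE_SPOOFED_UA = (
    "GET /update HTTP/1.1\r\n"
    "User-Agent: Windows Updater\r\n"
    "Host: example.com\r\n\r\n"
)


def parse_request(raw):
    """Split raw HTTP request headers into method, target, version and a header dict."""
    lines = raw.strip().splitlines()
    if not lines:
        return None
    m = REQUEST_LINE.match(lines[0].strip())
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # end of headers
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": m.group("method"), "target": m.group("target"),
            "version": m.group("ver"), "headers": headers}


def beacon_indicators(raw):
    """Return the list of indicator names the request matches (empty if none)."""
    req = parse_request(raw)
    if req is None:
        return []
    hits = []
    if req["headers"].get("user-agent") == BEACON_USER_AGENT:
        hits.append("user-agent")
    qs = parse_qs(urlsplit(req["target"]).query)
    # %u in the format string means an unsigned integer, so require digits.
    if qs.get("param") == ["cmd"] and all(
        k in qs and qs[k][0].isdigit() for k in ("socks", "https")
    ):
        hits.append("query-shape")
    if req["method"] == "GET" and req["version"] == "1.0":
        hits.append("http-1.0-get")  # weak on its own, useful for scoring
    if req["headers"].get("host") in C2_HOSTS:
        hits.append("known-c2-host")
    return hits


def is_beacon(raw):
    """Require both strong indicators together to keep false positives down."""
    hits = beacon_indicators(raw)
    return "user-agent" in hits and "query-shape" in hits


def scan(requests):
    """Return indices of requests in the iterable that look like the beacon."""
    return [i for i, r in enumerate(requests) if is_beacon(r)]


if __name__ == "__main__":
    for sample in (SAMPLE_BEACON, SAMPLE_BENIGN, SAMPLE_SPOOFED_UA):
        print(is_beacon(sample), beacon_indicators(sample))
```

The "socks" and "https" values in the constructed beacon are just the two listener ports from the post reused as plausible unsigned integers; the post does not say what the trojan actually puts there, so the matcher only checks that they are numeric.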