No announcement yet.

I need haxdoor

  • Filter
  • Time
  • Show
Clear All
new posts

  • I need haxdoor

    I am trying to develop a tool that will remove the haxdoor virus. There is a new flavor out that is not detected by norton, but spybot catches it. You know you have the particular strain if there is a protected hidden file named draw32.dll in your system directory. Neither will remove it. I have run into it 3 times now in the last month. Do me a favor and if anyone picks it up let me know (email me) and I'll tell you which files to email and how to do it. In return I'll give you a copy of the removal tool (or assist you in formatting your drive ). Thanks in advance.

  • #2
    Get a DOS disk and boot to dos, many viruses will not survive the 16 bit environment and can be easily removed at that point. If you are NTFS there are other tools.


    • #3
      Yeah, but

      I need a copy of the executable and associated files. I have been able to fix this virus at one clients house, and lost on two others. The particular strain I am trying to find is vicious. It opens a backdoor, logs key strokes and destroys sectors on the hard drive as the payload. It also uses some very interesting auto start techniques including installing legacy services. I am looking for the virus to create a removal tool. I need to run it on a throwaway machine and study the registry changes, file reads and writes and movement and alteration of system services. Thanks in advance.


      • #4
        Hang a Server box on the Internet on a public IP with no protection at all. It's still the wild wild west out there, you may catch it in under 24 hours.


        • #5
          Haxdoor.. doesn't do anything unless it's told to do so, it's a trojan horse ..up to and including L variant with no easily uploadable/changeable payload as a few other nasty strains had. Information you request is found here -As for virii/executables, most of those in the community will not just wantonly send .exe/source of that sort to another unless they're trusted with it.

          My take:

          Removal: easy
          Headache factor: moderate
          Reason to format: No



          • #6
            Good Idea putting a computer on the net. I'll try that although I think it's transmitted via email. The version I'm looking for is not described in the link posted. It's similar but very different. I've worked with viri and computer security for 15 years now and it's one of the worst I've seen. I'm not asking for source, I'm asking for a malicious executable. Seems like it shouldn't be a problem. Not much trust involved there. Just want someone to rename it with a .tmp extension.

            Oh and the virus did drop it's payload on one clients system without being "told" to. It was not connected to the network at the time and the file system was destroyed.

            This virus has many many features including hiding files from windows explorer, legacy services for autostart, a runtime service creation to vary the name of one or two services for each computer, winlogon notify, tricklers and a very nasty executable named vtd_16.exe that runs hidden. In the strain I'm looking for it moves itself around and disables the forensic tools I use (sysinternals). It even noted in the keystroke logger which programs I was using to detect it. Norton, Housecall and Sophos were unable to detect it. Spybot detected the presence of the draw32.dll. I was able to remove it in one case because I used the file verification tool to check .sys files in the system32 directory and then looked each one up on google to verify each non signed file.