New Haxdoor Variant


Just thought I should tell everyone about a new Haxdoor variant I found
this morning. It appears to do everything just as Haxdoor does now, i.e.
keylogs, opens a port for remote access and restarts the computer if
it is tampered with.
In addition it uses a silly looking "Google" screen block to prevent
access to any antivirus site referring to Haxdoor.
Turning off the "automatically restart" on error function in Windows XP
shows the below BSOD if your antivirus tries to clean it:

Stop 0x0000008E
rxx6ot.sys

The file names I have identified as part of this variant are:
rxx6ot.sys
rxx5ot.dll
rxx5ot.sys (maybe)

The service in the registry is registered as MMX Virtualization and
MMX2 Virtualization, just as they are in the original Haxdoor.

I have a copy of the first two if any antivirus firms want me to email
them to you.

In addition to the above problems this variant also uses Rootkit
functionality to prevent you from diagnosing it, I used the rootkit
uninstaller to locate them and then booted into a recovery console to
delete the rogue files.

If I can be of any other help feel free to email me:
Deane Jessep
Senior Systems Engineer
GCT
Hastings
New Zealand
deane@jessep.co.nz
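For anyone wanting to triage a machine against the indicators Deane lists, here is an added PowerShell check (my example, not part of Deane's post and not a vendor tool). The file names, the service names and the STOP code are taken from the post above; the directories searched, the output format and the use of the CrashControl\AutoReboot value for the "automatically restart" setting are this example's own assumptions. It assumes a host where PowerShell is available. Because the post says the variant uses rootkit functionality to hide itself, a clean result from a user-mode check like this is not proof of absence; the post's own remedy was locating the files with a rootkit tool and deleting them from an offline Recovery Console.

```powershell
# Added triage script for the Haxdoor variant described in the post.
# Indicator strings (file names, service names) come from the post;
# everything else here is an assumption of this example.
# A kernel rootkit can hide files and registry keys from this user-mode
# view, so "not found" does not mean "clean".

$fileNames    = @('rxx6ot.sys', 'rxx5ot.dll', 'rxx5ot.sys')
$serviceNames = @('MMX Virtualization', 'MMX2 Virtualization')
$searchDirs   = @("$env:SystemRoot\System32", "$env:SystemRoot\System32\drivers")

$findings = @()

# 1. Look for the named driver/DLL files in the usual system directories
#    (assumed locations; the post does not say where they were placed).
foreach ($dir in $searchDirs) {
    foreach ($name in $fileNames) {
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path) {
            $findings += "File present: $path"
        }
    }
}

# 2. Look for services whose key name or DisplayName matches the names
#    from the post, and for any service whose ImagePath loads a listed file.
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $key   = $_
    $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    $display   = $props.DisplayName
    $imagePath = $props.ImagePath
    foreach ($s in $serviceNames) {
        if ($key.PSChildName -eq $s -or $display -eq $s) {
            $findings += "Service matches '$s': key=$($key.PSChildName) ImagePath=$imagePath"
        }
    }
    foreach ($name in $fileNames) {
        if ($imagePath -and $imagePath -like "*$name") {
            $findings += "Service $($key.PSChildName) loads $name via ImagePath=$imagePath"
        }
    }
}

# 3. Report whether the box is set to reboot automatically on a bugcheck.
#    With AutoReboot=1 the STOP 0x0000008E the post mentions flashes past
#    before it can be read; AutoReboot=0 corresponds to unticking
#    "Automatically restart" under Startup and Recovery.
$crash = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl' -ErrorAction SilentlyContinue
if ($crash -and $crash.AutoReboot -eq 1) {
    $findings += "CrashControl\AutoReboot=1: a bugcheck will reboot before the STOP code is visible"
}

if ($findings.Count -eq 0) {
    Write-Output "No listed indicators found (user-mode view only; a rootkit may be hiding them)."
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

Run it from an elevated PowerShell prompt; the service enumeration needs read access to the Services hive. If it reports nothing but the machine still shows the symptoms Deane describes (port listening, reboots on tampering, the "Google" block page), treat that as consistent with the rootkit hiding its components and move to an offline check as the post did.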

