Visible Symptoms
- This backdoor Trojan installs itself to the local system -
c:\program files\WWWeFly\haotian1.exe
c:\program files\WWWeFly\hao1.ini
- Creation of a folder in the Windows folder named "exefld"
as in this example -
C:\WINNT\exefld
- The Trojan will bind to and listen on TCP ports 1150 - 1153, and 2000
- The Trojan may connect to an IRC server named 'haotian55.3322.org'
in order to receive communication from a malicious user
Detailed Analysis
This Trojan may be received in an email message as an attachment. If
it is run, it will install itself locally -
c:\program files\WWWeFly\haotian1.exe
c:\program files\WWWeFly\hao1.ini
The Trojan could install other files such as these -
C:\Program Files\WWWeFly\Back.FIR
C:\Program Files\WWWeFly\Serpent.Exe
C:\Program Files\WWWeFly\hao1.in0
While the Trojan is resident in memory, it listens on TCP port 2000
awaiting connection attempts from a malicious user over the Internet. The
Trojan may also connect to an IRC server named 'haotian55.3322.org' in
order to receive commands from a malicious user. This Trojan may
download other files from web sites and store them in the folder -
C:\WINNT\exefld
Loading at Windows Startup
The Trojan modifies the registry so that it loads and runs as a service.
The following are examples of registry entries created by the Trojan;
the actual paths will vary depending on where Windows is installed -
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HAOTIAN
"NextInstance" = 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HAOTIAN\0000
"Class" = LegacyDriver
"ClassGUID" = {8ECC055D-047F-11D1-A537-0000F8753ED1}
"ConfigFlags" = 00, 00, 00, 00
"DeviceDesc" = haotian
"Legacy" = 01, 00, 00, 00
"Service" = haotian
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HAOTIAN\0000\Control
"*NewlyCreated*" = 00, 00, 00, 00
"ActiveService" = haotian
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\haotian
"ErrorControl" = 00, 00, 00, 00
"ImagePath" = C:\Program Files\WWWeFly\haotian1.exe
"ObjectName" = LocalSystem
"Start" = 02, 00, 00, 00
"Type" = 10, 01, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\haotian\Enum
"0" = Root\LEGACY_HAOTIAN\0000
"Count" = 01, 00, 00, 00
"NextInstance" = 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\haotian\Security
"Security" = (hex values)
Mitglieder Installation
This Trojan may also include W32/Mitglieder and extract additional files
to the System32 folder -
c:\WINNT\system32\hleader_dll.dll
c:\WINNT\system32\hloader_exe.exe
The Trojan then registers itself to run at Windows startup via a registry
key modification -
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"auto__hloader__key" = C:\WINNT\System32\hloader_exe.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"auto__hloader__key" = C:\WINNT\System32\hloader_exe.exe
The Trojan waits for the system to restart or for another user to log
off and back on before attempting to perform any actions. After the Trojan
loads on restart of Windows, it loads the .DLL component into the Web
browser Internet Explorer (iexplore.exe) process space to help avoid detection
by process monitors and other debugging tools.
The .DLL component (hleader_dll.dll) serves as a database of web links
the Trojan will use to retrieve binary files.
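As an added example, not part of the original description, the following Python checks a constructed `netstat -an` listing and a constructed `reg query` export against the indicators given above: the listening ports, the `haotian` service ImagePath and the `auto__hloader__key` Run value. The sample output lines are constructed for illustration.

```python
import re

# Indicators taken from the description above.
SUSPECT_PORTS = {1150, 1151, 1152, 1153, 2000}
SUSPECT_PATHS = {
    r"c:\program files\wwwefly\haotian1.exe",
    r"c:\winnt\system32\hloader_exe.exe",
    r"c:\winnt\system32\hleader_dll.dll",
}
SUSPECT_RUN_VALUE = "auto__hloader__key"
SUSPECT_SERVICE = "haotian"

# Shape of a line from `netstat -an` on Windows; only LISTENING sockets are considered.
NETSTAT_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.IGNORECASE)
# Shape of a value line from `reg query`: "    Name    REG_TYPE    Data"
REG_VALUE_RE = re.compile(r"^\s*(\S+)\s+REG_\w+\s+(.*?)\s*$")

def scan_netstat(lines):
    """Return the suspect ports that are in LISTENING state, sorted."""
    found = set()
    for line in lines:
        m = NETSTAT_RE.match(line)
        if m and int(m.group(1)) in SUSPECT_PORTS:
            found.add(int(m.group(1)))
    return sorted(found)

def scan_reg_query(lines):
    """Return (key, name, data) triples matching the Trojan's persistence entries."""
    hits, key = [], None
    for line in lines:
        if line.startswith("HKEY_"):          # a key header precedes its values
            key = line.strip()
            continue
        m = REG_VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, data = m.group(1), m.group(2)
        is_service_image = (key.lower().endswith("\\services\\" + SUSPECT_SERVICE)
                            and name == "ImagePath")
        if name.lower() == SUSPECT_RUN_VALUE or data.lower() in SUSPECT_PATHS or is_service_image:
            hits.append((key, name, data))
    return hits

# Constructed sample output (not captured from a real host); port 1153 is ESTABLISHED, so ignored.
SAMPLE_NETSTAT = """
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2000           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1152           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1153          10.0.0.9:6667          ESTABLISHED
""".splitlines()
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    auto__hloader__key    REG_SZ    C:\WINNT\System32\hloader_exe.exe
    Example               REG_SZ    C:\Program Files\Example\example.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\haotian
    ImagePath    REG_EXPAND_SZ    C:\Program Files\WWWeFly\haotian1.exe
    Start        REG_DWORD        0x2
""".splitlines()
```

Run the two scanners over real `netstat -an` and `reg query /s` output captured from a host to get a quick triage of these indicators.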