Jump to content

Haxdoor Virus

herme3

By herme3
in Computer Science

 Share

Recommended Posts

herme3

herme3

Posted
Posted

Some of you might remember the thread I created a while ago when my computer was infected with the Haxdoor virus. This is a very bad virus, because none of the AntiVirus programs can delete it. It was a huge pain, but I finally found a way to delete it with the help of several SFN members, especially Dak and Cap'n Refsmmat. Well, it appears that Haxdoor is spreading again! It came into one of my other computers, but I deleted it using the same steps that I used the first time.

 

It will still log your keystrokes and send them to other servers. The IP addresses for the servers appear to be:

 

212.27.63.103

 

and

 

67.15.35.7

 

Why haven't these servers been shutdown yet? I sent the IP addresses to several major online security companies, but the servers are still running! The IP addresses go to apache servers without any content, so it seems pretty obvious that there is something suspicious about them. Can anyone trace these servers to see where they are located?

 

Just curious, but would it be illegal to hack into these servers that you know are illegally collecting personal information about people? I'm not a hacker, but I was just wondering because I'm sure that some of my personal information is on these servers. If the law wouldn't protect these illegal servers, it might help a lot of people if someone went in and wiped out all of the data in them.

Link to comment
Share on other sites
Klaynos

Klaynos

Posted
Posted
Some of you might remember the thread I created a while ago when my computer was infected with the Haxdoor virus. This is a very bad virus' date=' because none of the AntiVirus programs can delete it. It was a huge pain, but I finally found a way to delete it with the help of several SFN members, especially Dak and Cap'n Refsmmat. Well, it appears that Haxdoor is spreading again! It came into one of my other computers, but I deleted it using the same steps that I used the first time.

 

It will still log your keystrokes and send them to other servers. The IP addresses for the servers appear to be:

 

212.27.63.103

 

and

 

67.15.35.7

 

Why haven't these servers been shutdown yet? I sent the IP addresses to several major online security companies, but the servers are still running! The IP addresses go to apache servers without any content, so it seems pretty obvious that there is something suspicious about them. Can anyone trace these servers to see where they are located?

 

Just curious, but would it be illegal to hack into these servers that you know are illegally collecting personal information about people? I'm not a hacker, but I was just wondering because I'm sure that some of my personal information is on these servers. If the law wouldn't protect these illegal servers, it might help a lot of people if someone went in and wiped out all of the data in them.[/quote']

 

You'd probably have to contact the ISP which leases the IP to that connection to get it closed, they may well then just connect to another ISP, or be rooted servers, and the people who run them have no idea what's happening. and the chances are that there are many differnt strains of the virus around all giving differnt servers as soon as one is removed another is setup by someone etc...

 

And yes it would be illegal.

 

Also there is nothing that unuseuale about the Apache holding page on a server, many people leave it there for years...

Link to comment
Share on other sites
herme3

herme3

Posted
  • Author
Posted
You'd probably have to contact the ISP which leases the IP to that connection to get it closed, they may well then just connect to another ISP, or be rooted servers, and the people who run them have no idea what's happening. and the chances are that there are many differnt strains of the virus around all giving differnt servers as soon as one is removed another is setup by someone etc...

 

I'm not sure who the ISP is. The IP addresses have not been removed or changed.

 

And yes it would be illegal.

 

Why would the law be interested in protecting these servers? I'm sure that they contain personal information from everyone who had their computer infected by Haxdoor. These servers appear to still be receiving information. The creators of Haxdoor could probably access this information anytime they want, so somebody should find a way to delete it.

 

Also there is nothing that unuseuale about the Apache holding page on a server, many people leave it there for years...

 

Yes, but I looked at the logs of a security program I installed on my computer. I saw the Haxdoor virus sending data from my computer to those IP addresses.

Link to comment
Share on other sites
Klaynos

Klaynos

Posted
Posted

Why would the law be interested in protecting these servers? I'm sure that they contain personal information from everyone who had their computer infected by Haxdoor. These servers appear to still be receiving information. The creators of Haxdoor could probably access this information anytime they want' date=' so somebody should find a way to delete it.

[/quote']

 

Because the law protects everyone,.

 

Just to note it was just a comment about apache, I wasn't disputing that those IP's where really data collection servers, but they much just be a node to bounce the data off of, in which case I'm sure the ISP would still be interested in.

Link to comment
Share on other sites
Dak

Dak

Posted
Posted

How do you keep geting haxdoor, herme3? :D

 

 

FYI: Theres been a fix developed since you last got it... here it is, incase you get it again (might be worth running it on the machine you just cleaned, incase any left-over bits of haxdoor are still present).

 

d/l and install haxfix.exe.

 

It'll ask you to 'Insert the haxdoor notify subkey without the numbers,

and then press enter'... basically, one visable part of the rootkit is called random32.dll (or random16.dll for the newer ones) and is set to auto-run by a winlogon/notify reg-entry... so, look in your winlogon/notify key, find the random32.dll, and type the 'random' bit in.

 

eg, in your last example, avpe32.dll was set to run via a winlogon/notify entry, so you'd have entered 'avpe'

 

Then it should fix it for you.

 

If you're feeling in a complaining mood, then, aswell as what cap'n said, you might want to check out http://www.malwarecomplaints.info/index.php It has localised instructions on how to complain about malware/who to complain to, and also acts as a recepticle for complaints, so that they can be monitored by the relevent govournmental agencies. also, if you plonk the IPs up there, somone will either report them or add up a tutorial on how to report bad IP's, so that may do something to get the servers shut down, although tbh haxdoor's set up an IRC network... i dont really know anything about IRC, but its possible (probable?) that the IP's are just other infected machines, rather than the hackers own site.

 

Finally... if this is a work computer, i'd strongly reccomend reformat/reinstall.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.