Windows backdoor downloads destructive routines
Finnish anti-virus software producer F-Secure has reported a Windows backdoor, Haxdoor.KI, which has recently started downloading additional malware that lets the botnet operator, on command, damage a Windows installation beyond repair. The backdoor has been distributed to potential victims within the last few days via e-mail. The e-mails were written in German and Swedish and referred to an invoice in the attachment; as is now usual, the attachment was an executable file which installs the malware.
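The lure described above (an invoice-themed mail carrying an executable attachment) is something a mail gateway or a mailbox triage script can flag before anyone double-clicks it. The following Python script is an added example, not code from F-Secure or from the article: it builds a constructed sample message with a hypothetical attachment name, then parses it with the standard library and reports attachments that have an executable extension, a double extension, or a PE "MZ" header, noting when the subject also uses an invoice lure.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows will run directly when the attachment is opened.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
# Invoice lures in English, German and Swedish (the languages named in the report).
INVOICE_WORDS = ("invoice", "rechnung", "faktura")


def build_sample_message() -> bytes:
    """Constructed sample: an invoice-themed mail with a fake executable attached.

    The payload is only an MZ header plus filler, not a real program.
    Sender, recipient and filename are hypothetical.
    """
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Ihre Rechnung"
    msg.set_content("Please see the attached invoice.")
    payload = b"MZ" + b"\x00" * 62
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename="Rechnung.pdf.exe")
    return msg.as_bytes()


def scan_message(raw: bytes) -> list:
    """Return a list of suspicious attachments with the reasons each was flagged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").lower()
    invoice_lure = any(word in subject for word in INVOICE_WORDS)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        pieces = name.lower().split(".")
        ext = "." + pieces[-1] if len(pieces) > 1 else ""
        data = part.get_payload(decode=True) or b""
        reasons = []
        if ext in EXECUTABLE_EXTENSIONS:
            reasons.append(f"executable extension {ext}")
        if len(pieces) > 2:
            # e.g. "invoice.pdf.exe": the visible ".pdf" hides the real type
            reasons.append("double extension")
        if data[:2] == b"MZ":
            # Content check: a PE file regardless of what the name claims
            reasons.append("PE/MZ header")
        if reasons and invoice_lure:
            reasons.append("invoice-themed subject")
        if reasons:
            findings.append({"filename": name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in scan_message(build_sample_message()):
        print(hit["filename"], "->", ", ".join(hit["reasons"]))
```

The content check on the first two bytes matters more than the name check: a renamed attachment still starts with "MZ", while a harmless PDF never does. In a real gateway the same three tests would run over every part of every inbound message and feed a quarantine decision rather than a print statement.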
Haxdoor.KI has a plethora of functions, such as harvesting e-mail passwords, recording login details for online payment systems, and download routines which allow further software to be installed onto the infected system. In addition, the malware hides from the system APIs and from security software using rootkit techniques. It also tries to terminate various security programs and desktop firewalls.
Using a specially constructed URL, the backdoor is at present contacting a server located in Russia under the address skynet.info. The software offered at this address has recently changed: the program samki.exe is able, on command from the backdoor's "administrator", to damage Windows beyond repair.
A genuine destruction function is unusual in modern viruses, worms and trojans. Virus writers and their paymasters are usually concerned with keeping control of a system undetected for as long as possible; this lets them use their botnet of infected computers for longer, to send lucrative spam or phishing e-mails or to blackmail companies and institutions with distributed denial-of-service attacks.
How widely the malware is distributed remains unclear. Nevertheless, Windows users who are not sure whether they may have opened an e-mail attachment purporting to be an invoice should check, and if necessary disinfect, their computer using an up-to-date virus scanner or a clean boot medium. More information on safe e-mailing can be obtained from the heisec Emailcheck.
- Haxdoor.KI, analysis by F-Secure