cgcsa

asked on

HackerDefender Virus/worm

Has anyone run into a worm called hackerdefender version 1.0? This drops a package hxdef100.exe and then starts hidden services and hides itself.
I have it on an exchange 2000 server. I have it isolated but cannot remove it. Various solutions are out there in white papers but I'm wondering if anyone has run into this one before.
sirbounty

Personally - no.
Have you tried these manual removal steps?

Kill these running processes with Task Manager
backdoor.hacdef.a.exe
bdcli026.exe
bdcli100.exe
hxdef026.exe
hxdef100.exe
rdrbs100.exe

Remove these files (if present) with Windows Explorer:
backdoor.hacdef.a.exe
bdcli026.exe
bdcli100.exe
hxdef026.exe
hxdef026.ini
hxdef100.2.ini
hxdef100.exe
hxdef100.ini
rdrbs100.exe
readmecz.txt
readmeen.txt
readmefr.txt

ref: http://www.pestpatrol.com/pestinfo/b/backdoor_hacdef.asp
cgcsa

ASKER

My Symantec picks up hxdef100.exe and hxdefdrv.sys.
It quarantines hxdefdrv.sys and will not quarantine hxdef100.exe, which it requests to delete.
It then is unable to delete the file.
In Windows Explorer you cannot see hxdef100.exe to delete it (even if you enable view hidden files etc).
I cannot list it in a command prompt or dir it.
Even if I issue the command del hxdef100.exe it says it cannot find it.

On reboot it triggers the hxdefdrv.sys again.

My next step is to try to start the Exchange server in safe mode and try to delete it manually.

There are various recommendations...I've been through pest patrol...and others.
This is a very very naughty worm...probably the worst to get rid of yet as it is designed to start hidden services and also to hide itself.
In all the readups I've done I see no one who has actually removed it successfully without doing a complete reformat.
I'm just wondering if there is someone out there who has dealt with it.


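Added example, not code from this thread or from the Hacker Defender package: a cross-view check for exactly the situation described above. hxdef hooks the directory-enumeration APIs inside every process it infects, so dir and Explorer on the live box cannot show the file; a listing of the same directory taken where the hooks do not run (the disk slaved into a clean machine, or the box booted from other media) is truthful, and the difference between the two views is the hidden set, with the creation times the asker wants for the drop date. Both listings below are constructed, and the parser assumes the Windows 2000 US-locale layout of dir /a /t:c.

```python
"""Cross-view check for files hidden by a user-mode rootkit.

Added example; not code from the thread or the Hacker Defender package.
hxdef hooks NtQueryDirectoryFile (and friends) inside every process it
infects, so dir and Explorer on the live box cannot show its files.  A
listing of the same directory taken where the hooks do not run (the disk
slaved into a clean machine, or the box booted from other media) is
truthful; the difference between the two views is the hidden set, with
the creation times the asker was after.  Both listings below are
constructed and assume the Windows 2000 US-locale layout of "dir /a /t:c".
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# One "dir" line: date, 12-hour time with a/p suffix, <DIR> or byte count, name.
ENTRY = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2})(?P<ap>[ap])\s+"
    r"(?:(?P<dir><DIR>)|(?P<size>[\d,]+))\s+(?P<name>.+?)\s*$"
)


@dataclass(frozen=True)
class Entry:
    name: str
    created: datetime
    size: Optional[int]  # None for directories
    is_dir: bool


def _timestamp(date, time, ap):
    """'01/05/2004', '02:13', 'a' -> datetime(2004, 1, 5, 2, 13)."""
    month, day, year = (int(x) for x in date.split("/"))
    hour, minute = (int(x) for x in time.split(":"))
    if ap == "p" and hour != 12:
        hour += 12
    elif ap == "a" and hour == 12:
        hour = 0
    return datetime(year, month, day, hour, minute)


def parse_dir_listing(text):
    """Map lower-cased name -> Entry for every file/dir line, skipping '.' and '..'."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m or m["name"] in (".", ".."):
            continue
        size = None if m["dir"] else int(m["size"].replace(",", ""))
        entries[m["name"].lower()] = Entry(
            m["name"], _timestamp(m["date"], m["time"], m["ap"]), size, bool(m["dir"])
        )
    return entries


def cross_view(live_text, offline_text):
    """Entries the truthful (offline) view has that the hooked (live) view lacks,
    oldest first: the earliest creation time is the likely drop date."""
    live = parse_dir_listing(live_text)
    offline = parse_dir_listing(offline_text)
    hidden = [e for name, e in offline.items() if name not in live]
    return sorted(hidden, key=lambda e: (e.created, e.name.lower()))


# Constructed: what "dir /a /t:c" prints on the infected (hooked) box.
LIVE_LISTING = """\
 Volume in drive C has no label.
 Volume Serial Number is 1C4F-9A22

 Directory of C:\\WINNT\\system32

01/07/2004  05:11p      <DIR>          .
01/07/2004  05:11p      <DIR>          ..
12/07/1999  07:00a              236,304 cmd.exe
12/07/1999  07:00a               90,112 services.exe
               2 File(s)        326,416 bytes
"""

# Constructed: the same directory read from the slaved disk on a clean machine.
OFFLINE_LISTING = """\
 Volume in drive E is EVIDENCE
 Volume Serial Number is 1C4F-9A22

 Directory of E:\\WINNT\\system32

01/07/2004  05:11p      <DIR>          .
01/07/2004  05:11p      <DIR>          ..
12/07/1999  07:00a              236,304 cmd.exe
12/07/1999  07:00a               90,112 services.exe
01/05/2004  02:13a               70,656 hxdef100.exe
01/05/2004  02:13a                3,730 hxdef100.ini
01/05/2004  02:13a                3,342 hxdefdrv.sys
               5 File(s)        403,874 bytes
"""

if __name__ == "__main__":
    for e in cross_view(LIVE_LISTING, OFFLINE_LISTING):
        print(f"hidden: {e.name:<16} created {e.created:%Y-%m-%d %H:%M}  {e.size} bytes")
```

The same comparison works for every list the rootkit filters, not only files: the service list from the live box against the offline SYSTEM hive, the registry keys it names, and the local port list against a port scan run from another host (hxdef hides ports from local tools, not from the network). Two caveats: the live-box view must come from a process the rootkit hooks, since a process listed under [Root Processes] sees everything and would produce an empty diff; and the creation time is the file's, so if the attacker reset timestamps the earliest date is a floor, not proof.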
Try this: http://www.perfectdrivers.com/local/msconfigxp/msconfig.exe
Run msconfig and remove anything suspicious from the startup tab.

And/or post the log from  HijackThis -->  http://www.spychecker.com/program/hijackthis.html
cgcsa

ASKER

I have run taskinfo2003 looking for services but this virus hides the services it is running.

You are about to meet your Waterloo sirbounty :)   Here below is the virus source code as produced on a Czech website.  If you read through this and the FAQs in section 7 it will definitely shake you up... this is a nightmare and I suspect it may have been laid in on a lot of machines and no one knows... especially if the virus is renamed so it can be hidden from AV scans... I'm a senior network admin. I've had three other very knowledgeable guys look at it and what we want to do is get the date the file was dropped on the system, but we cannot see the hxdef100.exe file whatsoever.

>             Hacker Defender 1.0 + SOURCE!
>             @ :: worthy ::     Jan 07 2004, 17:11 (UTC+0)
>
>             hoglund writes: HF released Hacker Defender 1.0 w/ source on new years at the stroke of midnight.
>
>             Here is the readme:
>
>             ======================[ Hacker defender - English readme ]======================
>
>             NT Rootkit
>             ----------
>
>             Authors: Holy_Father
>             Ratter/29A
>             Version: 1.0.0
>             Birthday: 01.01.2004
>             Home: http://rootkit.host.sk, http://hxdef.czweb.org
>
>             Betatesters: ch0pper
>             aT4r
>             phj34r
>             unixdied
>             rebrinak
>             GuYoMe
>             ierdna
>             Afakasf
>
>             Readme: Czech & English by holy_father
>             French by GuYoMe
>
>             =====[ 1. Contents ]============================================================
>
>             1. Contents
>             2. Introduction
>             2.1 Idea
>             2.2 Licence
>             3. Usage
>             4. Inifile
>             5. Backdoor
>             5.1 Redirector
>             6. Technical issues
>             6.1 Version
>             6.2 Hooked API
>             6.3 Known bugs
>             7. Faq
>             8. Files
>
>             =====[ 2. Introduction ]========================================================
>
>             Hacker defender (hxdef) is a rootkit for Windows NT 4.0, Windows 2000
>             and Windows XP; it may also work on the latest NT based systems.
>             Main code is written in Delphi 6. New functions are written in assembler.
>             Driver code is written in C. Backdoor and redirector clients are coded mostly
>             in Delphi 6.
>
>             program uses adapted LDE32
>             LDE32, Length-Disassembler Engine, 32-bit, (x) 1999-2000 Z0MBiE special edition for REVERT tool version 1.05
>             program uses Superfast/Supertiny Compression/Encryption library
>             Superfast/Supertiny Compression/Encryption library.
>             (c) 1998 by Jacky Qwerty/29A.
>
>             =====[ 2.1 Idea ]===============================================================
>
>             The main idea of this program is to rewrite a few memory segments in all
>             running processes. Rewriting of some basic modules causes changes in process
>             behaviour. Rewriting must not affect the stability of the system or running
>             processes. The program must be absolutely hidden from all others. Now the user is able
>             to hide files, processes, system services, system drivers, registry keys and
>             values, open ports, and cheat with free disk space. The program also masks its changes
>             in memory and hides handles of hidden processes. The program installs hidden
>             backdoors, registers as a hidden system service and installs a hidden system driver.
>             The technology of the backdoor allowed the implantation of a redirector.
>
>             =====[ 2.2 Licence ]============================================================
>
>             This project in version 1.0.0 is open source.
>             And of course authors are not responsible for what you're doing with Hacker defender.
>
>             =====[ 3. Usage ]===============================================================
>
>             Usage of hxdef is quite simple:
>
>             >hxdef100.exe [inifile]
>             or
>             >hxdef100.exe [switch]
>
>             Default name for inifile is EXENAME.ini where EXENAME is the name of
>             executable of main program without extension. This is used if you run hxdef
>             without specifying the inifile or if you run it with switch (so default inifile is hxdef100.ini).
>
>             These switches are available:
>
>             -:installonly - only install service, but not run
>             -:refresh - use to update settings from inifile
>             -:noservice - doesn't install services and run normally
>             -:uninstall - removes hxdef from the memory and kills all
>             running backdoor connections
>             stopping hxdef service does the same now
>
>             Example:
>             >hxdef100.exe -:refresh
>
>             Hxdef with its default inifile is ready to run without any change
>             in inifile. But it's highly recommended to create your own settings. See
>             4. Inifile section for more information about inifile.
>             Switches -:refresh and -:uninstall can be called only from the original
>             exefile. This means you have to know the name and path of the running hxdef
>             exefile to change settings or to uninstall it.
>
>             =====[ 4. Inifile ]=============================================================
>
>             The inifile must contain nine parts: [Hidden Table], [Root Processes],
>             [Hidden Services], [Hidden RegKeys], [Hidden RegValues], [Startup Run],
>             [Free Space], [Hidden Ports] and [Settings].
>             In [Hidden Table], [Root Processes], [Hidden Services] and [Hidden
>             RegValues] the character * can be used as a wildcard at the end of a string.
>             An asterisk can be used only at a string's end; everything after the first asterisk is
>             ignored. All spaces before the first and after the last string character are
>             ignored.
>
>             Example:
>             [Hidden Table]
>             hxdef*
>
>             this will hide all files, dirs and processes whose name starts with "hxdef".
>
>             Hidden Table is a list of files, directories and processes which should
>             be hidden. All files and directories in this list will disappear from file
>             managers. Programs in this list will be hidden in tasklist.  Make sure main
>             file, inifile, your backdoor file and driver file are mentioned in this list.
>
>             Root Processes is a list of programs which will be immune against
>             infection. You can see hidden files, directories and programs only with these
>             root programs. So, root processes are for rootkit admins. To be mentioned in
>             Root Processes doesn't mean you're hidden. It is possible to have root process
>             which is not hidden and vice versa.
>
>             Hidden Services is a list of service and driver names which will be
>             hidden in the database of installed services and drivers.  Service name for the
>             main rootkit program is HackerDefender100 as default, driver name for the main
>             rootkit driver is HackerDefenderDrv100. Both can be changed in the inifile.
>
>             Hidden RegKeys is a list of registry keys which will be hidden.  Rootkit
>             has four keys in registry: HackerDefender100,  LEGACY_HACKERDEFENDER100,
>             HackerDefenderDrv100, LEGACY_HACKERDEFENDERDRV100 as default.  If you rename
>             service name or driver name you should also change this list.
>             First two registry keys for service and driver are the same as its
>             name. Next two are LEGACY_NAME. For example if you change your service name to
>             BoomThisIsMySvc your registry entry will be LEGACY_BOOMTHISISMYSVC.
>
>             Hidden RegValues is a list of registry values which will be hidden.
>
>             Startup Run is a list of programs which the rootkit runs after its startup.
>             These programs will have the same rights as the rootkit. The program name is divided from
>             its arguments with a question mark. Do not use " characters.  Programs will
>             terminate after user logon. Use common and well known methods for starting
>             programs after user logon. You can use the following shortcuts here:
>             %cmd% - stands for system shell executable + path
>             (e.g. C:\winnt\system32\cmd.exe)
>             %cmddir% - stands for system shell executable directory
>             (e.g. C:\winnt\system32\)
>             %sysdir% - stands for system directory
>             (e.g. C:\winnt\system32\)
>             %windir% - stands for Windows directory
>             (e.g. C:\winnt\)
>             %tmpdir% - stands for temporary directory
>             (e.g. C:\winnt\temp\)
>
>             Example:
>             1)
>             [Startup Run]
>             c:\sys\nc.exe?-L -p 100 -t -e cmd.exe
>
>             netcat-shell is run after rootkit startup and listens on port 100
>
>             2)
>             [Startup Run]
>             %cmd%?/c echo Rootkit started at %TIME%>>%tmpdir%starttime.txt
>
>             this will put a time stamp to temporary_directory\starttime.txt
>             (e.g. C:\winnt\temp\starttime.txt) everytime rootkit starts
>             (%TIME% works only with Windows 2000 and higher)
>
>             Free Space is a list of harddrives and a number of bytes you want to
>             add to a free space. The list item format is X:NUM where X stands for the
>             drive letter and NUM is the number of bytes that will be added to its number of
>             free bytes.
>
>             Example:
>             [Free Space]
>             C:123456789
>
>             this will add about 123 MB more to shown free disk space of disk C
>
>             Hidden Ports is a list of open ports that you want to hide from
>             applications like OpPorts, FPort, Active Ports, Tcp View etc.  It has at most 2
>             lines. First line format is TCP:tcpport1,tcpport2,tcpport3 ..., second line
>             format is UDP:udpport1,udpport2,udpport3 ...
>
>             Example:
>             1)
>             [Hidden Ports]
>             TCP:8080,456
>
>             this will hide two ports: 8080/TCP and 456/TCP
>
>             2)
>             [Hidden Ports]
>             TCP:8001
>             UDP:12345
>
>             this will hide two ports: 8001/TCP and 12345/UDP
>
>             3)
>             [Hidden Ports]
>             TCP:
>             UDP:53,54,55,56,800
>
>             this will hide five ports: 53/UDP, 54/UDP, 55/UDP, 56/UDP and 800/UDP
>
>
>             Settings contains eight values: Password, BackdoorShell,
>             FileMappingName, ServiceName, ServiceDisplayName, ServiceDescription,
>             DriverName and DriverFileName. Password is a 16 character string used when working with the backdoor
>             or redirector. The password can be shorter; the rest is filled with spaces.
>             BackdoorShell is name for file copy of the system shell which is created by backdoor in temporary directory.
>             FileMappingName is the name of shared memory where the settings for hooked processes are stored.
>             ServiceName is the name of rootkit service.
>             ServiceDisplayName is display name for rootkit service.
>             ServiceDescription is description for rootkit service.
>             DriverName is the name for hxdef driver.
>             DriverFileName is the name for hxdef driver file.
>
>             Example:
>             [Settings]
>             Password=hxdef-rulez
>             BackdoorShell=hxdefá$.exe
>             FileMappingName=_.-=[Hacker Defender]=-._
>             ServiceName=HackerDefender100
>             ServiceDisplayName=HXD Service 100
>             ServiceDescription=powerful NT rootkit
>             DriverName=HackerDefenderDrv100
>             DriverFileName=hxdefdrv.sys
>
>             this means your backdoor password is "hxdef-rulez", the backdoor will copy the system
>             shell file (usually cmd.exe) to "hxdefá$.exe" in temp. The name of the shared memory
>             will be "_.-=[Hacker Defender]=-._". The name of the service is "HackerDefender100",
>             its display name is "HXD Service 100", its description is "powerful NT rootkit".
>             Name of a driver is "HackerDefenderDrv100". Driver will be stored in a file
>             called "hxdefdrv.sys".
>
>             Extra characters |, , :, \, / and " are ignored on all lines except
>             [Startup Run], [Free Space] and [Hidden Ports] items and values in [Settings]
>             after first = character. Using extra characters you can make your inifile
>             immune from antivirus systems.
>
>             Example:
>             [H>a/"ble]
>             >h"xdef"*
>
>             is the same as
>
>             [Hidden Table]
>             hxdef*
>
>             see hxdef100.ini and hxdef100.2.ini for more examples
>
>             All strings in inifile except those in Settings and Startup Run are case insensitive.
>
>             =====[ 5. Backdoor ]============================================================
>
>             The rootkit hooks some API functions connected with receiving packets
>             from the net. If incoming data equals the 256 bit long key, the password
>             and service are verified, a copy of a shell is created in temp, an
>             instance of it is created and the next incoming data are redirected to this shell.
>             Because the rootkit hooks all processes in the system, all TCP ports on all
>             servers will be backdoors. For example, if the target has port 80/TCP open for
>             HTTP, then this port will also be available as a backdoor.  The exception here is
>             for ports opened by the System process, which is not hooked. This backdoor will
>             work only on servers where the incoming buffer is larger than or equal to 256 bits. But
>             this feature is on almost all standard servers like Apache, IIS, Oracle.
>             The backdoor is hidden because its packets go through common servers on the system.
>             So, you are not able to find it with a classic portscanner and this backdoor can
>             easily go through a firewall. The exception to this are classic proxies which are
>             protocol oriented, e.g. for FTP or HTTP.
>             During tests on IIS services it was found that the HTTP server does not log
>             any of these connections; FTP and SMTP servers log only the disconnection at the end.
>             So, if you run hxdef on a server with the IIS web server, the HTTP port is probably
>             the best port for a backdoor connection on this machine.
>             You have to use a special client if you want to connect to the backdoor.
>             Program bdcli100.exe is used for this.
>
>             Usage: bdcli100.exe host port password
>
>             Example:
>             >bdcli100.exe www.windowsserver.com 80 hxdef-rulez
>
>             this will connect to the backdoor if you rooted www.windowsserver.com before
>             and left default hxdef password
>
>             Client for version 1.0.0 is not compatible with servers in older version.
>
>             =====[ 5.1 Redirector ]=========================================================
>
>             The redirector is based on backdoor technology. The first connection packets
>             are the same as in a backdoor connection. That means you use the same ports as for the
>             backdoor. The next packets are special packets for the redirector only.  These packets
>             are made by the redirector's base which is run on the user's computer.  The first packet
>             of a redirected connection defines the target server and port.
>             The redirector's base saves its settings into its inifile whose name
>             depends on the base exefile name (so default is rdrbs100.ini). If this file doesn't
>             exist when the base is run, it is created automatically. It is better not to modify
>             this inifile externally. All settings can be changed from the base console.
>             If we want to use the redirector on a server where the rootkit is installed,
>             we have to run the redirector's base on localhost first. Then in the base console we
>             have to create a mapped port routed to the server with hxdef.  Finally we can connect
>             to the localhost base on the chosen port and transfer data.  Redirected data are
>             coded with the rootkit password. In this version connection speed is limited to
>             about 256 kBps. The redirector is not intended to be used for high-speed connections
>             in this version. The redirector is also limited by the system where the rootkit runs.
>             The redirector works with the TCP protocol only.
>             In this version the base is controlled with 19 commands. These are not
>             case sensitive. Their function is described in the HELP command.  During the base
>             startup the commands in the startup-list are executed. Startup-list commands are edited
>             with commands which start with SU.
>             The redirector differentiates between two connection types (HTTP and other).
>             If the connection is the other type, packets are not changed. If it is the HTTP type, the Host
>             parameter in the HTTP header is changed to the target server.  The maximum redirector
>             count on one base is 1000.  The redirector base fully works only on NT boxes. Only on NT does the program have a
>             tray icon and can you hide the console with the HIDE command. Only on NT can the base be
>             run in silent mode where it has no output, no icon and it does only the commands
>             in the startup-list.
>
>             Examples:
>             1) getting mapped port info
>
>             >MPINFO
>             No mapped ports in the list.
>
>             2) add command MPINFO to startup-list and get startup-list commands:
>
>             >SUADD MPINFO
>             >sulist
>             0) MPINFO
>
>             3) using of HELP command:
>
>             >HELP
>             Type HELP COMMAND for command details.
>             Valid commands are:
>             HELP, EXIT, CLS, SAVE, LIST, OPEN, CLOSE, HIDE, MPINFO, ADD, DEL,
>             DETAIL, SULIST, SUADD, SUDEL, SILENT, EDIT, SUEDIT, TEST
>             >HELP ADD
>             Create mapped port. You have to specify domain when using HTTP type.
>             usage: ADD SERVER> [TYPE] [DOMAIN]
>             >HELP EXIT
>             Kill this application. Use DIS flag to discard unsaved data.
>             usage: EXIT [DIS]
>
>             4) add a mapped port: we want to listen on localhost on port 100, the rootkit
>             is installed on server 200.100.2.36 on port 80, the target server is www.google.com
>             on port 80, the rootkit's password is bIgpWd, the connection type is HTTP, the ip address
>             of the target server (www.google.com) - we always have to know its ip - is 216.239.53.100:
>
>             >ADD 100 200.100.2.36 80 216.239.53.100 80 bIgpWd HTTP www.google.com
>
>             command ADD can be run without parameters, in this case we are asked for every
>             parameter separately
>
>             5) now we can check mapped ports again with MPINFO:
>
>             >MPINFO
>             There are 1 mapped ports in the list. Currently 0 of them open.
>
>             6) enumeration of mapped port list:
>
>             >LIST
>             000) :100:200.100.2.36:80:216.239.53.100:80:bIgpWd:HTTP
>
>             7) detailed description of one mapped port:
>
>             >DETAIL 0
>             Listening on port: 100
>             Mapping server address: 200.100.2.36
>             Mapping server port: 80
>             Target server address: 216.239.53.100
>             Target server port: 80
>             Password: bIgpWd
>             Port type: HTTP
>             Domain name for HTTP Host: www.google.com
>             Current state: CLOSED
>
>             8) we can test whether the rootkit is installed with our password on the mapping
>             server 200.100.2.36 (but this is not needed if we are sure about it):
>
>             >TEST 0
>             Testing 0) 200.100.2.36:80:bIgpWd - OK
>
>             if test failed it returns
>
>             Testing 0) 200.100.2.36:80:bIgpWd - FAILED
>
>             9) port is still closed and before we can use it, we have to open it with OPEN
>             command, we can close port with CLOSE command when it is open, we can use flag
>             ALL when want to apply these commands on all ports in the list, current state
>             after required action is written after a while:
>
>             >OPEN 0
>             Port number 0 opened.
>             >CLOSE 0
>             Port number 0 closed.
>
>             or
>
>             >OPEN ALL
>             Port number 0 opened.
>
>             10) to save current settings and lists we can use SAVE command, this saves
>             all to inifile (saving is also done by command EXIT without DIS flag):
>
>             >SAVE
>             Saved successfully.
>
>
>             An open port is all we need for data transfer. Now you can open your
>             favourite explorer and type http://localhost:100/ as the url. If there are no problems you
>             will see the main page of www.google.com load.
>             The first packets of a connection can be delayed up to 5 seconds, but the others
>             are limited only by the speed of the server, your internet connection speed and by the
>             redirector technology, which is about 256 kBps in this version.
>
>             =====[ 6. Technical issues ]====================================================
>
>             This section contains no interesting information for common users. This
>             section should be read by all betatesters and developers.
>
>             =====[ 6.1 Version ]============================================================
>
>             TODO - unify backdoor, redirector and file manager
>             - write new better backdoor
>             - backdoor proxy support
>             - hiding in remote sessions (netbios, remote registry)
>             - hidden memory type change (advance memory hiding)
>             - hook NtNotifyChangeDirectoryFile
>
>             1.0.0 + open source
>
>             0.8.4 + French readme
>             + hook of NtCreateFile to hide file operations
>             + hxdef mailslot name is dynamic
>             + switch -:uninstall for removing and updating hxdef
>             + -:refresh can be run from original .exe file only
>             + new readme - several corrections, more information, faq
>             + shortcuts for [Startup Run]
>             + free space cheating via NtQueryVolumeInformationFile hook
>             + open ports hiding via NtDeviceIoControlFile hook
>             + much more info in [Comments] in inifile
>             + supporting Ctrl+C in backdoor session
>             + FileMappingName is an option now
>             + Root Processes running on the system level
>             + handles hiding via NtQuerySystemInformation hook class 16
>             + using system driver
>             + antiantivirus inifile
>             + more stable on Windows boot and shutdown
>             + memory hiding improved
>             - found bug in backdoor client when pasting data from clipboard
>             x found and fixed bug in service name
>             x found and fixed increasing pid bug via NtOpenProcess hook
>             x found and fixed bug in NtReadVirtualMemory hook
>             x found and fixed several small bugs
>             x found and fixed backdoor shell name bug
>
>             0.7.3 + direct hooking method
>             + hiding files via NtQueryDirectoryFile hook
>             + hiding files in ntvdm via NtVdmControl hook
>             + new process hooking via NtResumeThread hook
>             + process infection via LdrInitializeThunk hook
>             + reg keys hiding via NtEnumerateKey hook
>             + reg values hiding via NtEnumerateValueKey hook
>             + dll infection via LdrLoadDll hook
>             + more settings in inifile
>             + safemode support
>             + masking memory change in processes via NtReadVirtualMemory hook
>             x fixed debugger bug
>             x fixed w2k MSTS bug
>             x found and fixed zzZ-service bug
>
>             0.5.1 + never more hooking WSOCK
>             x fixed bug with MSTS
>
>             0.5.0 + low level redir based on backdoor technique
>             + password protection
>             + name of inifile depends on exefile name
>             + backdoor stability improved
>             - redirector's connection speed is limited to about 256 kBps,
>             imperfect implementation of redirector,
>             imperfect design of redirector
>             - found chance to detect rootkit with symbolic link objects
>             - found bug in connection with MS Terminal Services
>             - found bug in hiding files in 16-bit applications
>             x found and fixed bug in services enumeration
>             x found and fixed bug in hooking servers
>
>             0.3.7 + possibility to change settings during running
>             + wildcard in names of hidden files, process and services
>             + possibility to add programs to rootkit startup
>             x fixed bug in hiding services on Windows NT 4.0
>
>             0.3.3 + stability really improved
>             x fixed all bugs for Windows XP
>             x found and fixed bug in hiding in registry
>             x found and fixed bug in backdoor with more clients
>
>             0.3.0 + connectivity, stability and functionality of backdoor improved
>             + backdoor shell runs always on system level
>             + backdoor shell is hidden
>             + registry keys hiding
>             x found and fixed bug in root processes
>             - bug in XP after reboot
>
>             0.2.6 x fixed bug in backdoor
>
>             0.2.5 + fully interactive console
>             + backdoor identification key is now only 256 bits long
>             + improved backdoor installation
>             - bug in backdoor
>
>             0.2.1 + always run as service
>
>             0.2.0 + system service installation
>             + hiding in database of installed services
>             + hidden backdoor
>             + no more working with windows
>
>             0.1.1 + hidden in tasklist
>             + usage - possibility to specify name of inifile
>             x found and then fixed bug in communication
>             x fixed bug in using advapi
>             - found bug with debuggers
>
>             0.1.0 + infection of system services
>             + smaller, tidier, faster code, more stable program
>             x fixed bug in communication
>
>             0.0.8 + hiding files
>             + infection of new processes
>             - can't infect system services
>             - bug in communication
>
>
>             =====[ 6.2 Hooked API ]=========================================================
>
>             List of API functions which are hooked:
>
>             Kernel32.ReadFile
>             Ntdll.NtQuerySystemInformation (class 5 and 16)
>             Ntdll.NtQueryDirectoryFile
>             Ntdll.NtVdmControl
>             Ntdll.NtResumeThread
>             Ntdll.NtEnumerateKey
>             Ntdll.NtEnumerateValueKey
>             Ntdll.NtReadVirtualMemory
>             Ntdll.NtQueryVolumeInformationFile
>             Ntdll.NtDeviceIoControlFile
>             Ntdll.NtLdrLoadDll
>             Ntdll.NtOpenProcess
>             Ntdll.NtCreateFile
>             Ntdll.NtLdrInitializeThunk
>             WS2_32.recv
>             WS2_32.WSARecv
>             Advapi32.EnumServiceGroupW
>             Advapi32.EnumServicesStatusExW
>             Advapi32.EnumServicesStatusExA
>             Advapi32.EnumServicesStatusA
>
>
>             =====[ 6.3 Known bugs ]=========================================================
>
>             There is one known bug in this version.
>
>             1)
>             The backdoor client may crash when you paste more data from the clipboard using
>             right click into the console or using the console menu. You can still paste the data
>             from the clipboard using Ctrl+Ins, Shift+Ins if the program running in the console
>             supports this.
>
>             If you think you have found a bug please report it to the public board
>             (or to the betatesters board if you are a betatester) or on .
>             But be sure you've read this readme, faq section, todo list and the board and
>             found nothing about what you want to write about before you write it.
>
>             =====[ 7. Faq ]=================================================================
>
>             Because of many simple questions on the board I decided to create a faq
>             section in this readme. Before you ask about anything read this readme twice
>             and take special care with this section. Then read the old messages on the board
>             and after that, if you still think you are not able to find an answer for your
>             question, you can put it on the board.
>
>             The questions are:
>
>             1) I've downloaded hxdef, run it and can't get rid of it. How can I uninstall
>             it if I can't see its process, service and files?
>             2) Somebody hacked my box, ran hxdef and I can't get rid of it. How can I
>             uninstall it and all the backdoors that were installed on my machine?
>             3) Is this program detected by antivirus software? And if yes, is there any way
>             to beat it?
>             4) How is that I can't connect to backdoor on ports 135/TCP, 137/TCP, 138/TCP,
>             139/TCP or 445/TCP when target box has them open?
>             5) Is there any way to have hidden process which file on disk is visible?
>             6) How about hiding svchost.exe and others I can see in tasklist?
>             7) I'm using DameWare and I can see all your services and all that should be hidden. Is this the bug?
>             8) But anyone can see my hidden files via netbios. What should I do?
>             9) Backdoor client is not working. Everything seems ok, but after connecting
>              I can't type anything and the whole console screen is black. What should I do?
>             10) When will we get the new version?
>             11) net.exe command can stop hidden services, is this the bug?
>             12) Is there any way to detect this rootkit?
>             13) So, how difficult is it to detect hxdef? And did somebody make a proggie that can do it?
>             14) So, how can I detect it?
>             15) Does the version number which starts with 0 mean that it is not stable version?
>             16) When will you publish the source? I've read it will be with the version 1.0.0, but when?
>             17) I want to be the betatester, what should I do?
>             18) Is it legal to use hxdef?
>             19) Is it possible to update machine with old hxdef with this version? Is it
>              possible without rebooting the machine?
>             20) Is it possible to update machine with this version of hxdef with a newer
>              version I get in future? Is it possible without rebooting?
>             21) Is it better to use -:uninstall or to use net stop ServiceName?
>             22) I really love this proggie. Can I support your work with a little donation?
>             23) Is there any chance to hide C:\temp and not to hide C:\winnt\temp?
>             24) I can see the password in inifile is plaintext! How is this possible?
>             25) If I have a process that is in Hidden Table and it listens on a port, will
>              this port be automatically hidden or should I put it to Hidden Ports?
>
>             Now get the answers:
>
>             1)
>             Q: I've downloaded hxdef, run it and can't get rid of it. How can I uninstall
>             it if I can't see its process, service and files?
>
>             A: If you left default settings you can run shell and stop the service:
>
>             >net stop HackerDefender100
>
>             Hxdef is implemented to uninstall completely if you stop its service. This does
>             the same as -:uninstall but you don't need to know where hxdef is.
>
>             If you changed ServiceName in inifile Settings, type this in your shell:
>
>             >net stop ServiceName
>
>             where ServiceName stands for the value you set to ServiceName in inifile.
>
>             If you forgot the name of the service you can boot your system from CD
>             and try to find hxdef inifile and look there for ServiceName value and then
>             stop it as above.
>
>             2)
>             Q: Somebody hacked my box, ran hxdef and I can't get rid of it. How can I
>             uninstall it and all the backdoors that were installed on my machine?
>
>             A: Only 100% solution is to reinstall your Windows. But if you want to do this
>             you'll have to find the inifile like in question 1) above.  Then after
>             uninstalling hxdef from your system go through inifile and try to find all
>             files that match files in Hidden Table. Then you should verify those files
>             and delete them.
>
>             3)
>             Q: Is this program detected by antivirus software? And if yes, is there any way
>             to beat it?
>
>             A: Yes, and not only the exefile is detected, few antivirus systems also
>             detect inifile and also driver file may be detected. The answer for second
>             question here is yes, you can beat it quite easily. On hxdef home site you can
>             find a tool called Morphine. If you use Morphine on hxdef exefile you will get
>             a new exefile which can't be detected with common antivirus systems. Inifile
>             is also designed to beat antivirus systems. You can add extra characters to it
>             to confuse antivirus systems. See 4. Inifile section for more info. Also see
>             included inifiles. There are two samples that are equal, but the first one is
>             using extra characters so it can't be detected by common antivirus systems.
>             Probably the best way is to use UPX before you use Morphine. UPX will reduce
>             the size of hxdef exefile and Morphine will make the antiantivirus shield.
>             See Morphine readme for more info about it.
>
>             4)
>             Q: How is that I can't connect to backdoor on ports 135/TCP, 137/TCP, 138/TCP,
>             139/TCP or 445/TCP when target box has them open?
>
>             A: As mentioned in 5. Backdoor section of this readme backdoor need server
>             with incoming buffer larger or equal to 256 bits. And also system ports may
>             not work. If you have a problem with find open port that works you can simply
>             run netcat and listen on your own port. You should add this netcat port to
>             Hidden Ports in inifile then.
>
>             5)
>             Q: Is there any way to have hidden process which file on disk is visible?
>
>             A: No. And you also can't have a hidden file on disk of process which is visible in the task list.
>
>             6)
>             Q: How about hiding svchost.exe and others I can see in tasklist?
>
>             A: This is really bad idea. If you hide common system processes your Windows
>             can crash very soon. With hxdef you don't need to name your malicious files
>             like svchost.exe, lsass.exe etc. you can name it with any name and add this
>             name to Hidden Table to hide them.
>
>             7)
>             Q: I'm using DameWare and I can see all your services and all that should be hidden. Is this the bug?
>
>             A: Nope. DameWare and others who use remote sessions (and or netbios) can see
>             hidden services because this feature is not implemented yet.  It's a big
>             difference between the bug and not implemented. See todo list on the web for
>             things that are not implemented yet.
>
>             8)
>             Q: But anyone can see my hidden files via netbios. What should I do?
>
>             A: Put your files deeply into the system directories or to directories that are
>             not shared.
>
>             9)
>             Q: Backdoor client is not working. Everything seems ok, but after connecting
>             I can't type anything and the whole console screen is black.  What should I do?
>
>             A: You probably use bad port for connecting. Hxdef tries to detect bad ports
>             and disconnect you, but sometimes it is not able to detect you are using bad
>             port. So, try to use different port.
>
>             10)
>             Q: When will we get the new version?
>
>             A: Developers code this stuff in their free time. They take no money for this
>             and they don't want to get the money for this. There are only two coders right
>             now and we think this is enough for this project. This means coding is not as
>             fast as microsoft and you should wait and don't ask when the new version will
>             be released. Unlike microsoft our product is free and we have good betatesters
>             and we test this proggie a lot, so our public versions are stable.
>
>             11)
>             Q: net.exe command can stop hidden services, is this the bug?
>
>             A: Nope. It is not a bug, it is the feature. You still have to know the name
>             of the service you want to stop and if it is hidden the only one who can know it
>             is the rootkit admin. Don't be scared that this is the way to detect you.
>
>             12)
>             Q: Is there any way to detect this rootkit?
>
>             A: Yes. There are so many ways how to detect any rootkit and this one is not
>             (and can't be) an exception. Every rootkit can be detected. The only questions here
>             are how difficult it is and did somebody make a proggie that can do it?
>
>             13)
>             Q: So, how difficult is it to detect hxdef? And did somebody make a proggie
>             that can do it?
>
>             A: It is very very easy to detect this, but I don't know a special tool that can
>             tell you that there is hxdef on your machine right now.
>
>             14)
>             Q: So, how can I detect it?
>
>             A: I won't tell you this :)
>
>             15)
>             Q: Does the version number which starts with 0 mean that it is not stable version?
>
>             A: No, it means that there are few things that are not implemented yet and that
>             the source is closed and under development.
>
>             16)
>             Q: When will you publish the source? I've read it will be with the version 1.0.0, but when?
>
>             A: I really don't know when. There are several things I want to implement
>             before releasing 1.0.0. It can take a six months as well as a year or longer.
>
>             17)
>             Q: I want to be the betatester, what should I do?
>
>             A: You should write me the mail about how can you contribute and what are your
>             abilities for this job and your experiences with betatesting.  But the chance to
>             be a new betatester for this project is quite low. Right now we have enough
>             testers who do a good job. No need to increase the number of them.
>
>             18)
>             Q: Is it legal to use hxdef?
>
>             A: Sure it is, but hxdef can be easily misused for illegal activities.
>
>             19)
>             Q: Is it possible to update machine with old hxdef with this version? Is it
>             possible without rebooting the machine?
>
>             A: It isn't possible without rebooting the machine, but you can update it when
>             you do a manual uninstall of that old version, reboot the machine and install
>             the new version.
>
>             20)
>             Q: Is it possible to update machine with this version of hxdef with a newer
>             version I get in future? Is it possible without rebooting?
>
>             A: Yes! You can use -:uninstall to totally remove this version of hxdef without
>             rebooting. Then simply install the new version.
>
>             21)
>             Q: Is it better to use -:uninstall or to use net stop ServiceName?
>
>             A: The preferred way is to use -:uninstall if you have the chance. But net stop
>             will also do the job.
>
>             22)
>             Q: I really love this proggie. Can I support your work with a little donation?
>
>             A: We don't need it, but we will be glad if you give your money to any of those
>             beneficent organisations in your country and write us the mail about it.
>
>             23)
>             Q: Is there any chance to hide C:\temp and not to hide C:\winnt\temp?
>
>             A: No. Create your own directory with a specific name and put it to the Hidden Table.
>
>             24)
>             Q: I can see the password in inifile is plaintext! How is this possible?
>
>             A: You might think this is quite an insecure way to store a password but if you hide
>             your inifile nobody can read it. So, it is secure. And it is easy to change
>             anytime and you can use -:refresh to change the password easily.
>
>             25)
>             Q: If I have a process that is in Hidden Table and it listens on a port, will
>             this port be automatically hidden or should I put it to Hidden Ports?
>
>             A: Only hidden ports are those in Hidden Ports list. So, yes,  you should put it in to Hidden Ports.
>
>             =====[ 8. Files ]===============================================================
>
>             An original archive of Hacker defender v1.0.0 contains these files:
>
>             hxdef100.exe 70 144 b - program Hacker defender v1.0.0
>             hxdef100.ini 3 872 b - inifile with default settings
>             hxdef100.2.ini 3 695 b - inifile with default settings, variant 2
>             bdcli100.exe 26 624 b - backdoor client
>             rdrbs100.exe 49 152 b - redirectors base
>             readmecz.txt 34 654 b - Czech version of readme file
>             readmeen.txt 35 956 b - this readme file
>             readmefr.txt 38 029 b - French version of readme file
>             src.zip 93 174 b - source
>
>             ===================================[ End ]======================================
>
> --------------------------------------------------------------------------------
Hi,
Suggest you follow sirbounty's comments, but make sure you are not attached to a network and you boot in safe mode before running a virus check or spyware check.

Cheers
Ian
Okay, I did some reading and cleaning up of your post at the same time.
Seems like you've found the proverbial pandora's box here, eh?

Can I get a copy of your Hijack log?
Also - in the MSConfig file that I posted - if you run this, the services tab should have an option to "hide" non-MS services.
Click this and reboot and tell me if it's located...

Sounds like we're in for a long one here... :)
cgcsa (ASKER):
Yes this looks like something special. If you go to the website hxdef.czweb.org and read about this - this is no joke and a real threat to all systems as the mother of all worms if indeed it can hide itself so well...

This exchange server is running mail for a large company. We believe we have stopped whatever was going on but we are not sure. The package hxdef100.exe still appears in a virus scan and when the machine is rebooted it creates the hxdefdrv.sys file which we then quarantine.

Our intention is this. On the weekend we are going to take the machine down and we are then going to try to remove the file under a safe boot. We will at that time run your suggested programs msconfig just to see if it picks up anything we don't see with taskinfo2003. I will also run hijack at that time as well and get back to you here and post the log.

Symantec simply say remove the hxdef100.exe on a safe boot and it should be clear of the worm. I'm not entirely sure after reading up on this.

I've run msconfig and hijack on the testbed server which is an isolated duplicate machine. It is of course not infected and we will have a baseline to check services against if we detect other services running on the production server that we don't see on the testbed.

Stand by for more and thank you. I had just hoped there might be a subscriber out there who had specifically dealt with this and its removal. So we are all learning on this one.
 
Hi!

Have run into this "nice" piece of garbage - NO FUN!
The people at Spywareinfo.com are currently working on this - I don't know how much progress they've made,
in finding a way to deal with this.
cgcsa, thanks for the info!

Good luck!
cgcsa - one thing comes to mind off-hand...if the thing is recreating this sys file each time you boot - is it in the same folder?
If so - there may be a way to prevent its creation.  I'll give you an example:

Let's say that hxdefdrv.sys is created in C:\Winnt\system32 each time you reboot.  You said you're then able to quarantine it.  After that's done (or maybe work this through safe mode) - create a "folder" with the exact same name under there:  C:\winnt\system32\hxdefdrv.sys - now the file won't be able to be recreated and you may be able to inch forward with it...
Good luck!
One method that can work is to use Tripwire for Servers.
For eval...
http://www.tripwire.com/downloads/index.cfm
For details...
http://www.tripwire.com/products/servers/index.cfm

It can and will detect changes made to the system...whether stealth or not...
It does Change Detection and Management, Damage Assessment and Recovery and etc.
(I'm not a Tripwire salesman, but I find this product good and recommended for IT security)...

;-)

 
Use Avast antivirus; it's free and customizable.
cgcsa -anything new here?
cgcsa (ASKER):
To bring you up to date:

This is a production mail server for a mid-sized organization. Taking it down is difficult...What we did the weekend before last was to shut it down and install a new copy of Norton 8.1 and AVF package 4.0 for Exchange. As you know there are certain restrictions on scanning mail stores etc.... Anyway we come up with zilch on the scan of \winnt this way. If we scan from another computer we pick up the hxdef100.exe and hxdefdrv.sys  - we quarantine the drv.sys and the def100 stays there.
We do not believe anyone is accessing from outside. We have set up monitoring on the packets through the router.  We found a file r-server.exe installed on May 8th about 2 hours before the system was brought down initially. We believe it was inserted INSIDE the network and that has been disabled. We are waiting/watching here to see if anything new develops. We may not try to remove hxdef100.exe; it may be too difficult to remove... from everyone we have spoken with, no one can give us a clear answer exactly what to do. There is supposed to be a .ini file dropped with it... we have gone through all ini and see nothing.

The server continues to go down from time to time  - 3 times this week. What happens in the sequence is IIS services stop and then the pop server and the smtp server and imap all shut down. The server continues to run just fine with SQL application and file serving functions. We have correlated the IIS shutdowns with Outlook Web Access sessions...where the connecting client is infected.  The only OWA we have is via port 443 SSL. Now Microsoft aren't sure if one of their patches is the culprit.  All our patches are up to date so theoretically Sasser shouldn't affect us.

This is the toughest situation I've faced in 20 years where I cannot pin it down ... is the fact we found hacker defender totally coincidental to what else has gone on. We found the r-server.exe file had been installed...that's clearly hacking ... is the OWA issue totally independent...
Anyway we are reviewing it all and if I get to the root of it I'll post here....

I will try and run hijack this on it tomorrow...I have not run that yet on the production server...

Thanks.
Hi!
The people over at {Spywareinfo dot com} are making some progress in coming up with a fix for this.
However, they are at the point where they are telling people that it's not a good idea to use the
tentative fixes that have been created so far.
There also appear to be variants of this.
Also, there is some speculation as to some kind of connection with this and {Kool Web Search}.
Awaiting further developments.

Cheers and good luck!
One other note: there is definitely an .ini file - but it's invisible!
Nice!?!
If it's invisible, I can only think of 3 ways for that to happen...
1) the hidden attribute - easy enough to overcome
2) It's been added as a super-hidden file - easy registry hack to show those
3) It's been added as a hidden system file - not as easy, but still overcomable if you can locate the referencing INI file (not THE INI file, the one that makes it hidden)....
This could be very important - if you have a registry hack that's going to expose some of these files - there's
a number of people that would really like to have an idea of how to do it!!
Maybe, you would be kind enough to post it here - it might help!
Good luck!
cgcsa (ASKER):
OK Guys here is the Hijackthis Log for your comments:

Logfile of HijackThis v1.97.7
Scan saved at 6:56:21 PM, on 6/2/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Dell\OpenManage\OMSA\bin\dcevt32.exe
C:\Program Files\Dell\OpenManage\OMSA\bin\dcstor32.exe
C:\PROGRA~1\SAV\DefWatch.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\cba\pds.exe
C:\WINNT\System32\ismserv.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Dell\OpenManage\Array Manager\mr2kserv.exe
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlservr.exe
C:\Program Files\OLAP Services\Bin\msmdsrv.exe
C:\PROGRA~1\SAV\Rtvscan.exe
C:\WINNT\system32\ntfrs.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\locator.exe
C:\Program Files\Symantec\SAVFMSE\SMSESrv.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Dell\OpenManage\iws\bin\win32\omaws32.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Array Manager\VxSvc.exe
C:\Program Files\Symantec\SAVFMSE\SMSECtrl.EXE
C:\Program Files\Symantec\SAVFMSE\SMSESp.exe
C:\Program Files\Symantec\SAVFMSE\SMSESp.exe
C:\Program Files\Symantec\SAVFMSE\SMSESp.exe
C:\Program Files\Symantec\SAVFMSE\SMSEUI.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\Program Files\Symantec\SAVFMSE\SMSELog.EXE
C:\WINNT\system32\svchost.exe
D:\SUS\wusync\WUSyncSvc.exe
C:\Program Files\Symantec\SAVFMSE\SMSESJM.EXE
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Program Files\Symantec\SAVFMSE\SMSETask.exe
C:\WINNT\System32\modemshr.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\Program Files\Microsoft Shared Fax\Bin\FXSSVC.exe
C:\PROGRA~1\MICROS~4\MSSQL\binn\sqlagent.exe
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\Microsoft ISA Server\mspadmin.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\Program Files\Exchsrvr\bin\emsmta.exe
C:\PROGRA~1\Dell\OPENMA~1\oldiags\vendor\pcdoctor\bin\diagorb.exe
C:\WINNT\system32\logon.scr
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Downloads\Diagnostic_tools\HijackThis.exe

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AuCaption] DSA OMSA Reminder
O4 - HKLM\..\Run: [MSConfig] C:\Downloads\Diagnostic_tools\msconfig.exe /auto
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SAV\vptray.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37917.5993634259
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = xxxxxxxx.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{268C3C0B-1AFB-4961-8D77-FF25BA6FC215}: NameServer = 204.101.251.1,209.226.175.236
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = xxxxxxxxxxxxx.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{268C3C0B-1AFB-4961-8D77-FF25BA6FC215}: NameServer = 204.101.251.1,209.226.175.236
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = xxxxxxxxxxxxxx.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{268C3C0B-1AFB-4961-8D77-FF25BA6FC215}: NameServer = 204.101.251.1,209.226.175.236


Please note I have replaced the domain name with xxxxxxxxx above...
Hi!

(Good to see somebody cover their Domain Name before they post!)
I'm probably just "swatting at flies", but could you take a look at the properties for the following:
C:\WINNT\System32\wins.exe
Good luck!
Well, if you're going to pick on wins.exe
why not pick on dns.exe and snmp.exe...

C:\WINNT\System32\dns.exe
C:\WINNT\System32\snmp.exe

They do look a little ... um - normal, but not normal?

Also - use this to show superhiddens...
http://www.winguides.com/registry/display.php/627/
Hi!
Thanks SB!
I don't know - I realize you're certainly a better judge of whether they're normal or not.
Like I said  - just "swatting at flies" - have seen wins.exe in some strange places.
Thanks for the info about WinGuides - as far as "superhidden" files I prefer things like -
reglite in conjunction with, killbox and maybe, findall - depends on the situation.
However, thanks for the information!
(Do you really think there's a potential problem with dns.exe and snmp.exe in this instance?)
Thanks and good luck!
I don't think there's a problem with them - no - but they're certainly worth looking into.
I haven't checked my E2k server yet (heading into the office now), but I didn't recall those running like that - so they look just a tad suspicious ('suspicious' being a bit too harsh though...)
Worth a look-see, I suppose...
:D
cgcsa (ASKER):
wins.exe is the windows naming service which I have running
dns is of course dns
and snmp is simple network management protocol...

Anything else in here?

Well, in my humble opinion - There really is nothing in your HijackThis log, that jumps right out, as being bad.
Maybe when SB gets another look at it - something will stand out.
Have to see if there's anything new going on with this {Hacker/Defender} garbage - of all the creative
programming someone could do, why do they come up with destructive things like that?!?
Nope - I'll agree, it appears fairly clean.
I know wins/dns/snmp are all services - just never seen them displayed in a HJT log, but then again, I've never run it against an E2k server...
Just wanted to check the properties to verify they are Microsoft's...

Have you also checked both your hosts/lmhosts files? (Start->Run->%systemroot%\system32\drivers\etc)
Curious if there is anything there, aside from what you may have entered...

Almost wish I'd get hit with this one - sounds very interesting... (Er, on my work systems - not my home ;) LOL.
Well, it looks like there are two preliminary fixes for this thing!
As you'll see, they're quite similar.
I can see where a combination of the two might work.
Apparently they have both worked - however, I don't know if they would in this case.
Remember - use at your own risk, backup, not for the "faint of heart", etc., etc., etc.! :)
------------------------------------------------------------------------------------------------------------------------
First Removal Method:

Basically, Hackdef is a kind of magic cloaking device for the browser hijack / malware.
Hackdef is capable of hiding files, folders, processes, open ports and registry entries.
This makes it tricky for any virus detection to find it.

In Win 2000 you must go into the recovery console.
Use the listsvc command to see a list of services running.
The disable command can then be used to disable the HackDef services.
Typical services are: HackerDefender100 and HackerDefenderDRV100
Once these are disabled, you can boot into windows without HackDef running.
Then search the registry for the service names found and locate HackDef's
ini file.
Once you have located the ini file, this will show the garbage HackDef is hiding.

->-> The following appears to be a fix used on Win XP - however, people are of the opinion that it can be "modified"
     to use on Win 2000 <-<-

BOOT USING A CDROM drive and Windows setup disk.

Choose "Repair Installation" to skip setup.
Enter the partition you want to repair and administrator password.
You're in C:\Windows

Type the following commands...
 attrib -r hxdefdrv.sys
 del hxdefdrv.sys
 attrib -r svhost.exe
 del svhost.exe
 attrib -r winunins.exe
 del winunins.exe
 attrib -r winunins.ini
 del winunins.ini
 cd system32
 del inatjoy.dll

->-> At this point, I assume you reboot the computer into "Normal" mode (was not clear).<-<-
Next:
 Load up regedit (if it closes then make a copy of regedit.exe and rename it to something else then load that file up)
 Search for hacker or HackerDefender
 Delete all registry entries for HackerDefender
 Search for outhost
 Delete all registry entries for outhost (this is the url/search hijacker)
 Reboot

At this point you should be able to run HijackThis, Spybot S & D, Ad-Aware, etc.
(if there's a problem running HijackThis, try renaming it to a random name and then run it)
Some suggest doing an online scan at McAfee - probably a good idea.
-----------------------------------------------------------------------------------------------------------------------

Alternate Removal Method: (thank you {WinHelp2002})

Click Start, click Run, then type cmd
Then click OK
From the "command prompt" type
NET STOP HACKERDEFENDER100 (then press Enter)    Note: (that's) NET<space>STOP<space>HACKERDEFENDER100
If successful you should see: (wait 30 seconds or so)
"The service is not responding to the control function"

See if "winunins.ini" exists and open in Notepad
Paste the contents of "winunins.ini".
Place the file on your Desktop.

->-> What follows next, is the contents of a winunins.ini file <-<-
----------------------------------------------
[Hidden Table]
inatjoy.dll
motkrtin.dll
witadr.dll
winunins.exe
winunins.ini
svhost.exe
CWShredder*
HijackThis*
ProceXP*
Spybot*
msconfig*

[Root Processes]
svhost.exe
trj4j6js.exe
winunins.exe

[Hidden Services]
HackerDefender*
[Hidden RegKeys]
HackerDefender100
LEGACY_HACKERDEFENDER100
HackerDefenderDrv100
LEGACY_HACKERDEFENDERDRV100

[Hidden RegValues]

[Startup Run]
C:\WINDOWS\svhost.exe -sr -0

[Free Space]

[Hidden Ports]

[Settings]
Password=qweqwe
BackdoorShell=ddd.exe
FileMappingName=_.-=[PokuS]=-._
ServiceName=HackerDefender100
ServiceDisplayName=Windows System Uninstaller
ServiceDescription=Microsoft System Service
DriverName=HackerDefenderDrv100
DriverFileName=hxdefdrv.sys

[Comments]
-----------------------------------------------------------
Next:
Reboot your computer into "Safe" mode.
Enable "Show all files and folders", including "hidden" and "system"
Locate and delete the following:

hxdefdrv.sys
inatjoy.dll
motkrtin.dll
witadr.dll
winunins.exe
winunins.ini
svhost.exe (not "svchost.exe")
trj4j6js.exe
ddd.exe

Run Regedit and search for all instances of "HackerDefenderDrv100" (No Quotes!)
->-> probably, also, HackerDefender100 - from above?! <-<-
Highlight and delete all references found.
Search the entire registry until you receive the message - "Completed Search".
Then, do the same steps for all of the files listed above.

Note: If you cannot delete the registry keys (Access Denied)
then Right-click key and click Permissions.. Set Full Control to Allow everyone rights


While still in Safe Mode: Run a full system scan with McAfee (or your Anti-virus utility)
Restart normally and post a fresh HijackThis log.

Note: if for some reason "hxdefdrv.sys" seems to be running again in Safe Mode,
repeat the "net stop" command again and then delete the files.

At this point, a HijackThis scan may not show all the files listed above.

Have HijackThis fix all the "offending" entries.

Reboot your computer.
And, if running Win XP, Clear "System Restore",
Update and run McAfee Anti-virus and/or do an online scan.

Restart your computer and create a new "Restore Point"

Next go to Windows Update and install all the "Critical Updates".

Probably, at this point, run HijackThis again.

->-> Also, probably a good idea to clean out all the temp folders, empty the recycle bin
     at various points in this repair process <-<-
 
Other methods are in the works to deal with this, once again, awaiting developments.
Hope this helps!
Let us know!
Good luck!
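A small helper, added here and not part of the thread, that turns an hxdef-style .ini like the fragment quoted above into the checklist the steps above work through (service to stop, driver file and registry keys to delete, startup entry to remove) and tests a name against the rootkit's hide patterns. The embedded sample is constructed from that fragment; the [Hidden Services] header it starts under is an assumption, and the function names are mine.

```python
import fnmatch
import re

# Constructed sample modelled on the .ini fragment quoted in the thread;
# the [Hidden Services] header is an assumption about where that fragment begins.
SAMPLE_INI = r"""[Hidden Services]
HackerDefender*
[Hidden RegKeys]
HackerDefender100
LEGACY_HACKERDEFENDER100
HackerDefenderDrv100
LEGACY_HACKERDEFENDERDRV100
[Startup Run]
C:\WINDOWS\svhost.exe -sr -0
[Settings]
FileMappingName=_.-=[PokuS]=-._
ServiceName=HackerDefender100
ServiceDisplayName=Windows System Uninstaller
DriverFileName=hxdefdrv.sys
"""

def parse_hxdef_ini(text):
    """Bare-name sections become lists; [Settings] becomes a dict of key=value."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            sections[current] = {} if current == "Settings" else []
        elif current == "Settings" and "=" in line:
            key, _, value = line.partition("=")  # split on the first '=' only
            sections[current][key.strip()] = value.strip()
        elif isinstance(sections.get(current), list):
            sections[current].append(line)
    return sections

def hidden_by(patterns, name):
    # Windows names are case-insensitive, so compare both sides lower-cased.
    return any(fnmatch.fnmatch(name.lower(), p.lower()) for p in patterns)

def removal_checklist(sections):
    """Map the config onto the post's steps: net stop, delete driver, delete keys."""
    s = sections.get("Settings", {})
    return {"stop_service": s.get("ServiceName"),
            "delete_driver": s.get("DriverFileName"),
            "delete_regkeys": sections.get("Hidden RegKeys", []),
            "startup_entries": sections.get("Startup Run", [])}
```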
cgcsa

ASKER

Thank you for the above Rossfingall.
The removal method suggested by Symantec is to start the server in console mode and go from there. The real issue is that you don't know the name of the .ini file...it can be anything (see the description of the virus in toto above). Anyway, since this is a serious server and has significant mail going through it, we are assessing whether to just bring in another server, duplicate the user base and transfer over the mail store, and then proceed with cleaning up the problem afterwards.  I just don't have the stomach for fooling around on this one.

The really strange thing - and Symantec cannot answer it - is that Corporate Edition 8.1 with the latest definitions does not pick up the two files hxdef100.exe and hxdefdrv.sys in the c:\winnt\system32 folder. HOWEVER, if I scan the folder from another computer on the network using a standard workstation version of NAV2004, it picks up both files and allows me to quarantine the hxdefdrv.sys but not the hxdef100.exe.  This is weird...

I will keep you all posted.
Thanks
Hi!
Just some new info from Spyware Weekly Newsletter concerning HackDef:
"Last month, I warned about a nasty new parasite that had been discovered. This parasite hides itself from Windows, is nearly impossible to detect and nearly impossible to remove.

It turns out our new parasite is protected by an open source NT rootkit called Hacker Defender. Hacker Defender installs a device driver which hooks the Windows API. It allows it to hide a directory with a particular name while allowing files to exist there, hide open ports from a port scanner while allowing connections to and from that port, hide processes in memory from process managers along with other cute tricks. Anything protected by Hacker Defender is a real pain to find and remove.

There is a possible method for removing this thing easily. This information is from a member of our message board who prefers to remain nameless. No guarantees that this will work.

In order to detect whether you are infected by HackDefender, please download this utility: http://bagpuss.swan.ac.uk/comms/RKDetectorv0%5B1%5D.62.zip 

If you are infected you can try the following: If your system drive (usually C:) is formatted with the FAT32 file system, simply create a bootable floppy, boot from it, and delete the directory from the command prompt.

If your system drive is formatted with the NTFS file system, download Bart's PE Builder from http://www.nu2.nu/pebuilder/ in order to create a pre-installed environment CD image. Burn that image and boot using the CD, then use the utilities inside the PE in order to delete this folder.

You can read more on HackDefender here: http://bagpuss.swan.ac.uk/comms/hxdef.htm 

It's also worth mentioning that if the computer in question boots more than one operating system and your other OS has access to that hard drive, then you can simply boot to the other OS and delete the directory and files with no interference."
{Thanks : Mike Healan!}

Good luck!


Hello cgcsa.  From what I have read on this post, so far it looks like no one has brought up PatchFinder.  I didn't look too far into it (since I don't really have any experience with dealing with this rootkit) but, I recommend checking it out.  

"Patchfinder is a sophisticated diagnostic utility designed to detect system library and kernel compromises. Its primary use is to check if the given machine has been attacked with some modern rootkits.

With this tool you should be able to detect even the newest versions of such rootkits like: Hacker Defender, APX, Vanquish, He4Hook, and many more...

The new release (2.x) of Patchfinder is the first version which is intended to be not only proof-of-concept code for developers, but also a useful tool for administrators. To make proper use of PF, every user should read the attached PDF paper."  --quoted by Joanna Rutkowska

You can find and learn more about PatchFinder here:  http://www.rootkit.com/newsread.php?newsid=67

To me, it looks like a tool that could be beneficial towards your situation.  The PDF paper also has some informative things to say as well.  Hope this helps and best of luck.
ASKER CERTIFIED SOLUTION
DarthMod
F-Secure is offering a free download of the beta version of BlackLight, their new software for detecting and removing rootkits, including Hacker Defender.

http://www.europe.f-secure.com/exclude/blacklight/index.shtml
Just wanted to add, Sysinternals has a RootkitRevealer that will scan for this: http://www.sysinternals.com/Utilities/RootkitRevealer.html