7/9: HacDef-F a New Backdoor Trojan
July 9, 2004

Troj/HacDef-F is a backdoor Trojan that is targeted at NT/2000/XP operating systems. As well as allowing unauthorized remote access to the victim's computer, this Trojan is able to hide information about the victim's system including files, folders, processes, services and registry entries.

When started the Trojan will copy itself to the Windows directory as svchost.exe, create and load a driver (hxdefdrv.sys) and set the following registry entries so as to auto start on system boot or user logon:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run Network Service = C:\\svhost.exe

Troj/HacDef-F intercepts various system services and attempts to terminate various security or monitoring processes. The Trojan also modifies the current internet start page and internet SearchAssistant.