Discovered: March 12, 2003
Updated: February 13, 2007 11:44:19 AM
Also Known As: HackerDefender [McAfee]
Type: Trojan Horse
Systems Affected: Windows
Backdoor.HackDefender is a backdoor Trojan component that hides processes, services, and files.
Antivirus Protection Dates
- Initial Rapid Release version March 12, 2003
- Latest Rapid Release version July 10, 2019 revision 004
- Initial Daily Certified version March 12, 2003 revision 003
- Latest Daily Certified version July 10, 2019 revision 007
- Initial Weekly Certified release date March 12, 2003
The Backdoor.HackDefender package consists of two files:
- Hxdefxxx.exe, which is the backdoor component.
- Hxdefxxx.ini, which is the backdoor configuration file.
The xxx represents a number from 026 to 071. The client portion of this backdoor, which Symantec antivirus products detect, is named Bdclixxx.exe.
Backdoor.HackDefender hooks various APIs in application processes to hide the specified processes, services, and files. The configuration file controls this action.
When Backdoor.HackDefender is activated, it does the following:
- Registers itself as a service, causing the system to execute the backdoor every time you restart the computer.
- Causes the service control manager to create the registry key:
This key contains the configuration information, such as its display name, "HXD Service," for the backdoor service.
- Inventories all the processes on the system. The Trojan injects its own code into their memory and hooks various APIs.
- Waits for you to launch other processes, into which the Trojan will also inject its own code, as well as hook their APIs.
Backdoor.HackDefender will hook the APIs for the following files:
Backdoor.HackDefender hooks the APIs by first allocating a memory area inside a host process. Then, the Trojan injects its own code and handler functions into that area.
Then, Backdoor.HackDefender will inventory the list of APIs, placing a jump instruction at the beginning of every API.
When a program executes any of the hooked APIs, the jump instruction transfers control to the Trojan's handler function (residing in the allocated memory area), which then calls the hooked API through a stub function. When the original API returns to the handler function, the Trojan performs its processing and filtering (for example, excluding a specific file from the results of the FindFirstFile/FindNextFile APIs), and then returns to the caller.
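One way for a defender to check a process for this kind of hook is to look at the first bytes of each exported function and flag any jump whose target lies outside the module that owns the function. The following is an added example, not Symantec's code and not part of the original writeup: it decodes the two common x86 redirect stubs (a 5-byte jmp rel32, and push imm32 followed by ret) over a constructed export snapshot of a 32-bit kernel32-like module. The module range, export addresses, and prologue bytes are made up for the demo. On a live system the bytes would be read from the loaded module and compared with the on-disk image; a hook placed by a legitimate product (antivirus, monitoring agent) is reported the same way, so the owner of the target memory is the next thing to inspect.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Address range of one loaded module in a 32-bit process (the platform this
   Trojan targets). The demo values below are constructed, not real addresses. */
typedef struct {
    const char *name;
    uint32_t base;
    uint32_t size;
} module_range_t;

typedef enum {
    HOOK_NONE = 0,
    HOOK_JMP_REL32,   /* E9 rel32 whose target lies outside the owning module */
    HOOK_PUSH_RET     /* 68 imm32 ; C3 : push an address, then ret into it   */
} hook_kind_t;

typedef struct {
    hook_kind_t kind;
    uint32_t target;  /* where control is redirected; 0 when not hooked */
} hook_report_t;

/* A snapshot of one export: its name, address, and the first bytes read there. */
typedef struct {
    const char *name;
    uint32_t va;
    uint8_t first[8];
} export_snapshot_t;

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static int in_module(uint32_t va, const module_range_t *m) {
    return va >= m->base && (va - m->base) < m->size;
}

/* Decode the first instruction at an export and report it if it transfers
   control out of the module. A jump that stays inside the module is left
   alone; a jump into memory the module does not own is the hook signature. */
hook_report_t inspect_prologue(uint32_t func_va, const uint8_t *b, size_t len,
                               const module_range_t *owner) {
    hook_report_t r = { HOOK_NONE, 0 };
    if (len >= 5 && b[0] == 0xE9) {
        /* E9 rel32: target = address after the 5-byte jmp + rel32, mod 2^32 */
        uint32_t target = func_va + 5u + read_le32(b + 1);
        if (!in_module(target, owner)) { r.kind = HOOK_JMP_REL32; r.target = target; }
    } else if (len >= 6 && b[0] == 0x68 && b[5] == 0xC3) {
        uint32_t target = read_le32(b + 1);
        if (!in_module(target, owner)) { r.kind = HOOK_PUSH_RET; r.target = target; }
    }
    return r;
}

/* Inspect every export; fills out[] (length n) and returns how many are hooked. */
size_t scan_exports(const export_snapshot_t *ex, size_t n,
                    const module_range_t *owner, hook_report_t *out) {
    size_t hooked = 0;
    for (size_t i = 0; i < n; i++) {
        out[i] = inspect_prologue(ex[i].va, ex[i].first, sizeof ex[i].first, owner);
        if (out[i].kind != HOOK_NONE) hooked++;
    }
    return hooked;
}

/* Constructed demo data: a kernel32-like module and four export snapshots. */
static const module_range_t demo_module = { "kernel32.dll", 0x7C800000u, 0x000F6000u };

static const export_snapshot_t demo_exports[] = {
    /* untouched prologue: mov edi,edi ; push ebp ; mov ebp,esp ; sub esp,10h */
    { "FindFirstFileW", 0x7C813A0Cu, { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 } },
    /* jmp 0x00A10000: into a private allocation outside the module (hooked) */
    { "FindNextFileW",  0x7C8123C4u, { 0xE9, 0x37, 0xDC, 0x1F, 0x84, 0x90, 0x90, 0x90 } },
    /* jmp 0x7C8A2000: stays inside the module, so not reported */
    { "CreateFileW",    0x7C810CD9u, { 0xE9, 0x22, 0x13, 0x09, 0x00, 0x90, 0x90, 0x90 } },
    /* push 0x00A10080 ; ret: same effect as the jmp, different encoding (hooked) */
    { "Process32NextW", 0x7C863D29u, { 0x68, 0x80, 0x00, 0xA1, 0x00, 0xC3, 0x90, 0x90 } },
};
#define DEMO_COUNT (sizeof demo_exports / sizeof demo_exports[0])

/* Runs the scan over the demo data and returns the hooked count. */
size_t demo_scan(hook_report_t *out) {
    return scan_exports(demo_exports, DEMO_COUNT, &demo_module, out);
}

int main(void) {
    hook_report_t out[DEMO_COUNT];
    size_t hooked = demo_scan(out);
    for (size_t i = 0; i < DEMO_COUNT; i++) {
        if (out[i].kind != HOOK_NONE)
            printf("%s!%s at %08X redirects to %08X (%s)\n", demo_module.name,
                   demo_exports[i].name, (unsigned)demo_exports[i].va,
                   (unsigned)out[i].target,
                   out[i].kind == HOOK_JMP_REL32 ? "jmp rel32" : "push/ret");
    }
    printf("%zu of %zu exports hooked\n", hooked, (size_t)DEMO_COUNT);
    return 0;
}
```

The scan reports FindNextFileW and Process32NextW as redirected into memory the module does not own and leaves the intra-module jump on CreateFileW alone. Because the Trojan filters the results of enumeration APIs in every process it has reached, a check like this is more trustworthy when run from a clean environment, which is consistent with the Safe mode step in the removal instructions.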
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
- Update the virus definitions.
- Restart the computer in Safe mode.
- Delete the key that was added to the registry. (This may only be possible with earlier versions of the Trojan.)
- Run a full system scan and delete all the files detected as Backdoor.HackDefender.
1. Updating the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:
- Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).
- Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater).
The Intelligent Updater virus definitions, together with detailed instructions on how to download and install them, are available from the Symantec Security Response Web site.
2. Restarting the computer in Safe mode
All the Windows 32-bit operating systems, except Windows NT, can be restarted in Safe mode. For instructions on how to do this, read the document, "How to start the computer in Safe Mode."
3. Deleting the key from the registry
CAUTION: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.
NOTE: This may only be possible with earlier versions of the Trojan.
- Click Start, and then click Run. (The Run dialog box appears.)
- Type regedit, and then click OK. (The Registry Editor opens.)
- Navigate to and delete the key:
- Exit the Registry Editor.
4. Scanning for and deleting the infected files
- Start your Symantec antivirus program and make sure that it is configured to scan all the files.
- For Norton AntiVirus consumer products: Read the document, "How to configure Norton AntiVirus to scan all files."
- For Symantec AntiVirus Enterprise products: Read the document, "How to verify that a Symantec Corporate antivirus product is set to scan All Files."
- Run a full system scan.
- If any files are detected as infected with Backdoor.HackDefender, click Delete.
Writeup By: Atli Gudmundsson