spyware removal instructions

Hacker Defender removal

Spyware Hacker Defender Information
Name: Hacker Defender
Category: Trojan Creator
Date: 2003-10-16
Author: Holy_Father
Coded in: Delphi and Assembly.
Dangerous: Yes
Hacker Defender is a Trojan Creator (spyware).
You should remove it from your system as soon as possible.
Hacker Defender description by Holy_Father:
Creator: Hacker defender v0.2.1 - english readme

Main
Hacker defender v0.2.1 by Holy_Father
Hacker defender is a rootkit for Windows NT 4.0, Windows 2000 & Windows XP. Main code was written in Delphi 6. Functions for the new thread are written in assembler. The application uses an adapted LDE32 (LDE32, Length-Disassembler Engine, 32-bit, (x) 1999-2000 Z0MBiE, special edition for REVERT utility, version 1.05).

Usage
>hxdef021.exe [inifile]
The default hxdef021.ini is used if run without specifying the inifile.

Idea
The main idea of this application was to use the API functions WriteProcessMemory and CreateRemoteThread to create a new thread in all running processes. The new thread will rewrite some functions in system modules (mostly kernel32.dll) and inject fake code which will check API results & change the result in specific cases. The application must be absolutely hidden from all others. The application installs hidden backdoors & registers as a hidden system service.

Version
TODO
- extend backdoor (create admin part)
- net functions for backdoor
- run root process on system level
0.2.1
+ always run as service
0.2.0
+ system service installation
+ hiding in database of installed services
+ hidden backdoor
+ no more working with windows
0.1.1
+ hidden in tasklist
+ usage - possibility to specify name of inifile
x found & then fixed bug in communication
x fixed bug in using advapi
- found bug with debuggers
0.1.0
+ infestation of system services
+ smaller, tidier, faster code, more stable application
x fixed bug in communication
0.0.8
+ hiding any file
+ infestation of new processes
- can't infect system services
- bug in communication

Hooked API
List of API functions which are changed:
Kernel32.Find1stFileExW
Kernel32.FindNextFileW
Kernel32.CreateProcessW
Ntdll.NtQuerySystemInformation (class 5)
WS2_32.recv
WS2_32.WSARecv
WSOCK32.recv
Kernel32.ReadFile
Advapi32.EnumServicesStatusW
Advapi32.EnumServicesStatusA

Inifile
There are more settings in this version. The inifile must contain three parts: [Hidden Table], [Root Processes] & [Hidden Services]. Hidden Table is a list of any files & directories which should be hidden. There's no chance to find those files & directories. Applications in this list will be hidden in the tasklist. Root Processes is a list of applications which will be immune to infestation. You can see hidden files, directories & applications only with these root applications. So, root processes are for rootkit admins. Hidden Services is a list of service names which will be hidden in the database of installed services. The service name for the main rootkit application is HackerDefender021.

Backdoor
The rootkit hooks some API functions connected with receiving packets from the net. If the incoming data equals a 512 bits long key, a shell instance is created & the next incoming data are redirected to this shell. Because the rootkit hooks all processes in the system, all TCP ports on servers will be backdoors. This backdoor will work only on servers where the incoming buffer is larger than or equal to 512 bits. But this feature is on almost all standard servers like Apache, IIS, Oracle. So, the backdoor is created & it's hidden because its packets go via common servers on the system. So, you're not able to find it with a classic portscanner & this backdoor can easily go via a firewall. Exceptions to this are classic proxies which are protocol oriented, e.g. FTP or HTTP. During tests on IIS services it was found that the HTTP server does not log any of these connections; FTP & SMTP servers log only the disconnection at the end. You've to use a special client if you wanna connect to the backdoor. The application bdcli021.exe is used for this.
usage: bdcli021.exe host port

Known Bugs
Only one bug is known. Processes which are being debugged at the moment can't be infected, because their debugger has exclusive rights to them. The infestation will be lost if the process is debugged during infestation. So, it'll not be changed & will see everything.

I think this isn't a serious bug, because there's only a small chance to apply this. I need help with solving this problem. It's not serious, but I've no idea how to fix it.
Holy_Father
This Trojan Creator is also known as:
Backdoor.HacDef.021.
Backdoor.HacDef.026.
Backdoor.HacDef.030.
Backdoor.HacDef.033.
Backdoor.HacDef.037.
Backdoor.HacDef.050.
Backdoor.HacDef.051.
Backdoor.HacDef.073.a.
Backdoor.HacDef.084.
Backdoor.Win32.HacDef.084 - named by Kaspersky.
Bck/HacDef.C - named by Panda.
Win32/HacDef.084 trojan - named by Eset.


Hacker Defender Removal Instructions
Kill the following processes:
bdcli021.exe, hxdef021.exe, hxdef030.exe, hxdef033.exe, hxdef037.exe, hxdef050.exe, hxdef051.exe
Remove the following files:
bdcli021.exe, bdcli100.dpr, driver.c, driver.h, driver.res, driver.sys, hxdef021.exe, hxdef021.ini, hxdef030.exe, hxdef030.ini, hxdef033.exe, hxdef033.ini, hxdef037.exe, hxdef037.ini, hxdef050.exe, hxdef050.ini, hxdef051.exe, hxdef051.ini, hxdef073.ini, hxdef100.2.ini, hxdef100.dpr, hxdef100.ini, rdrbs100.dpr, rdrbs100.res, read it.txt, readmecz.txt, readmeen.txt, readmefr.txt, sources, ujqcompress.pas, ulist.pas, uprocapi.pas, usockets.pas, usysutils-case.inc, usysutils-numstrconv.inc, usysutils.pas, utcp.pas, w32hackdefi.vex.
