Last Updated: 2005-10-12 20:05:57 UTC
by Patrick Nolan (Version: 1)
Since I then knew of only 2 haxdoor versions which create the SAFEMODE cleaning issue (flattening is still preferred here), and since this cleaning issue doesn't seem to have created any significant AV Vendor issues in the middle of this year's malware fe$tival, I dropped a line to some AV acquaintances about IR response problems these two variants create.
To make a long story short, F-Secure took a look at the second "safe mode" variant and said "Yes, this variant uses the similar registry keys/values. Haxdoor indeed does run in safemode. Symantec's recommendation about recovery console is probably the easiest way to delete haxdoor without any special tools. F-secure Blacklight also can identify and rename haxdoor's files. So I'd recommend users to try that first. It is far easier to use than recovery console."
And if your AV vendor does or does not address this issue, please drop me a line. Thanks!
Also, thanks very much Lorna, Tom and Jarkko!
F-Secure BlackLight Beta
Symantec Backdoor.Haxdoor.E, "Discovered on: August 01, 2005"
Tom's analysis mentioning the second variant is in the Handler's Diary September 22nd 2005, see Follow the Bouncing Malware IX: eGOLDFINGER