Backdoor.Htbot

Backdoor.Htbot Description

Backdoor.Htbot is a threatening program that allows a remote attacker to gain access to a compromised computer and send commands to it. As the name implies, threats like Backdoor.Htbot provide a covert channel through which attackers may access and control computers remotely. The trojan may grow in complexity as it sees further development or as more variants appear, ranging from limited functions to those that may allow almost every action to be performed on an infected computer.

A computer with a backdoor of this kind installed might as well be considered slaved to the attackers, essentially a 'bot.' A network of slaved computers of this kind is referred to as a botnet. Backdoor.Htbot may possess the ability to:

  • Collect information on the users and the system and any devices attached to it.
  • Terminate and run processes and tasks.
  • Download and upload files.
  • Report on its status.
  • Open remote command line shells.
  • Perform DDoS attacks.
  • Change system settings.
  • Shut down and restart the affected computers.

Backdoor.HtBot may also create files on infected PCs, such as the following:

  • %LOCALAPPDATA%\lix\winlogon-svc.exe
  • %LOCALAPPDATA%\lix\winsmss.exe

At times, Backdoor.HtBot may also modify the registry to achieve persistence, so that it starts on every system boot, using the following:

  • In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • Sets value: "Windows BitLocker Drive Encryption Service"
  • With data: "%LOCALAPPDATA%\lix\winsmss.exe"

The Backdoor.HtBot malware also uses code injection to make itself harder to detect and remove. If you see any of the following files and modifications present on your machine, then this may be a sign that Backdoor.HtBot is present in the system:

  • %LOCALAPPDATA%\lix\winlogon-svc.exe
  • %LOCALAPPDATA%\lix\winsmss.exe

Registry modifications such as:

  • In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • Sets value: "Windows BitLocker Drive Encryption Service"
  • With data: "%LOCALAPPDATA%\lix\winsmss.exe"
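
A read-only PowerShell check for the files and the Run-key value listed above, added here as an example and not taken from the original page. The ProfileList enumeration, the default `AppData\Local` profile layout and the function name `Test-HtbotRunData` are assumptions of this example.

```powershell
# Added example: read-only check for the indicators listed on this page.
$iocFiles = 'winlogon-svc.exe', 'winsmss.exe'   # file names from the page
$iocLeaf  = 'lix\winsmss.exe'                   # tail of the Run value data
$iocValue = 'Windows BitLocker Drive Encryption Service'
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$profKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Test-HtbotRunData {
    param([string]$Data)
    # Strip quotes, expand %VAR% tokens, then compare the path tail case-insensitively.
    if ([string]::IsNullOrWhiteSpace($Data)) { return $false }
    $path = [Environment]::ExpandEnvironmentVariables($Data.Trim().Trim('"'))
    return $path.EndsWith("\$iocLeaf", [StringComparison]::OrdinalIgnoreCase)
}

$findings = @()

# Files: %LOCALAPPDATA% resolves per user, so inspect every profile on the host.
# Assumption: each profile keeps the default AppData\Local layout.
$userDirs = Get-ChildItem -Path $profKey -ErrorAction SilentlyContinue |
    ForEach-Object { $_.GetValue('ProfileImagePath') } | Where-Object { $_ }
foreach ($userDir in $userDirs) {
    foreach ($name in $iocFiles) {
        $candidate = Join-Path $userDir "AppData\Local\lix\$name"
        if (Test-Path -LiteralPath $candidate -PathType Leaf) {
            $hash = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            $findings += [pscustomobject]@{ Type = 'File'; Item = $candidate; Detail = "SHA256 $hash" }
        }
    }
}

# Registry: flag the value by its name or by data that points at lix\winsmss.exe.
$key = Get-Item -Path $runKey -ErrorAction SilentlyContinue
if ($key) {
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        if ($name -eq $iocValue -or (Test-HtbotRunData $data)) {
            $findings += [pscustomobject]@{ Type = 'RunValue'; Item = $name; Detail = $data }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap } else {
    'No Backdoor.Htbot indicators from this page were found.'
}
```

Run it from an elevated session so that other users' profile folders are readable; the script changes nothing on the host.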