Presence of the following file: %system%\wauclt.exe
Presence of the following registry value, pointing to the file described above: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Generic Host
Unusual internet activity
Please let BitDefender disinfect your files.
Lutas Andrei Vlad, virus researcher
This backdoor comes with an icon identical to that of an image file; when executed, it displays a message box saying "The picture cannot be displayed". It then installs itself on the system by copying itself to %system%\wauclt.exe and registers that copy to run at startup by adding the following registry value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Generic Host. The main executable is packed and is 634880 bytes in length.
Once installed, it connects to an IRC channel and starts listening for commands that a remote attacker may send. Depending on these commands, it can perform the following tasks:
- spread using MSN
- update itself, by downloading new variants
- download and execute other files sent by the attacker
- edit files on the attacked computer
- retrieve various information about the local machine, such as IP address, host name, OS version, IM client used, active processes or active threads
The malware has a self-protection mechanism; in order to avoid attracting too much attention, it may disable itself for a certain amount of time. When it does so, one of the following messages is sent to the attacker: "!!!Security!!!. Lamer detected. coming back in 24hrs, download and update disabled." or "!!!Security!!!. Lamer detected. coming back next reboot, cya."
The malware keeps the attacker informed of every action it takes, reporting detailed information about each malicious task it performs.
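As an added example (not BitDefender's code and not part of the original description), the following Python script turns the indicators given above into checks a responder can run offline against collected evidence: the dropped %system%\wauclt.exe, the "Generic Host" value under the Run key pointing at that file, and the two self-protection messages in captured IRC traffic. The system directory, a Windows Registry Editor export and the IRC lines are passed in as parameters; the sample registry export, the sample IRC lines, the temporary stand-in for %system% and all function names are constructed for illustration and are assumptions, not data from the advisory.

```python
"""Indicator checks for the backdoor described on this page.

Added example, not BitDefender's own tooling. The indicators come straight
from the description: %system%\\wauclt.exe, the "Generic Host" value under
HKLM\\...\\Run, and the two "!!!Security!!!" IRC messages. The system
directory, a Windows Registry Editor export and the IRC lines are passed in
as parameters so the checks can run offline against collected evidence.
"""
import os
import tempfile

FILE_NAME = "wauclt.exe"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Generic Host"
# Message prefixes quoted in the description; the trailing text differs.
IRC_SIGNATURES = (
    "!!!Security!!!. Lamer detected. coming back in 24hrs",
    "!!!Security!!!. Lamer detected. coming back next reboot",
)


def parse_reg_export(text):
    """Parse a Windows Registry Editor export into {key: {value: data}}.

    Keys and value names are lower-cased because the registry is
    case-insensitive. For string data ("name"="data") the doubled
    backslashes are unescaped; other value types are kept as written.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")
            keys[current][name.strip('"').lower()] = data
    return keys


def check_host(system_dir, reg_export_text):
    """Return the host indicators found: the dropped file and the Run value."""
    findings = []
    dropped = os.path.join(system_dir, FILE_NAME)
    if os.path.isfile(dropped):
        findings.append("file present: " + dropped)
    run_values = parse_reg_export(reg_export_text).get(RUN_KEY.lower(), {})
    data = run_values.get(RUN_VALUE.lower())
    if data is not None and data.lower().endswith(FILE_NAME):
        findings.append("run value '%s' -> %s" % (RUN_VALUE, data))
    return findings


def check_irc(lines):
    """Return (line_no, line) for IRC lines carrying a self-protection message."""
    hits = []
    for no, line in enumerate(lines, start=1):
        low = line.lower()
        if any(sig.lower() in low for sig in IRC_SIGNATURES):
            hits.append((no, line))
    return hits


# --- constructed sample evidence (not real captures) -----------------------

SAMPLE_REG_EXPORT = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\r\n"
    '"ctfmon.exe"="C:\\\\WINDOWS\\\\system32\\\\ctfmon.exe"\r\n'
    '"Generic Host"="C:\\\\WINDOWS\\\\system32\\\\wauclt.exe"\r\n'
)

SAMPLE_IRC_LINES = [
    ":bot!u@h PRIVMSG #chan :ip=10.0.0.5 host=WKSTN1 os=Windows XP",
    ":op!u@h PRIVMSG #chan :hello",
    ":bot!u@h PRIVMSG #chan :!!!Security!!!. Lamer detected. coming back in 24hrs, download and update disabled.",
    ":bot!u@h PRIVMSG #chan :!!!Security!!!. Lamer detected. coming back next reboot, cya.",
]


def make_sample_system_dir(infected=True):
    """Create a throwaway stand-in for %system%, optionally holding the dropped file."""
    path = tempfile.mkdtemp(prefix="fake_system32_")
    if infected:
        open(os.path.join(path, FILE_NAME), "wb").close()
    return path


if __name__ == "__main__":
    for finding in check_host(make_sample_system_dir(), SAMPLE_REG_EXPORT):
        print("HOST:", finding)
    for no, line in check_irc(SAMPLE_IRC_LINES):
        print("IRC line %d: %s" % (no, line))
```

On a real machine the registry text would come from `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` and the system directory would be the actual %system% path; the IRC lines would come from a proxy or packet-capture export. Matching the Run value on the file name rather than the full path keeps the check valid when Windows is installed somewhere other than C:\WINDOWS.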