My Bitdefender
  • 0 Shopping Cart


Facebook Twitter Google Plus


634880 B
(OneCare: Worm:Win32/Pushbot.gen Symantec: Backdoor.Sdbot FProt: W32/Backdoor2.DCKA)


Presence of the following file: %system%\wauclt.exe

Presence of the following registry value, pointing to the file described above:  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Generic Host

Unusual internet activity

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Lutas Andrei Vlad, virus researcher

Technical Description:

This backdoor comes with an icon identical to that of an image; when executed, it will display a message-box, saying that "The picture cannot be displayed". It will then install itself on the system, by creating a new copy inside %system%\wauclt.exe, and registering it at startup by adding the following registry value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Generic Host. The main executable is packed and is 634880 Bytes in length.

Once installed, it will connect to an IRC channel and will start listening to commands that a remote attacker may send. Tasks it can perform depending on these commands are:

- spread using MSN
- update itself, by downloading new variants
- download and execute other files sent by the attacker
- edit files on the attacked computer
- retrieve various information about the local machine, as IP address, host name, OS version, IM client used, active processes or active threads

The malware has a self-protection mechanism ; in order to avoid triggering to much attention, it may disable himself for a certain amount of time; The following messages will be sent to the attacker: "!!!Security!!!. Lamer detected. coming back in 24hrs, download and update disabled." or "!!!Security!!!. Lamer detected. coming back next reboot, cya.".

The malware will keep the attacker informed regarding any action it takes, by sending detailed information about the malicious tasks it performs.