
Backdoor.Sadhound.A

LOW
MEDIUM
Size: 11,296 bytes (dropper), 7,200 bytes
Aliases: Backdoor.Welkom (Kaspersky), Troj/SadHound-A (Sophos), Multidropper-CE (McAfee), TROJ_SADHOUND.A (Trend)

Symptoms

- The file MSWINS0CK.EXE (7,200 bytes) in %SysDir% (the Windows\System folder on Windows 9x systems or the WinNT\System folder on WinNT-based systems)
- A text file (which the backdoor opens so that the victim sees it) in the Windows\Temp folder containing the text:
There's no
special reason
for sending
this to you,
except that...
I was feeling
a little lonely,
and when I asked myself
what I seemed to be
missing the most,
the answer
turned out to be
...you.
I Miss You

Removal instructions:

- manual removal: delete the file MSWINS0CK.EXE from the Windows\System folder
and the registry entry [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft auto update]
- automatic removal: let BitDefender delete the files found infected.

Analyzed By

Patrik Vicol, BitDefender Virus Researcher

Technical Description:

Once executed, the dropper displays the text file with the message (see above) and creates the file MSWINS0CK.EXE in the Windows\System folder (or WinNT\System); a copy is also placed in the Windows\Temp folder under a randomly chosen name.
Next, the dropped file is executed and the following registry entry is created, so that the backdoor starts each time Windows starts:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"Microsoft auto update"="MSWINS0CK.EXE"
Once running, the backdoor attempts to enter a password-protected channel on certain IRC servers, using a randomly chosen nick. Once there, it waits for an
attacker to join the channel and issue commands that are executed on the victim's computer.
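The persistence entry and the dropped file name listed above are the two indicators an administrator can check for on a machine. The following Python script is an added example written for this page, not a BitDefender tool: it parses text in the shape that `reg query` prints for the Run key (the sample below is constructed) and flags the "Microsoft auto update" value and the MSWINS0CK.EXE file name. Note that the file name is spelled with a digit zero where the name it imitates, MSWINSOCK, has a letter O; the script therefore also flags any Run entry whose executable differs from MSWINSOCK.EXE only by that substitution.

```python
import re

# Indicators taken from the advisory above
IOC_VALUE_NAME = "Microsoft auto update"
IOC_FILE_NAME = "MSWINS0CK.EXE"     # digit zero in place of the letter O
LEGIT_LOOKALIKE = "MSWINSOCK.EXE"   # the name the dropped file imitates

# Constructed sample in the column layout of `reg query HKLM\...\Run`
SAMPLE_REG_QUERY = """\
HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\\system32\\SecurityHealthSystray.exe
    Microsoft auto update    REG_SZ    MSWINS0CK.EXE
    OneDrive    REG_SZ    "C:\\Users\\x\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background
"""

# One value line: name, type and data separated by runs of at least two spaces
RUN_LINE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")


def parse_run_entries(text):
    """Return (value name, value data) pairs from reg query style output."""
    entries = []
    for line in text.splitlines():
        m = RUN_LINE.match(line)
        if m:
            entries.append((m.group("name"), m.group("data").strip()))
    return entries


def executable_basename(data):
    """Extract the file name of the executable from a Run value's data."""
    first_token = data.strip('"').split("\\")[-1].split()[0]
    return first_token.strip('"')


def classify_filename(basename):
    """'ioc' for the exact dropped name, 'lookalike' for a 0-for-O variant, else None."""
    upper = basename.upper()
    if upper == IOC_FILE_NAME:
        return "ioc"
    if upper != LEGIT_LOOKALIKE and upper.replace("0", "O") == LEGIT_LOOKALIKE:
        return "lookalike"
    return None


def find_sadhound_indicators(text):
    """Return a list of suspicious Run entries with the reasons they were flagged."""
    findings = []
    for name, data in parse_run_entries(text):
        reasons = []
        if name.lower() == IOC_VALUE_NAME.lower():
            reasons.append("Run value name matches the advisory")
        verdict = classify_filename(executable_basename(data))
        if verdict == "ioc":
            reasons.append("executable name matches the dropped file")
        elif verdict == "lookalike":
            reasons.append("executable name imitates MSWINSOCK.EXE")
        if reasons:
            findings.append({"name": name, "data": data, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_sadhound_indicators(SAMPLE_REG_QUERY):
        print(f"{hit['name']!r} -> {hit['data']!r}: {'; '.join(hit['reasons'])}")
```

On a real machine the text would come from `reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"` saved to a file; a hit should be confirmed by checking for the 7,200-byte MSWINS0CK.EXE in the System folder before the value and file are removed as described in the removal instructions.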