11,296 bytes (dropper), 7,200 bytes
(Backdoor.Welkom (Kaspersky) Troj/SadHound-A (Sophos), Multidropper-CE (McAfee), TROJ_SADHOUND.A (Trend))
- The file MSWINS0CK.EXE (7,200 bytes) in %SysDir% (the Windows\System folder on Windows 9x systems or the WinNT\System folder on WinNT-based systems)
- A text file (which the backdoor opens so that the victim sees it) in the Windows\Temp folder, containing the text:
this to you,
I was feeling
a little lonely,
and when I asked myself
what I seemed to be
missing the most,
turned out to be
I Miss You
- manual removal: delete the file MSWINS0CK.EXE from the Windows\System folder
and the registry value "Microsoft auto update" under [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
- automatic removal: let BitDefender delete the files found infected.
Patrik Vicol, BitDefender Virus Researcher
Once executed, the backdoor displays the text file with the message (see above) and creates the file MSWINS0CK.EXE in the Windows\System folder (or WinNT\System), which is also copied into the Windows\Temp folder under a randomly chosen name.
Next, the dropped file is executed and the following registry value is created under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, so that the backdoor starts each time Windows starts:
"Microsoft auto update"="MSWINS0CK.EXE"
Once running, the backdoor attempts to join a password-protected channel on certain IRC servers, using a randomly chosen nick. Once there, it waits for an attacker to join the channel and issue commands to be executed on the victim's computer.
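As an added triage example (not BitDefender's own tooling), the following Python script checks a host for the two persistence artefacts this entry describes: the Run value named "Microsoft auto update" (or any Run command that launches MSWINS0CK.EXE, with the digit 0 as written above) and the dropped file in the System folder. On Windows it reads the live HKLM Run key via the standard winreg module; elsewhere it runs against a constructed sample so the logic can be exercised offline.

```python
"""Triage checks for the SadHound artefacts described in this entry (added example)."""
import ntpath
from typing import Dict, Iterable, List, Tuple

# Indicators as given in the write-up (note the digit 0 in the file name).
BACKDOOR_FILE = "MSWINS0CK.EXE"
RUN_VALUE_NAME = "Microsoft auto update"
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def check_run_entries(run_entries: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (value name, data) pairs from HKLM\\...\\Run that match the backdoor:
    the registered value name, or any command that launches MSWINS0CK.EXE."""
    hits = []
    for name, data in run_entries.items():
        # ntpath handles backslash paths on any platform; strip optional quotes.
        exe = ntpath.basename(data.strip().strip('"')).upper()
        if name.strip().lower() == RUN_VALUE_NAME.lower() or exe == BACKDOOR_FILE:
            hits.append((name, data))
    return hits


def check_system_dir(listing: Iterable[str]) -> List[str]:
    """Return names in a System folder listing that equal the dropped file name."""
    return [n for n in listing if n.upper() == BACKDOOR_FILE]


def read_hklm_run() -> Dict[str, str]:
    """Read the live Run key on Windows; returns {} on other platforms."""
    try:
        import winreg
    except ImportError:
        return {}
    entries: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:  # EnumValue raises once the values are exhausted
                return entries
            entries[name] = str(data)
            i += 1


if __name__ == "__main__":
    # Constructed sample used when not on Windows (not taken from a real host).
    sample = {"Microsoft auto update": "MSWINS0CK.EXE", "ctfmon": r"C:\WINDOWS\ctfmon.exe"}
    print(check_run_entries(read_hklm_run() or sample))
```

Pair the Run-key check with a directory listing of %SysDir% passed to check_system_dir; a hit on either is enough to apply the manual removal steps above.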