Backdoor.Sadhound.A (aliases: Backdoor.Welkom (Kaspersky), Troj/SadHound-A (Sophos), Multidropper-CE (McAfee), TROJ_SADHOUND.A (Trend))
SYMPTOMS:
- The file MSWINS0CK.EXE (7,200 bytes) in %SysDir% (the Windows\System folder on Windows 9x systems or the WinNT\System folder on Windows NT based systems).
- A text file (which the backdoor opens so that the victim sees it) in the Windows\Temp folder, containing the text:

  There's no special reason for sending this to you, except that... I was feeling a little lonely, and when I asked myself what I seemed to be missing the most, the answer turned out to be ...you. I Miss You

TECHNICAL DESCRIPTION:
Once executed, the backdoor displays the text file with the message quoted above and creates the file MSWINS0CK.EXE in the Windows\System folder (or WinNT\System); a copy is also placed in the Windows\Temp folder under a randomly chosen name. Next, the dropped file is executed and the following registry entry is created, so that the backdoor starts each time Windows starts:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"Microsoft auto update"="MSWINS0CK.EXE"

Once running, the backdoor attempts to enter a password-protected channel on certain IRC servers, using a randomly chosen nick. There it waits for an attacker to join the channel and issue commands that are executed on the victim's computer.

Removal instructions:
- Manual removal: delete the file MSWINS0CK.EXE from the Windows\System folder and the registry entry [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft auto update].
- Automatic removal: let BitDefender delete the files found infected.

ANALYZED BY: Patrik Vicol, BitDefender Virus Researcher
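Added example, not part of the BitDefender write-up: a small Python check that applies the indicators above (the Run value "Microsoft auto update" pointing at MSWINS0CK.EXE, the 7,200-byte file in the System folder, and a same-sized file under Temp as a possible copy of the randomly named drop) to a .reg export of the Run key and a file inventory. The export text and the file list are constructed sample data, and matching the Temp copy by size alone is a weak heuristic that only narrows down candidates for manual review.

```python
import re

# Indicators taken from the Backdoor.Sadhound.A description above.
SADHOUND_FILE = "MSWINS0CK.EXE"        # digit zero, not the letter O
SADHOUND_SIZE = 7200                   # bytes
SADHOUND_RUN_VALUE = "Microsoft auto update"
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample of a .reg export of the Run key (not a real capture).
SAMPLE_REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Microsoft auto update"="MSWINS0CK.EXE"
'''

# Constructed file inventory as (path, size in bytes). The Temp copy has a
# random name, so it can only be matched on its location and size.
SAMPLE_FILES = [
    (r"C:\WINDOWS\SYSTEM\MSWINS0CK.EXE", 7200),
    (r"C:\WINDOWS\SYSTEM\WSOCK32.DLL", 40960),
    (r"C:\WINDOWS\TEMP\kj3f9a.exe", 7200),
]


def parse_run_values(reg_text):
    """Return {value_name: data} for the Run key in a .reg export."""
    values, in_run_key = {}, False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_run_key = line.strip("[]").lower() == RUN_KEY.lower()
        elif in_run_key:
            m = re.match(r'"([^"]+)"="([^"]*)"', line)
            if m:
                values[m.group(1)] = m.group(2)
    return values


def find_sadhound(reg_text, files):
    """Return (finding, detail) pairs for every indicator present."""
    findings = []
    data = parse_run_values(reg_text).get(SADHOUND_RUN_VALUE)
    if data is not None and data.upper().endswith(SADHOUND_FILE):
        findings.append(("run_key", f"{SADHOUND_RUN_VALUE}={data}"))
    for path, size in files:
        folder, name = path.rsplit("\\", 1)
        if name.upper() == SADHOUND_FILE and folder.upper().endswith("\\SYSTEM"):
            findings.append(("dropped_file", path))
        elif folder.upper().endswith("\\TEMP") and size == SADHOUND_SIZE:
            findings.append(("possible_temp_copy", path))  # size-only heuristic
    return findings
```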