Home / malware Backdoor.Sadhound.A
First posted on 21 November 2011.
Source: BitDefenderAliases :
Backdoor.Sadhound.A is also known as Backdoor.Welkom, (Kaspersky.
Explanation :
Once executed, the backdoor displays the text file with the message (see above) andcreates the file MSWINS0CK.EXE in WindowsSystem folder (or WinNTSystem), which is also copied in the WindowsTemp folder under a randomly choosed name.
Next, the droped file is executed and the following registry entry is created, thus allowing the backdoor to start each time Windows starts:
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun
"Microsoft auto update"="MSWINS0CK.EXE"
Once executed, the backdoor attempts to enter a password protected channel on some particular IRC servers, using a randomly choosen nick. Once there, waits for an
attacker to join this channel and issue commands on the victim's computer.Last update 21 November 2011