1. Skip to navigation
  2. Skip to content
  3. Skip to secondary-content

Where You Are

  1. Labs
  2. Threats
  3. Virus and threat descriptions
  4. Backdoor.Win32.Wisdoor.N

Backdoor.Win32.Wisdoor.N

Name : Backdoor.Win32.Wisdoor.N
Category:Malware
Type:Backdoor
Platform:W32

Summary

Wisdoor represents a family of backdoors. They allow the remote control of a victim's computer by sending specific commands via IRC channels. Also, these backdoors can steal data and spread to computers vulnerable to exploits.

Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.

Additional Details

The Windoor.N file is a PE executable about 20 kilobytes long, packed with ASPACK file compressor.

When the Windoor.N file is started, it copies itself as a file named "windll.exe" to the Windows folder and then creates the following startup key value in the Registry:

  •   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "windll" = "%WINDIR%\windll.exe"

When the Backdoor is active, it connects to an IRC server, joins a certain channel and acts as a bot there.

The following IRC server and port is used by the Backdoor:

  •   web.dardana.info:3926

The backdoor joins the following IRC channel:

  •   #at

A hacker can send commands to the bots to and control infected computers. Several tasks can be performed, including the following:

  •  Start HTTP server
  • Perform ping, SYN, ICMP and UDP flood
  • Get system information including information about OS, network and drives
  • Download and execute files
  • Log keystrokes
  • Capture video using webcam
  • Send and receive files
  • Scan and exploit computers vulnerable to exploits

When spreading, the bot can exploit the following vulnerabilities:

  •  IIS port 80 using 'Web Server Folder Traversal' Vulnerability (MS00-078)
  • MSSQL port 1443, trying to get access using blank SA account password