Wisdoor represents a family of backdoors. They allow the remote control of a victim's computer by sending specific commands via IRC channels. Also, these backdoors can steal data and spread to computers vulnerable to exploits.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
The Windoor.N file is a PE executable about 20 kilobytes long, packed with ASPACK file compressor.
When the Windoor.N file is started, it copies itself as a file named "windll.exe" to the Windows folder and then creates the following startup key value in the Registry:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "windll" = "%WINDIR%\windll.exe"
When the Backdoor is active, it connects to an IRC server, joins a certain channel and acts as a bot there.
The following IRC server and port is used by the Backdoor:
The backdoor joins the following IRC channel:
A hacker can send commands to the bots to and control infected computers. Several tasks can be performed, including the following:
- Start HTTP server
- Perform ping, SYN, ICMP and UDP flood
- Get system information including information about OS, network and drives
- Download and execute files
- Log keystrokes
- Capture video using webcam
- Send and receive files
- Scan and exploit computers vulnerable to exploits
When spreading, the bot can exploit the following vulnerabilities:
- IIS port 80 using 'Web Server Folder Traversal' Vulnerability (MS00-078)
- MSSQL port 1443, trying to get access using blank SA account password