Threat Description



Category: Malware
Type: Backdoor
Platform: W32
Aliases: Backdoor.Win32.Wisdoor.N


Wisdoor represents a family of backdoors. They allow the remote control of a victim's computer by sending specific commands via IRC channels. Also, these backdoors can steal data and spread to computers vulnerable to exploits.


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

The Windoor.N file is a PE executable about 20 kilobytes long, packed with ASPACK file compressor.

When the Windoor.N file is started, it copies itself as a file named "windll.exe" to the Windows folder and then creates the following startup key value in the Registry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "windll" = "%WINDIR%\windll.exe"

When the Backdoor is active, it connects to an IRC server, joins a certain channel and acts as a bot there.

The following IRC server and port is used by the Backdoor:


The backdoor joins the following IRC channel:

  • #at

A hacker can send commands to the bots to and control infected computers. Several tasks can be performed, including the following:

  • Start HTTP server
  • Perform ping, SYN, ICMP and UDP flood
  • Get system information including information about OS, network and drives
  • Download and execute files
  • Log keystrokes
  • Capture video using webcam
  • Send and receive files
  • Scan and exploit computers vulnerable to exploits

When spreading, the bot can exploit the following vulnerabilities:

  • IIS port 80 using 'Web Server Folder Traversal' Vulnerability (MS00-078)
  • MSSQL port 1443, trying to get access using blank SA account password


Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More