Sadhound

Type: Trojan
SubType: Dropper
Discovery Date: 01/27/2003
Length: 11,296 bytes
Minimum DAT: 4245 (01/29/2003)
Updated DAT: 4245 (01/29/2003)
Minimum Engine: 5.1.00
Description Added: 02/02/2003
Description Modified: 02/03/2003 10:20 AM (PT)
Risk Assessment:
  Corporate User: Low-Profiled
  Home User: Low-Profiled

Characteristics

This threat has a risk assessment of Low-Profiled due to the article "Trojan writers exploit Outlook to get around content filtering".

This threat is detected as MultiDropper-CE with the 4245 DATs. This trojan drops (or extracts and saves to disk) a text file and an executable (detected as IRC-Sdbot with the 4245 DAT files). The MultiDropper trojan was spammed to a large number of email addresses with the following information:

Subject: I Miss You
Body: I Miss You…
Attachments:

  • bloodss.jpg
  • bgg.jpg
  • Missingyou.htm.%Number of spaces%pif.htm

The message contains an image of a "sad" hound.

The .htm.pif.htm file exploits a Microsoft Outlook Express vulnerability that makes the file appear to be an HTML document when in fact it is an executable. When run, the trojan creates the following files:

  • %SysDir%\MSWINS0CK.EXE (7,200 bytes), where %SysDir% is typically WINDOWS\SYSTEM
  • %TEMP%\%RandomName%.txt
The text file contains the following text:

There's no
special reason
for sending
this to you,
except that...

I was feeling
a little lonely,
and when I asked myself
what I seemed to be
    missing the most,
the answer
turned out to be     ...you.


I Miss You

The exe file is run, which creates the following registry value to launch the trojan at startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Microsoft auto update" = MSWINS0CK.EXE
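The two indicators above (a padded double-extension attachment name that hides a .pif between whitespace and .htm, and a Run value named "Microsoft auto update" pointing at MSWINS0CK.EXE, where a digit zero stands in for the letter O) can be checked mechanically. The following script is an added example, not code from the original description; the attachment names and Run values it inspects are constructed samples, and the Run values are assumed to have been exported into a dictionary beforehand.

```python
"""Detection helpers for the Sadhound mail and persistence indicators."""
import re

# Extensions Windows executes even when a later ".htm" makes the name look harmless.
EXECUTABLE_EXTS = {"pif", "exe", "scr", "com", "bat", "cmd", "vbs", "js"}

# Run value name and data the dropped IRC-Sdbot component registers (from the description).
RUN_VALUE_NAME = "microsoft auto update"
RUN_VALUE_DATA = "mswins0ck.exe"


def suspicious_attachment(filename):
    """Return the list of reasons an attachment name looks like a disguised executable."""
    reasons = []
    # Two or more consecutive blanks: a single space is common in legitimate names.
    if re.search(r"\s{2,}", filename):
        reasons.append("whitespace padding in name")
    # Collapse all whitespace so "htm.      pif.htm" becomes "htm.pif.htm".
    collapsed = re.sub(r"\s+", "", filename).lower()
    exts = collapsed.split(".")[1:]            # everything after the base name
    hidden = [e for e in exts[:-1] if e in EXECUTABLE_EXTS]  # non-final extensions
    if hidden:
        reasons.append(f"executable extension hidden: .{hidden[0]}")
    if exts and exts[-1] in EXECUTABLE_EXTS:
        reasons.append(f"executable attachment: .{exts[-1]}")
    return reasons


def suspicious_run_entries(run_values):
    """run_values: {value name: data} exported from HKLM\\...\\CurrentVersion\\Run (assumed input)."""
    hits = []
    for name, data in run_values.items():
        n, d = name.strip().lower(), data.strip().lower()
        if n == RUN_VALUE_NAME or d.endswith(RUN_VALUE_DATA):
            hits.append((name, data))
            continue
        # Homoglyph check: digit zero used in a Winsock-like file name (e.g. MSWINS0CK32.EXE).
        base = d.rsplit("\\", 1)[-1]
        if "0" in base and base.replace("0", "o").startswith("mswinsock"):
            hits.append((name, data))
    return hits


# Constructed samples modelled on the attachment list and Run value in the description.
SAMPLE_ATTACHMENTS = ["bloodss.jpg", "bgg.jpg", "Missingyou.htm." + " " * 40 + "pif.htm"]
SAMPLE_RUN_VALUES = {"Microsoft auto update": "MSWINS0CK.EXE",
                     "SoundMan": "C:\\WINDOWS\\SOUNDMAN.EXE"}

if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        print(repr(name), suspicious_attachment(name))
    print(suspicious_run_entries(SAMPLE_RUN_VALUES))
```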

Symptoms

Presence of the IRC-Sdbot trojan and the aforementioned text file.

Method of Infection

Trojans do not self-replicate. This particular trojan was SPAMMED to a large number of email addresses.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

All Information

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Backdoor.Sadhound (Symantec)
  • TROJ_SADHOUND.A (Trend)
