New Virus Warning: W32/Sadhound.A

[CalamityJane]

Just got this in a e-mail from Message Labs.

General

The details of the new virus are as follows:

Virus name: W32/Sadhound.A
Number of copies seen so far: 2,704
Date first Captured: 25th Jan 2003
Origin of first intercepted copy: Netherlands
Number of countries seen active: 1
Most active countries: Netherlands

Technical Details

On 25th January 2003, MessageLabs intercepted the first copies of a new virus called W32/Sadhound.A. To date, all of the copies that we have thus far stopped all originated from the same IP address in the Netherlands. Therefore, at this time, we are unsure as to whether this is a seeding of a trojan, broken malware, or a mass-mailer.

Initial analysis suggests this is a dropper-program, depositing a mass-mailer with a backdoor and a mIRC component; however, this has yet to be confirmed.

From the copies that MessageLabs have intercepted, the email may be composed as follows:

Subject:

I Miss You

The email body contains the following text:

I Miss You…

Attachment file names include:

Bloods.jpg (11,507) – a picture of a sad-looking bloodhound,
hence the name

bgg.jpg (2,680) – a background image

Missingyou.htm .pf.htm – or Missingyou.pif (11,296) since the name
and filename are different in the MIME header.

Detection

Skeptic™ detected W32/Sadhound.A heuristically.

 

[$teve]

bump

 

[CalamityJane]

UPDATE!

According to McAfee AVERT

McAfee AVERT
-- Update January 27, 2003 --
A new variant of this trojan was recently spammed to many email addresses. This variant requires the 4245 DAT files for detection and removal. Some vendors have labeled this variant as "Sadhound"

Details here:
»vil.nai.com/vil/content/v_99958.htm[?]
--
Symantec Security Response - Backdoor.Sadhound
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.sadhound.html

Backdoor.Sadhound
Discovered on: January 30, 2003

Backdoor.Sadhound is a backdoor Trojan that creates the file, %System%\Mswins0ck.exe. This file performs unauthorized actions on the infected computer.

Symantec has received reports that many users are receiving spam with this Trojan. This Trojan does not have the ability to spread itself.

NOTE: Virus definitions dated prior to January 31, 2003 may detect this as Trojan dropper or Backdoor.Trojan.

Also Known As: Troj/SadHound-A [Sophos], Multidropper-CE [McAfee], TROJ_SADHOUND.A [Trend], Sadhound [F-Secure]
Type: Trojan Horse
Infection Length: 7,200 bytes, 11,296 bytes(dropper)
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Macintosh, OS/2, UNIX, Linux

--
Trend Micro - TROJ_SADHOUND.A
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?
VName=TROJ_SADHOUND.A

TROJ_SADHOUND.A
Description:

This backdoor is an Internet Relay Chat (IRC) Bot that is dropped and executed by TROJ_SADHOUND.A on affected systems.

It connects to a specific Internet Relay Chat (IRC) server and joins an affected system to a channel there. Upon connection, it enables remote users to launch Denial of Service (DoS) attacks on other systems. Remote users also use it to execute the following on affected systems

View system information

Upload and execute a file

This malware runs on Windows 95, 98, NT, 2000, ME, and XP systems.

--
Sophos
Troj/SadHound-A
http://www.sophos.com/virusinfo/analyses/trojsadhounda.html
--
RAV added this to the latest dectections:
Sadhound.A(3)
http://www.ravantivirus.com/pages/dldupdate.php?type=Daily