New Virus Warning: W32/Sadhound.A

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

CalamityJane

Thread Starter
Joined
Jan 23, 2003
Messages
9
Just got this in an e-mail from Message Labs.


General

The details of the new virus are as follows:

Virus name: W32/Sadhound.A
Number of copies seen so far: 2,704
Date first Captured: 25th Jan 2003
Origin of first intercepted copy: Netherlands
Number of countries seen active: 1
Most active countries: Netherlands

Technical Details

On 25th January 2003, MessageLabs intercepted the first copies of a new virus called W32/Sadhound.A. To date, all of the copies that we have stopped thus far originated from the same IP address in the Netherlands. Therefore, at this time, we are unsure as to whether this is a seeding of a trojan, broken malware, or a mass-mailer.

Initial analysis suggests this is a dropper-program, depositing a mass-mailer with a backdoor and a mIRC component; however, this has yet to be confirmed.

From the copies that MessageLabs have intercepted, the email may be composed as follows:

Subject:

I Miss You

The email body contains the following text:

I Miss You…

Attachment file names include:

Bloods.jpg (11,507) – a picture of a sad-looking bloodhound, hence the name

bgg.jpg (2,680) – a background image

Missingyou.htm .pf.htm – or Missingyou.pif (11,296), since the name and filename are different in the MIME header.

Detection

Skeptic™ detected W32/Sadhound.A heuristically.
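The name/filename disagreement MessageLabs describes is something a mail gateway can check for. The following Python snippet is an added example, not code from the thread or from any vendor writeup: it parses a constructed message modelled on that description and flags attachments whose Content-Type `name` and Content-Disposition `filename` disagree, or whose effective extension is one Windows runs directly. The sample mail, its addresses and the `EXECUTABLE_EXTS` list are constructed assumptions.

```python
import email
import os
from email import policy

# Extensions Windows executes directly when opened (.pif is the one Sadhound used).
EXECUTABLE_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}

# Constructed sample modelled on the thread's description, not a real capture:
# Content-Type says "Missingyou.htm .pf.htm", Content-Disposition says "Missingyou.pif".
SAMPLE_MAIL = b"""From: sender@example.invalid
To: recipient@example.invalid
Subject: I Miss You
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

I Miss You...
--b1
Content-Type: application/octet-stream; name="Missingyou.htm .pf.htm"
Content-Disposition: attachment; filename="Missingyou.pif"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""


def attachment_findings(raw_message: bytes) -> list:
    """One finding per attachment whose advertised names disagree or resolve to an executable."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ct_name = part.get_param("name")  # name= from Content-Type
        cd_name = part.get_filename()     # filename= from Content-Disposition (falls back to name=)
        if ct_name is None and cd_name is None:
            continue  # inline body text, not an attachment
        reasons = []
        # str() guards against RFC 2231 tuples that get_param may return for encoded names.
        if ct_name and cd_name and str(ct_name).strip().lower() != cd_name.strip().lower():
            reasons.append("name/filename mismatch")
        # The client saves under the Content-Disposition filename, so that extension decides.
        ext = os.path.splitext((cd_name or str(ct_name)).strip().lower())[1]
        if ext in EXECUTABLE_EXTS:
            reasons.append(f"executable extension {ext}")
        if reasons:
            findings.append({"name": ct_name, "filename": cd_name, "reasons": reasons})
    return findings
```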
 

CalamityJane

Thread Starter
Joined
Jan 23, 2003
Messages
9
UPDATE!

According to McAfee AVERT:
-- Update January 27, 2003 --
A new variant of this trojan was recently spammed to many email addresses. This variant requires the 4245 DAT files for detection and removal. Some vendors have labeled this variant as "Sadhound"
Details here:
vil.nai.com/vil/content/v_99958.htm
--
Symantec Security Response - Backdoor.Sadhound
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.sadhound.html

Backdoor.Sadhound
Discovered on: January 30, 2003

Backdoor.Sadhound is a backdoor Trojan that creates the file, %System%\Mswins0ck.exe. This file performs unauthorized actions on the infected computer.

Symantec has received reports that many users are receiving spam with this Trojan. This Trojan does not have the ability to spread itself.

NOTE: Virus definitions dated prior to January 31, 2003 may detect this as Trojan dropper or Backdoor.Trojan.

Also Known As: Troj/SadHound-A [Sophos], Multidropper-CE [McAfee], TROJ_SADHOUND.A [Trend], Sadhound [F-Secure]
Type: Trojan Horse
Infection Length: 7,200 bytes, 11,296 bytes(dropper)
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Macintosh, OS/2, UNIX, Linux
--
Trend Micro - TROJ_SADHOUND.A
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_SADHOUND.A

TROJ_SADHOUND.A
Description:

This backdoor is an Internet Relay Chat (IRC) Bot that is dropped and executed by TROJ_SADHOUND.A on affected systems.

It connects to a specific Internet Relay Chat (IRC) server and joins an affected system to a channel there. Upon connection, it enables remote users to launch Denial of Service (DoS) attacks on other systems. Remote users also use it to execute the following on affected systems:

View system information

Upload and execute a file

This malware runs on Windows 95, 98, NT, 2000, ME, and XP systems.
--
Sophos
Troj/SadHound-A
http://www.sophos.com/virusinfo/analyses/trojsadhounda.html
--
RAV added this to the latest detections:
Sadhound.A(3)
http://www.ravantivirus.com/pages/dldupdate.php?type=Daily