Virus: BDS/DWing
Date discovered: 13/12/2012
Type: Backdoor Server
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 13.805 Bytes
MD5 checksum: CF0C1354D79FBA0E883A8142A3380D90
VDF version: 7.11.53.216

General
Method of propagation:
   • No own spreading routine


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Registry modification
   • Third party control

Files
It copies itself to the following location:
   • %SYSDIR%\sðîîl32.exe

Registry
The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "spoolsv"="%SYSDIR%\sðîîl32.exe"

IRC
To deliver system information and to provide remote control it connects to the following IRC Server:

Server: www.berk**********.ru
Port: 2222
Server password: WD22dq2QWd
Channel: #bots
Nickname: %random character string%

Server: www.berk**********.ru
Port: 2222
Server password: WD22dq2QWd
Channel: #`bots
Nickname: %random character string%


– Furthermore it has the ability to perform actions such as:
    • Connect to IRC server
    • Disconnect from IRC server
    • Download file
    • Execute file
    • Join IRC channel
    • Leave IRC channel
    • Perform DDoS attack

Backdoor
Contact server:
The following:
   • http://m0dix.**********.ru/cgi-bin/notify.php

As a result, remote control capability is provided. This is done via an HTTP GET request to a PHP script.


Remote control capabilities:
    • Download file
    • Execute file
    • Perform DDoS attack

File details
Runtime packer:
To make detection more difficult and to reduce the size of the file, it is packed with a runtime packer.

Description inserted by Andrei Gherman on Tuesday, December 20, 2005
Description updated by Andrei Gherman on Tuesday, December 27, 2005
