Port No | 1043 |
Service Name | BKDR_DOSH |
RFC Doc | 0 |
Protocol | TCP |
Description | Upon execution, this backdoor program drops a copy of itself as OCE32.WDEP in the Windows system folder. It creates several registry entries so that all files with the extension .WDEP are treated as executables. It creates another registry entry to ensure that it automatically runs at every system startup. It attempts to access a personal homepage found on www.geocities.com. This routine appears to be a means to notify a remote user that a system has been compromised. However, as of this writing, the said homepage no longer exists. It also creates the folder ETC in the Windows system folder, where it stores the files that it downloads from another Web site. This download routine looks like a means to update the backdoor program. However, as of this writing, the file that it attempts to download no longer exists. It is designed to open a random port on the compromised machine and wait for commands from a remote user. However, due to some bugs in its code, this backdoor routine does not execute successfully. This backdoor program runs on Windows 95, 98, ME, NT, 2000, and XP. |
Reference Link | BKDR_DOSH |
Attack | Solution: Terminating the Malware Program
This procedure terminates the running malware process.
Open Windows Task Manager.
» On Windows 95, 98, and ME, press CTRL+ALT+DELETE.
» On Windows NT, 2000, and XP, press CTRL+SHIFT+ESC, then click the Processes tab.
In the list of running programs*, locate the process: oce32.wdep
Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your system.
To check if the malware process has been terminated, close Task Manager, and then open it again.
Close Task Manager.
*NOTE: On systems running Windows 95, 98, and ME, Windows Task Manager may not show certain processes. You can use a third-party process viewer such as Process Explorer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions. |