Backdoor:Win32/Sdbot.OT is a member of Win32/Sdbot, a large family of IRC-controlled backdoors that allow unauthorized access to and control of an affected computer. Using this backdoor, an attacker can perform a large number of different actions on an affected computer, including downloading and executing arbitrary files, stealing sensitive information, and spreading to other computers using various methods.
Installation
When executed, Backdoor:Win32/Sdbot.OT copies itself to <system folder>\wdgmr32.exe.
Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the system folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on XP, Vista, and 7.
The malware adds the following registry values to ensure that its copy executes at each Windows start:
Adds value: "Microsoft MicroP Protocol"
With data: "wdgmr32.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds value: "Microsoft MicroP Protocol"
With data: "wdgmr32.exe"
To subkey: HKCU\Software\Microsoft\windows\currentversion\run
Payload
Terminates processes
Backdoor:Win32/Sdbot.OT terminates the following processes should they be running on an affected computer:
- NAVW32.exe
- PandaAVEngine.exe
Modifies system settings
The malware modifies the affected computer system's settings by making the following changes to the registry:
- The malware stops or blocks all DCOM (Distributed Component Object Model) traffic, so that the affected computer is unable to contact DCOM servers, and remote clients are unable to launch servers or connect to objects on that affected computer. It does this by making the following registry modification:
Adds value: "EnableDCOM"
With data: "n"
To subkey: HKLM\SOFTWARE\Microsoft\Ole
Note: This modification may be made to stop the affected computer from being further compromised by a different attacker.
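The following PowerShell script is an added example and is not part of the Microsoft description; it checks a host for the artifacts listed under Installation and Modifies system settings above: the Run-key value, the dropped file in the system folder, and the EnableDCOM setting. The value name, file name, registry paths, EnableDCOM data and the SHA1 at the end of this page come from the description; the function and variable names are this script's own assumptions. Run it in an elevated PowerShell session.

```powershell
# Added example, not code from the Microsoft description. Checks for the
# registry and file artifacts this page attributes to Backdoor:Win32/Sdbot.OT.
# Indicator values come from the page; function/variable names are assumed.

$ValueName  = 'Microsoft MicroP Protocol'
$FileName   = 'wdgmr32.exe'
$SampleSha1 = 'E5B048987FC8FAC9539511F60731B4C397B85C6D'   # SHA1 of the analysed sample, from the page
$RunKeys    = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

function Test-SdbotOtArtifacts {
    $findings = @()

    # Persistence: a Run-key value named "Microsoft MicroP Protocol" whose data names wdgmr32.exe.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $data = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).$ValueName
        if ($null -ne $data) {
            $findings += [pscustomobject]@{
                Indicator = 'Run key persistence'
                Location  = "$key\$ValueName"
                Value     = $data
                Match     = [bool]($data -match [regex]::Escape($FileName))
            }
        }
    }

    # Dropped file: <system folder>\wdgmr32.exe. The SHA1 is compared with the analysed
    # sample; a different hash does not rule out another variant of the same family.
    $dropped = Join-Path -Path ([Environment]::GetFolderPath('System')) -ChildPath $FileName
    if (Test-Path -LiteralPath $dropped) {
        $hash = (Get-FileHash -LiteralPath $dropped -Algorithm SHA1).Hash
        $findings += [pscustomobject]@{
            Indicator = 'Dropped file'
            Location  = $dropped
            Value     = "sha1=$hash"
            Match     = ($hash -ieq $SampleSha1)
        }
    }

    # System setting: EnableDCOM set to "n" under HKLM\SOFTWARE\Microsoft\Ole.
    $oleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'
    $dcom = (Get-ItemProperty -Path $oleKey -ErrorAction SilentlyContinue).EnableDCOM
    if ($null -ne $dcom -and $dcom -ieq 'n') {
        $findings += [pscustomobject]@{
            Indicator = 'DCOM disabled'
            Location  = "$oleKey\EnableDCOM"
            Value     = $dcom
            Match     = $true
        }
    }

    return $findings
}

$results = @(Test-SdbotOtArtifacts)
if ($results.Count -eq 0) {
    Write-Output 'No Sdbot.OT artifacts found.'
} else {
    $results | Format-Table -AutoSize
}
```

The Run-key value name, not just the file name, is the stronger indicator here: a legitimate autorun entry is unlikely to be called "Microsoft MicroP Protocol". If the file is found, quarantine it rather than deleting it outright, so the sample is available for further analysis, and remember that the DCOM setting will need to be restored after removal since the malware does not undo it.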
Allows backdoor access and control
The malware attempts to connect to an IRC server at natoownz.server.us via TCP port 7777, join a channel, and wait for commands. Using this backdoor, an attacker can perform a number of actions on an affected computer. For example, an attacker may be able to perform the following actions:
- Download and execute arbitrary files
- Upload files
- Spread to other computers using various methods of propagation
- Log keystrokes or steal sensitive data
- Modify system settings
- Run or terminate applications
- Delete files
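As an added example that is not part of the Microsoft description, the following PowerShell snippet looks for the network side of the backdoor described above: live TCP connections to remote port 7777 together with the owning process, and cached DNS entries for the named IRC host. Only the port, host name and file name come from the page; the function names and the use of Get-NetTCPConnection and Get-DnsClientCache (available on Windows 8 / Server 2012 and later) are this script's own choices.

```powershell
# Added example, not code from the Microsoft description. Reports connections
# to the C2 port named on the page and the process behind them, plus any cached
# DNS lookup of the named IRC host. Indicator values come from the page.

function Get-SuspectIrcConnections {
    param(
        [int]$Port = 7777,              # IRC port named on the page
        [string]$ImageName = 'wdgmr32.exe'
    )

    Get-NetTCPConnection -RemotePort $Port -ErrorAction SilentlyContinue |
        Where-Object { $_.State -in 'Established', 'SynSent' } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                State         = $_.State
                ProcessId     = $_.OwningProcess
                ProcessName   = $proc.ProcessName
                ImagePath     = $proc.Path
                # True only when the connecting image is the dropped file itself.
                NameMatch     = [bool]($proc -and $proc.Path -and ($proc.Path -like "*\$ImageName"))
            }
        }
}

function Get-CachedC2Lookups {
    param([string]$HostName = 'natoownz.server.us')   # IRC host named on the page

    # Reads the local resolver cache only; it does not resolve the name itself.
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -like "*$HostName*" } |
        Select-Object Entry, Data, TimeToLive
}

Write-Output "Connections to TCP/7777:"
Get-SuspectIrcConnections | Format-Table -AutoSize
Write-Output "Cached DNS entries for natoownz.server.us:"
Get-CachedC2Lookups | Format-Table -AutoSize
```

Port 7777 on its own is a weak indicator, since legitimate software also uses it; the combination of that port, the dropped image name and the host name is what makes a finding actionable. On hosts without the NetTCPIP module, `netstat -ano` gives the same connection-to-PID mapping for manual review, and the C2 host name is best blocked or sinkholed at the resolver rather than only on the affected machine.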
This malware description was produced and published using our automated analysis system's examination of file SHA1 E5B048987FC8FAC9539511F60731B4C397B85C6D.