Backdoor:Win32/Sdbot.SO is a member of Win32/Sdbot - a large family of IRC-controlled backdoors that allow unauthorized access to and control of an affected computer. Using this backdoor, an attacker can perform a large number of different actions on an affected computer, including downloading and executing arbitrary files, stealing sensitive information and spreading to other computers using various methods.
Installation
When executed, Backdoor:Win32/Sdbot.SO copies itself to the following locations:
- <system folder>\antivirus.exe
- <system folder>\kazaabackupfiles\counterstrike cd crack keygen does all versions works great counter strike.exe
- <system folder>\kazaabackupfiles\windows xp activation crack and keygen does all versions great.exe
- <system folder>\kazaabackupfiles\doom3 crack no cd and cd keygen doom 3 that works.exe
- <system folder>\kazaabackupfiles\half life 2 crack hl2 no cd and cd keygen halflife2.exe
- <system folder>\kazaabackupfiles\mcafee crack does all versions.exe
- <system folder>\kazaabackupfiles\microsoft office msoffice crack keygen does all versions.exe
- <system folder>\kazaabackupfiles\need for speed underground 2 crack no cd and keygen great nfsu2 nfsu 2.exe
- <system folder>\kazaabackupfiles\nero crack keygen does all versions.exe
- <system folder>\kazaabackupfiles\norton crack does all versions.exe
- <system folder>\kazaabackupfiles\railroad tycoon 3 crack no cd and cd keygen that works.exe
- <system folder>\kazaabackupfiles\rollercoaster tycoon 3 crack no cd and cd keygen that works.exe
- <system folder>\kazaabackupfiles\sims 2 crack no cd and cd keygen sims2 that works.exe
Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP, Vista, and 7.
The malware modifies the following registry entries to ensure that its copy executes at each Windows start:
Adds value: "antivirus32"
With data: "antivirus.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The malware creates the following files on an affected computer:
Payload
Allows backdoor access and control
Backdoor:Win32/Sdbot.SO attempts to connect to an IRC server at antivirus32.windows32.com via TCP port 4564, join a channel and wait for commands. Using this backdoor, an attacker may be able to perform the following actions on an affected computer:
- Download and execute arbitrary files
- Upload files
- Spread to other computers using various methods of propagation
- Log keystrokes or steal sensitive data
- Modify system settings
- Run or terminate applications
- Delete files
This malware description was produced and published using our automated analysis system's examination of file SHA1 e5c3871e8bcf74e4cd6ad97b36b81faad4bf9676.