Backdoor:Win32/Sdbot.SR is a member of Win32/Sdbot, a large family of IRC-controlled backdoors that allow unauthorized access to and control of an affected computer. Using this backdoor, an attacker can perform a large number of different actions on an affected computer, including downloading and executing arbitrary files, stealing sensitive information and spreading to other computers using various methods.
Installation
When executed, Backdoor:Win32/Sdbot.SR copies itself to <system folder>\svcsen.exe.
Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP, Vista and 7.
The malware adds the following registry entries so that its copy runs at each Windows start. Note that the value data is the bare file name "svcsen.exe" with no path, so Windows resolves it through the system search path, which includes the System folder the copy was dropped in:
Adds value: "System Services"
With data: "svcsen.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds value: "System Services"
With data: "svcsen.exe"
To subkey: HKCU\Software\Microsoft\windows\currentversion\run
Payload
Modifies system settings
Backdoor:Win32/Sdbot.SR modifies the affected computer system's settings by making the following changes to the registry:
- The malware disables DCOM (Distributed Component Object Model) on the computer, so that local applications can no longer contact DCOM servers and remote clients can no longer launch servers or connect to objects on the affected computer. This also breaks legitimate remote management that depends on DCOM, such as classic remote WMI. It does this by making the following registry modification:
Adds value: "EnableDCOM"
With data: "n"
To subkey: HKLM\SOFTWARE\Microsoft\Ole
Note: This modification is most likely intended to stop a different attacker from compromising the affected computer through DCOM-based exploits, rather than to protect the victim; it should be treated as an indicator of compromise, not as a hardening measure.
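The following PowerShell script is an added triage example, not part of the original description, that checks a host for the indicators listed in the Installation and Payload sections above: the dropped svcsen.exe in the System folder (compared against the sample SHA1 quoted at the end of this description), the "System Services" values in the HKLM and HKCU Run keys, and EnableDCOM = "N" under HKLM\SOFTWARE\Microsoft\Ole. The script is read-only unless the -Remediate switch is given; the switch name and the remediation steps are this example's own, not something the description specifies.

```powershell
# Added example: triage for Backdoor:Win32/Sdbot.SR indicators (not from the original page).
# Indicator paths, value names and data are taken from the description above; the -Remediate
# switch and the clean-up actions are this example's own assumptions.
[CmdletBinding()]
param(
    [switch]$Remediate
)

$FileName   = 'svcsen.exe'
$ValueName  = 'System Services'
$SampleSha1 = '0f1c6f54938e0aa97b0fdc843419aa5cafde3837'   # SHA1 of the analysed sample
$SystemDir  = [Environment]::GetFolderPath('System')        # e.g. C:\Windows\System32
$DropPath   = Join-Path $SystemDir $FileName

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$OleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'

$findings = @()

# 1. Dropped copy in the System folder. A hash match is a confident hit; a name-only
#    match is still reported because other variants of the family may differ by hash.
if (Test-Path -LiteralPath $DropPath) {
    $hash = (Get-FileHash -LiteralPath $DropPath -Algorithm SHA1).Hash.ToLower()
    $findings += [pscustomobject]@{
        Indicator = 'file'
        Location  = $DropPath
        Detail    = $(if ($hash -eq $SampleSha1) { 'SHA1 matches analysed sample' } else { "SHA1 $hash (file name match only)" })
    }
    if ($Remediate) {
        # The file cannot be deleted while its process is running, so stop it first.
        Get-Process -Name ([IO.Path]::GetFileNameWithoutExtension($FileName)) -ErrorAction SilentlyContinue |
            Stop-Process -Force
        Remove-Item -LiteralPath $DropPath -Force
    }
}

# 2. Run-key persistence: value "System Services" whose data references svcsen.exe.
#    The data is a bare file name, so match on the file name rather than the exact string.
foreach ($key in $RunKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $data = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).$ValueName
    if ($data -and ($data -match [regex]::Escape($FileName))) {
        $findings += [pscustomobject]@{
            Indicator = 'run-key'
            Location  = "$key\$ValueName"
            Detail    = $data
        }
        if ($Remediate) { Remove-ItemProperty -LiteralPath $key -Name $ValueName }
    }
}

# 3. DCOM disabled system-wide. The malware writes "n"; string -eq is case-insensitive.
$enableDcom = (Get-ItemProperty -LiteralPath $OleKey -ErrorAction SilentlyContinue).EnableDCOM
if ($enableDcom -eq 'N') {
    $findings += [pscustomobject]@{
        Indicator = 'dcom'
        Location  = "$OleKey\EnableDCOM"
        Detail    = "value is '$enableDcom' (DCOM disabled)"
    }
    # Restore the Windows default ("Y"). Only do this if DCOM was not deliberately disabled.
    if ($Remediate) { Set-ItemProperty -LiteralPath $OleKey -Name 'EnableDCOM' -Value 'Y' }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Backdoor:Win32/Sdbot.SR indicators found.'
} else {
    $findings | Format-Table -AutoSize
    if ($Remediate) {
        Write-Warning 'Indicators removed. Reboot, rescan with up-to-date AV, and rotate any credentials used on this host.'
    }
}
```

Run it in an elevated PowerShell session; reading HKLM works unprivileged, but -Remediate needs administrator rights to edit HKLM and the System folder. Two caveats: the HKCU check only covers the user running the script, so on a multi-user machine load the other users' hives (HKEY_USERS) or run it as each user, and the EnableDCOM change typically takes effect only after a restart, so a host can show "N" in the registry while DCOM is still functioning, or vice versa.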
Allows backdoor access and control
The malware allows unauthorized access to and control of an affected computer. An attacker can perform any number of different actions on an affected computer using Backdoor:Win32/Sdbot.SR, including, but not limited to, the following:
- Download and execute arbitrary files
- Upload files
- Spread to other computers using various methods of propagation
- Log keystrokes or steal sensitive data
- Modify system settings
- Run or terminate applications
- Delete files
This malware description was produced and published using our automated analysis system's examination of file SHA1 0f1c6f54938e0aa97b0fdc843419aa5cafde3837.