Backdoor:Win32/Sdbot

When Win32/Sdbot runs, it copies itself to %windir% or <system folder>. In many cases, it adds a value to one or more registry keys. These changes cause the Trojan to run whenever Windows starts. Some variants also add a Windows system service to attain similar results.

 

Win32/Sdbot connects to an internet relay chat (IRC) server and joins a channel to receive commands, which can include actions such as:

 

Upon receiving IRC commands, the Trojan can spread to remote computers by exploiting one or more Windows vulnerabilities. Win32/Sdbot can spread to remote computers by trying weak passwords that it draws from a fixed list. The Trojan may exploit the MS03-026 vulnerability to create a remote shell on a computer. The Trojan uses the remote shell to copy and run itself on a remote computer. The Trojan can also be instructed through IRC commands to spread through backdoor ports opened by Mydoom, Bagle, Optix, Netdevil, and other malicious software families.

 

Some variants of the Trojan terminate security-related products. Later variants of the Trojan can install a kernel-mode rootkit driver, which hides the Trojan process from Task Manager and other process-viewer applications.