
Backdoor:W32/SdBot


First posted on 15 July 2010.
Source: SecurityHome

Aliases :

There are no other names known for Backdoor:W32/SdBot.

Explanation :

A remote administration utility which bypasses normal security mechanisms to secretly control a program, computer or network.

Additional Details

Backdoor:W32/SdBot comprises a large family of remote access utilities known to be used by hackers to gain unauthorized control of a user's computer system.

Variants in the SdBot family include:

• Backdoor:W32/SdBot.AAY
• Backdoor:W32/SdBot.MB
• Backdoor:W32/SdBot.CKN

Installation

Depending on the variant, SdBot backdoors copy themselves either to the Windows System directory or to other directories located in the System directory. They also ensure the copy is started when the system starts by creating a subkey in one of the following registry keys:

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

The name of the subkey and its value differ depending on the variant.
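
One way to audit the two autostart keys described above for entries that launch a file from the System directory (an added example, not part of the original write-up). It parses `reg query` text output; the sample output, the entry and file names, the `baseline` parameter and the default `C:\Windows` path are assumptions.

```python
import re
from ntpath import normpath  # Windows path semantics on any host OS
# The two autostart keys named in the Installation section.
WATCHED_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
WINDIR = r"c:\windows"  # assumption: default Windows directory
SYSTEM_DIRS = (WINDIR + "\\system32\\", WINDIR + "\\system\\")
# Constructed `reg query` output; entry and file names are made up.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Updater    REG_SZ    "C:\Program Files\Vendor\updater.exe" /background
    Sample Service    REG_SZ    C:\WINDOWS\system32\drivers\svcsample.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    Sample Service    REG_SZ    svcsample.exe
"""

def image_path(command):
    """Return the normalized, lower-cased executable path of a command line."""
    command = command.strip()
    if command.startswith('"'):
        path = command[1:].split('"', 1)[0]
    else:
        m = re.match(r"(?i)(.+?\.(?:exe|com|scr|pif|bat|cmd))(?:\s|$)", command)
        path = m.group(1) if m else command.split(" ", 1)[0]
    path = re.sub(r"(?i)%(windir|systemroot)%", lambda _: WINDIR, path)
    return normpath(path).lower()

def triage(reg_query_output, baseline=()):
    """Return (key, name, path) for watched-key entries that start from System."""
    hits, key = [], None
    known = {b.lower() for b in baseline}
    for line in reg_query_output.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip()
            continue
        fields = re.split(r"\s{4,}", line.strip(), maxsplit=2)
        if key is None or key.lower() not in WATCHED_KEYS or len(fields) != 3:
            continue
        name, reg_type, data = fields
        path = image_path(data)
        # A bare file name is resolved via the search path, which includes System.
        in_system = path.startswith(SYSTEM_DIRS) or "\\" not in path
        if reg_type in ("REG_SZ", "REG_EXPAND_SZ") and in_system and path not in known:
            hits.append((key, name, path))
    return hits
```

A hit is a candidate for review, not a verdict: legitimate software also starts from the System directory, which is what the baseline is for.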

Activity

SdBot backdoors connect to various IRC servers and join an IRC channel (the channel is hardcoded in the backdoor) in order to receive instructions from the attacker(s). The backdoor can perform a variety of actions, including acting as an IRC proxy server, downloading and executing remote files, sending messages and more.

Last update 15 July 2010
