Home / malware Backdoor:Win32/Sdbot.S
First posted on 15 February 2020.
Source: MicrosoftAliases :
Backdoor:Win32/Sdbot.S is also known as BKDR_SDBOT.BN, Backdoor.Win32.SdBot.05.s, W32/Sdbot-Gen, Backdoor.Sdbot.
Explanation :
Backdoor:Win32/Sdbot.S is a member of Win32/Sdbot - a large family of IRC-controlled backdoors that allow unauthorized access and control of an affected computer. Using this backdoor, an attacker can perform a large number of different actions on an affected computer, including downloading and executing arbitrary files, stealing sensitive information and spreading to other computers using various methods. Installation When executed, Backdoor:Win32/Sdbot.S copies itself to
winbncpageviewer3.exe.
Note:refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:WinntSystem32; and for XP, Vista, and 7 is C:WindowsSystem32.
The malware modifies the following registry entries to ensure that its copy executes at each Windows start:
Adds value: "Microsoft Update"
With data: "winbncpageviewer3.exe"
To subkey: HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun Payload Allows backdoor access and control Backdoor:Win32/Sdbot.S attempts to connect to an IRC server at huh.wha.la via TCP port 6667, join a channel and wait for commands. Using this backdoor, an attacker can perform a number of actions on an affected computer. For example, an attacker may be able to perform the following actions:
Download and execute arbitrary files Upload files Spread to other computers using various methods of propagation Log keystrokes or steal sensitive data Modify system settings Run or terminate applications Delete files
This malware description was produced and published using our automated analysis system's examination of file SHA1 175c2128b46741f7efceb230e08a270a3227d3ad.Last update 15 February 2020