
Backdoor.SDBot.DGFE


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Backdoor.SDBot.DGFE is also known as: OneCare: Worm:Win32/Pushbot.gen; Symantec: Backdoor.Sdbot; FProt: W32/Backdoor2.DCKA.

Explanation:

This backdoor comes with an icon identical to that of an image; when executed, it will display a message box saying that "The picture cannot be displayed". It will then install itself on the system by creating a new copy at %system%\wauclt.exe and registering it at startup by adding the following registry value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Generic Host. The main executable is packed and is 634880 bytes in length.

Once installed, it will connect to an IRC channel and will start listening to commands that a remote attacker may send. Tasks it can perform depending on these commands are:

- spread using MSN
- update itself, by downloading new variants
- download and execute other files sent by the attacker
- edit files on the attacked computer
- retrieve various information about the local machine, such as IP address, host name, OS version, IM client used, active processes or active threads

The malware has a self-protection mechanism: in order to avoid attracting too much attention, it may disable itself for a certain amount of time. The following messages will be sent to the attacker: "!!!Security!!!. Lamer detected. coming back in 24hrs, download and update disabled." or "!!!Security!!!. Lamer detected. coming back next reboot, cya.".
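A defender-side check that matches the installation indicators (Run value, dropped file name, file size) and the self-protection IRC notices quoted above. This is an added example, not BitDefender's code; the autorun record layout and the sample entries are constructed assumptions.

```python
"""Defender-side check for the Backdoor.SDBot.DGFE indicators in this write-up."""
import ntpath                      # Windows path handling, works on any host
from dataclasses import dataclass
from typing import List, Optional

# Indicators taken from the write-up above; nothing else here is from the page.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Generic Host"
DROPPED_FILE = "wauclt.exe"        # mimics the legitimate wuauclt.exe
DROPPED_SIZE = 634880              # packed main executable, in bytes
IRC_MARKER = "!!!Security!!!. Lamer detected."   # prefix shared by both notices


@dataclass
class AutorunEntry:
    """One autorun record (assumed layout, e.g. parsed from an Autoruns export)."""
    key: str
    value_name: str
    image_path: str
    size: Optional[int] = None     # on-disk size of image_path, if known


def check_autorun(entry: AutorunEntry) -> List[str]:
    """Return the indicator matches for one autorun entry (empty list = clean)."""
    reasons = []
    if entry.key.lower() == RUN_KEY.lower() and entry.value_name == RUN_VALUE_NAME:
        reasons.append("Run value named 'Generic Host'")
    if ntpath.basename(entry.image_path).lower() == DROPPED_FILE:
        reasons.append("image is wauclt.exe (not the legitimate wuauclt.exe)")
    if entry.size == DROPPED_SIZE:
        reasons.append("image size is 634880 bytes")
    return reasons


def check_irc_line(line: str) -> bool:
    """True if an IRC line carries the self-protection notice quoted above."""
    return IRC_MARKER in line


# Constructed sample input: one infected entry, one benign entry, two IRC lines.
SAMPLE_ENTRIES = [
    AutorunEntry(RUN_KEY, "Generic Host", r"C:\Windows\System32\wauclt.exe", 634880),
    AutorunEntry(RUN_KEY, "Updater", r"C:\Windows\System32\wuauclt.exe", 50000),
]
SAMPLE_IRC = [
    ":bot!u@h PRIVMSG #c :!!!Security!!!. Lamer detected. coming back next reboot, cya.",
    ":bot!u@h PRIVMSG #c :joined",
]

if __name__ == "__main__":
    for e in SAMPLE_ENTRIES:
        print(e.value_name, check_autorun(e))
    print([check_irc_line(line) for line in SAMPLE_IRC])
```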

The malware will keep the attacker informed regarding any action it takes, by sending detailed information about the malicious tasks it performs.

Last update 21 November 2011
