Home / malware Backdoor:W32/SdBot.CKN
First posted on 25 June 2008.
Source: SecurityHomeAliases :
There are no other names known for Backdoor:W32/SdBot.CKN.
Explanation :
Backdoor:W32/SdBot.CKN is a backdoor trojan. Backdoors are programs that allow remote attackers access to the infected machine to compromise data and send additional commands.
right]After the backdoor's file is run, it checks for the existence of Virtual Machines (VM) and immediately exits if any VM environment such as VMware is detected.
The backdoor decrypts its code and injects it into the explorer.exe process. During its startup phase, it creates a file, ise32.exe and a mutex called "asd-6+094997__".
Once active, the backdoor attempts to connect to the following remote IRC server on TCP port 81:
- [Removed].xn--mg-kka.com
The backdoor generates a random nickname and joins a password-protected channel, #ohai, and waits for commands from a channel operator. A remote hacker who is controlling the backdoor can do any of the following:
- Update the backdoor's file from the Internet
- Perform an SYN flood
- Perform a Distributed Denial of Service (DDoS) attack
Last update 25 June 2008