Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Threats » SDBot

Overview

Threat Risk LOW LOW
Destructivity NONE NONE
Payload Backdoor/DoS
Detection files published
Description created 22 Apr 2004 05:22:00
Description updated 22 Apr 2004 05:22:00
Malware type WORM
Alias
Spreading mechanism NETWORK
Summary None

SDBot

Spreading

When an SDBot is executed it will copy itself to the %SYSTEM% directory and create a registry value in either or both of the following registry keys to ensure it is started with Windows: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce A selection of filenames used by SDBots are: dosnet.exe (W32/SDBot.JN) wupdated.exe (W32/SDBot.JP) winsys32.exe (W32/SDBot.JQ) msserv.exe (W32/SDBot.JS) comport.exe (W32/SDBot.JT) lmss.exe (W32/SDBot.JU) AntiVirus32.exe (W32/SDBot.JV) msgfix.exe (W32/SDBot.JX & .QF) win32server.exe (W32/SDBot.JY) pown.exe (W32/SDBot.KF) intcp32.exe (W32/SDBot.KK) iexplore.exe (W32/SDBot.KL) MSNHome.exe (W32/SDBot.KM) mgnwin32.exe (W32/SDBot.KN) vbxpl.exe (W32/SDBot.KO) mrvdwwx.exe (W32/SDBot.KP) iexplorers.exe (W32/SDBot.KQ) SpoolServ.exe (W32/SDBot.KS) winboot32.exe (W32/SDBot.QC) winlord32.exe (W32/SDBot.QD) symantec32.exe (W32/SDBot.QE) MSCFG.exe (W32/SDBot_based) netcfg32.exe (W32/SDBot_based) I1Eexplore.exe (W32/SDBot_based) iEEexplore.exe (W32/SDBot_based) ms32sys.exe (W32/SDBot_based) wsock32p.exe (W32/SDBot_based) A selection of registry values used by SDBots are: Dos Mode (W32/SDBot.JN) Configuration Loaded (W32/SDBot.JP) Configuration Loader (W32/SDBot.JQ) Microsoft Service (W32/SDBot.JS) Microsoft Com Port Manager (W32/SDBot.JT) load (W32/SDBot.JU) Windows Anti-Virus Built 32 (W32/SDBot.JV) configuration loader (W32/SDBot.JW) Configuration Loader (W32/SDBot.JX & .QF) Winsock32driver (W32/SDBot.JY) Microsoftx (W32/SDBot.KF) Threaded (W32/SDBot.KK) Configuration Loader (W32/SDBot.KL) MSN Home Page (W32/SDBot.KM) RandomWin32 (W32/SDBot.KN) Configurations Loader (W32/SDBot.KO) MyICQN (W32/SDBot.KP) iexplorers loader (W32/SDBot.KQ) Microsoft DirectX (W32/SDBot.KS) Win32 Boot System (W32/SDBot.QC) Windows Lord Anti-Virus (W32/SDBot.QD) Symantec Security (W32/SDBot.QE) Microsoft Configuration (W32/SDBot_based) Network Card Driver Loader (W32/SDBot_based) Config Loadatorin (W32/SDBot_based) Config Loadation (W32/SDBot_based) systemdrv (W32/SDBot_based) WSock32 Protocol (W32/SDBot_based) SDBots spread via network shares by brute forcing weak passwords if possible. When successful in copying itself to a remote share an SDBot will schedule a network task to infected the machine.

Payload Details

SDBots contain a backdoor element that will join an IRC channel and wait for commands. They usually connect to an IRC sever using a high port number. Depending on what command an SDBot receives it may perform one of the following tasks: Perform a DoS attack using SYN floods, UDP packets or ping of death. Update itself. Send CPU details, memory statistics or running thread information to the attacker. Join another IRC channel, change its NICK or logout of the channel. Download or upload files. Launch executables. Scan the network and infect NT based machines. SDBots also attempt to terminate running processes associated with anti-virus/firewall software.

Analysis

n/a

Removal

Lumension currently detects hundreds of SDBot variants, whilst Lumension Sandbox detects the majority of new SDBots as W32/Malware.


Last Updated: 12 Nov 2015 11:06:15