Eng
  1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar


Backdoor:W32/SdBot


Aliases:


Backdoor:W32/SdBot

Malware
Backdoor
W32

Summary

A remote administration utility which bypasses normal security mechanisms to secretly control a program, computer or network.



Disinfection & Removal


Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.


Eliminating a Local Network Outbreak

If the infection is in a local network, please follow the instructions on this webpage:



Technical Details

Backdoor:W32/SdBot comprises a large family of remote access utilities known to be used by hackers to gain unauthorized control of a user's computer system.

Variants in the SdBot family include:


Installation

Depending on the variant, SdBot backdoors copy themselves either to the Windows System directory, or to other directories located in the System directory. It also ensures the copy is started when the system stars by creating a subkey in one of the following registry keys:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

The name of subkey and its value differ depending on the variant.


Activity

SdBot backdoors connect to various IRC servers, joining an IRC channel (the choice of channel is hardcoded into the code) in order to receive instruction from the attacker(s). The backdoor can perform a variety of actions, including acting as an IRC proxy server, downloading and executing remote files, sending messages and more.







Submit a sample




Wondering if a file or URL is malicious? Submit a sample to our Lab for analysis via the Sample Analysis System (SAS)

Give And Get Advice




Give advice. Get advice. Share the knowledge on our free discussion forum.

Scan and clean your PC




F-Secure Online Scanner will scan and clean your PC in just a few minutes for free