1. Skip to navigation
  2. Skip to content
  3. Skip to secondary-content

Where You Are

  1. Home
  2. Security
  3. Security Lab
  4. Latest Threats
  5. Virus Descriptions
  6. Backdoor:W32/SdBot.CKF

Backdoor:W32/SdBot.CKF

Name : Backdoor:W32/SdBot.CKF
Detection Names : Backdoor.Win32.SdBot.ebp
Category:Malware
Type:Backdoor
Platform:W32

Summary

Backdoor:W32/SdBot.CKF is a backdoor. Backdoors are remote administration utilities that open infected machines to external control via the Internet or a local network.

Upon execution, SdBot.CKF will attempt to connect to an IRC server and tries to download additional malware to the infected machine.

Additional Details

Upon execution, SdBot.CKF will create a copy of itself in the following location:

  • %windir%\winudspm.exe

It creates the following registry entry to automatically start with Windows:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows UDP Control = winudspm.exe

Once the backdoor is active, it connects to an IRC server, joins a certain channel and acts as a bot.

The backdoor will try to contact the following IRC server:

  • irc.bluehell.org
  • 221.6.6.232

Then it joins the following channels:

  • #blockbot2
  • #blockbot.msn

The malware attempts to download from the following locations:

  • http://mitglied.lycos.de/cheatsguard/dci.exe
  • http://mitglied.lycos.de/cheatsguard/is154890.exe
  • http://mitglied.lycos.de/subzz/setup.exe

The files are detected as follows:

  • dci.exe - Backdoor:W32/Rbot.GLP
  • is154890 - Trojan-Downloader.Win32.Agent.rcl
  • setup.exe - Backdoor:W32/IRCBot.GNS

Here are more commands used by the bot:

  • aim.stop
  • download
  • gone
  • l
  • lo
  • login
  • logout
  • msn.stop
  • r.getfile
  • r.new
  • r.upd4te
  • r.update
  • rm
  • rmzerm3b1tch
  • triton.stop
  • update

Furthermore, another sign of infection from this malware is an outbound connection to http.xn--mg-kka.com.