Threat Description

Backdoor:​W32/SdBot.CNJ

Details

Aliases: Backdoor:​W32/SdBot.CNJ, Trojan.Win32.Agent.asdj
Category: Malware
Type: Backdoor
Platform: W32

Summary



Backdoor:W32/SdBot.CNJ is a piece of malicious software that tries to disable various firewalls and antivirus programs, steal passwords from the infected machine and spread through removable media devices.



Removal



Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details



Process Changes

Creates these processes:

  • %cwd%\[filename].exe
  • %programfiles%\Internet
  • Explorer\IEXPLORE.EXE/[filename]

Creates these mutexes:

  • Y_aKS~pXq1MKTN4PE

Network Connections

Attempts to connect with HTTP to:

  • Web1.(censored)[removed].org:443/TCP

Registry Modifications

Sets these values:

  • HKCU\Software\Microsoft\Windows NT\CurrentVersion (default) = h1Ucm{yQvor}^imlol|Pxhc|en isl
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run QnX = c:\(path)\[filename].(filename)exe
  • HKLM\SOFTWARE\Microsoft\Active Setup\Installed
  • Components\{77520Q86-864L-N81R-0R2W-7U2G0P22436U} StubPath = "c:\(path)\.(filename)exe"
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run QnX =c:\(path)\.(filename)exe

Creates these keys:

  • HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{77520Q86-864L-N81R-0R2W-7U2G0P22436U}





SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Scan & clean your PC

F-Secure Online Scanner will scan and clean your PC in just a few minutes for free

Learn More