Backdoor:W32/SdBot.CNJ

Name: Backdoor:W32/SdBot.CNJ
Detection Names: Backdoor:W32/SdBot.CNJ, Trojan.Win32.Agent.asdj
Aliases: W32.Ackantta@mm (Symantec), W32/Autorun-RI (Sophos), W32/Xirtem@MM (McAfee), VirTool:Win32/CeeInject.gen!K (Microsoft)
Category: Malware
Type: Backdoor
Platform: W32

Summary

Backdoor:W32/SdBot.CNJ is malicious software that attempts to disable various firewall and antivirus programs, steals passwords from the infected machine and spreads through removable media devices.

Details


Process Changes
Creates these processes:

%cwd%\.exe
%programfiles%\Internet Explorer\IEXPLORE.EXE


Creates these mutexes:

Y_aKS~pXq
1MKTN4PE


Network Connections
Attempts to connect with HTTP to:

web1.(censored).org:443/TCP


Registry Modifications
Sets these values:

HKCU\Software\Microsoft\Windows NT\CurrentVersion (default) = h1Ucm{yQvor}^imlol|Pxhc|en isl
HKCU\Software\Microsoft\Windows\CurrentVersion\Run QnX = c:\(path)\.(filename)exe
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{77520Q86-864L-N81R-0R2W-7U2G0P22436U} StubPath = "c:\(path)\.(filename)exe"
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run QnX = c:\(path)\.(filename)exe

Creates these keys:

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{77520Q86-864L-N81R-0R2W-7U2G0P22436U}
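A report-only host check for the persistence locations and mutex names listed in this entry, added here as an example and not part of the F-Secure description. The registry paths, value names, GUID and mutex names are taken verbatim from the page; also probing the Global\ mutex namespace is an assumption.

```powershell
# Added example (not F-Secure's code): look for the SdBot.CNJ artefacts listed
# above and report them. Nothing is modified or removed. Run elevated.
$guid = '{77520Q86-864L-N81R-0R2W-7U2G0P22436U}'   # GUID exactly as printed on the page

$registryChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';                  Name = 'QnX' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'; Name = 'QnX' }
    @{ Path = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\$guid";      Name = 'StubPath' }
)
$mutexNames = @('Y_aKS~pXq', '1MKTN4PE')

function Find-SdBotCNJArtifacts {
    $findings = @()
    foreach ($check in $registryChecks) {
        if (-not (Test-Path -LiteralPath $check.Path)) { continue }
        $props = Get-ItemProperty -LiteralPath $check.Path -ErrorAction SilentlyContinue
        if ($props -and ($props.PSObject.Properties.Name -contains $check.Name)) {
            $findings += [pscustomobject]@{
                Kind     = 'Registry'
                Location = "$($check.Path)\$($check.Name)"
                Detail   = $props.($check.Name)      # the command line the value points at
            }
        }
    }
    foreach ($name in $mutexNames) {
        # The page lists bare names; checking Global\ as well is an assumption.
        foreach ($candidate in @($name, "Global\$name")) {
            try {
                $m = [System.Threading.Mutex]::OpenExisting($candidate)
                $m.Dispose()
                $findings += [pscustomobject]@{ Kind = 'Mutex'; Location = $candidate; Detail = 'open succeeded' }
            } catch [System.Threading.WaitHandleCannotBeOpenedException] {
                # mutex does not exist in this namespace
            } catch [System.UnauthorizedAccessException] {
                # exists but is owned by another security context: still a hit
                $findings += [pscustomobject]@{ Kind = 'Mutex'; Location = $candidate; Detail = 'exists (access denied)' }
            }
        }
    }
    return $findings
}

$results = @(Find-SdBotCNJArtifacts)
if ($results.Count -eq 0) { 'No SdBot.CNJ artefacts found.' } else { $results | Format-Table -AutoSize }
```

A hit on the Active Setup StubPath key is the most durable of the three, since Active Setup re-runs the stub for every user profile at logon; the two Run values only cover the current user.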