
F-Secure Malware Information Pages: Backdoor:W32/SdBot.CNJ


Name: Backdoor:W32/SdBot.CNJ
Detection Names:
  Backdoor:W32/SdBot.CNJ
  Trojan.Win32.Agent.asdj
Aliases:
  W32.Ackantta@mm (Symantec)
  W32/Autorun-RI (Sophos)
  W32/Xirtem@MM (McAfee)
  VirTool:Win32/CeeInject.gen!K (Microsoft)
Type: Backdoor
Category: Malware
Platform: W32

Summary
Backdoor:W32/SdBot.CNJ is malicious software that attempts to disable various firewalls and antivirus programs, steal passwords from the infected machine, and spread through removable media devices.

Details

Process Changes
Creates these processes:
  %cwd%\.exe
  %programfiles%\Internet Explorer\IEXPLORE.EXE

Creates these mutexes:
  Y_aKS~pXq
  1MKTN4PE

Network Connections
Attempts to connect with HTTP to:
  web1.(censored).org:443/TCP

Registry Modifications
Sets these values:
  HKCU\Software\Microsoft\Windows NT\CurrentVersion (default) = h1Ucm{yQvor}^imlol|Pxhc|en isl
  HKCU\Software\Microsoft\Windows\CurrentVersion\Run QnX = c:\(path)\.(filename)exe
  HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{77520Q86-864L-N81R-0R2W-7U2G0P22436U} StubPath = "c:\(path)\.(filename)exe"
  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run QnX = c:\(path)\.(filename)exe

Creates these keys:
  HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{77520Q86-864L-N81R-0R2W-7U2G0P22436U}



F-Secure Corporation

Last Modified: December 04, 2008