Summary
Poebot.F is a member of the SdBot backdoor family. SdBot is a large family of IRC-based backdoors. This particular variant is quite powerful: it uses several different exploits to spread to vulnerable computers, and it can steal confidential data from an infected computer.
Removal
Disinfection Utility
A special disinfection utility is provided to clean the Nyxem.e infection from a computer. This disinfection utility is called F-Force and it can be downloaded from our web and FTP sites:
[link removed]
[link removed]
The utility is distributed only in a ZIP archive that contains the following files:
- f-force.exe - the main executable file
- eult.rtf - End User License Terms document
- readme.rtf - Readme file in RTF format
- readme.txt - Readme file in ASCII format
To unpack the archive, please use WinZip or a similar archiver.
IMPORTANT! Please make sure that you read the End User License Terms document (Eult.rtf) and the Readme file (either Readme.txt or Readme.rtf) before using the F-Force utility!
The F-Force utility needs the archive with the latest updates in order to function properly. The archive's name is LATEST.ZIP and it should be downloaded and put into the same folder where the F-Force utility is located. This archive with the latest updates can be downloaded from these locations:
[link removed]
[link removed]
Please note that the F-Force utility can disinfect only certain malicious programs. Besides, the utility does not scan inside archives. So after cleaning a computer with the F-Force utility, it is recommended to scan all hard drives with F-Secure Anti-Virus and the latest updates to make sure that no infected files remain there.
A trial version of F-Secure Anti-Virus and the latest updates can be downloaded from F-Secure's website:
[link removed]
[link removed]
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
- Check for the latest database updates: First, check if your F-Secure security program is using the latest updates, then try scanning the file again.
- Submit a sample: After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis. Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
- Exclude a file from further scanning: If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product. Note: You need administrative rights to change the settings.
Technical Details
- lssas.exe
- Isass.exe
- csrs.exe
- logon.exe
- winIogon.exe
- explorer.exe
- winamp.exe
- firewall.exe
- spoolsvc.exe
- spooIsv.exe
- algs.exe
- iexplore.exe
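Several of the names above are look-alikes of legitimate Windows system processes (lsass.exe, csrss.exe, winlogon.exe, spoolsv.exe, alg.exe), differing by a transposed letter, a dropped or added letter, or a capital I standing in for a lowercase l. The following Python is an added example, not code from F-Secure or from this description: it flags process names that match the list above and, more generally, any name that collapses onto a core Windows process name once confusable characters are folded, or that sits within a small edit distance of one. The allow-list of legitimate names, the folding table, the distance threshold and the sample names are this example's own assumptions.

```python
"""Flag process names that imitate Windows system processes.

Added example, not from the original F-Secure description. The names in
KNOWN_LOOKALIKES are the ones listed in the description; LEGIT_SYSTEM_NAMES,
the character folding and the distance threshold are this example's own
assumptions.
"""

# Look-alike names as listed in the Poebot.F description (compared
# case-insensitively, so "Isass.exe" and "isass.exe" are the same entry).
KNOWN_LOOKALIKES = {n.lower() for n in (
    "lssas.exe", "Isass.exe", "csrs.exe", "logon.exe", "winIogon.exe",
    "spoolsvc.exe", "spooIsv.exe", "algs.exe",
)}

# Assumed allow-list of the legitimate binaries the above names imitate.
LEGIT_SYSTEM_NAMES = {
    "lsass.exe", "csrss.exe", "winlogon.exe", "spoolsv.exe", "alg.exe",
    "svchost.exe", "explorer.exe", "iexplore.exe",
}

# Characters that are hard to tell apart in common UI fonts; all are folded
# to "1" before comparison so that winIogon.exe collapses onto winlogon.exe.
_FOLD = str.maketrans({"l": "1", "i": "1", "|": "1"})

MAX_DISTANCE = 2   # edit distance at or below this counts as a near-miss
MIN_STEM_LEN = 5   # skip very short stems, where two edits change everything


def _canon(name: str) -> str:
    """Lower-case the name, drop the .exe suffix and fold confusable letters."""
    stem = name.lower()
    if stem.endswith(".exe"):
        stem = stem[:-4]
    return stem.translate(_FOLD)


def _levenshtein(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert, delete, substitute all cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(name: str):
    """Return a reason string if `name` looks like a disguised process, else None."""
    low = name.lower()
    if low in KNOWN_LOOKALIKES:
        return "listed in the Poebot.F description"
    if low in LEGIT_SYSTEM_NAMES:
        return None  # a genuine name can only be judged by path or signature
    stem = _canon(low)
    best = None  # (distance, legitimate name); ties go to the first sorted name
    for legit in sorted(LEGIT_SYSTEM_NAMES):
        d = _levenshtein(stem, _canon(legit))
        if best is None or d < best[0]:
            best = (d, legit)
    d, legit = best
    if d == 0:
        return f"homoglyph of {legit}"
    if d <= MAX_DISTANCE and max(len(stem), len(_canon(legit))) >= MIN_STEM_LEN:
        return f"near-miss of {legit} (edit distance {d})"
    return None


def scan(process_names):
    """Map each suspicious name in `process_names` to the reason it was flagged."""
    flagged = {}
    for name in process_names:
        reason = classify(name)
        if reason:
            flagged[name] = reason
    return flagged


if __name__ == "__main__":
    # Constructed sample: genuine names mixed with names from the list above.
    sample = ["lsass.exe", "winIogon.exe", "svch0st.exe", "winamp.exe", "1sass.exe"]
    for name, reason in scan(sample).items():
        print(f"{name:14} {reason}")
```

Feed it the names from a process listing. Names that coincide exactly with a legitimate binary (explorer.exe and iexplore.exe also appear in the list above) are deliberately not flagged by name alone; for those, the file path and signature decide, which this example does not check.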
- joins and parts IRC channels, changes nick, creates clones, sends raw command, sends messages and notices, floods channels
- runs IDENTD server on a specified port
- scans for vulnerable computers using a number of exploits (see below) and reports to a hacker
- tries to spread to network shares, brute-forcing share passwords using a hardcoded list
- steals logins and passwords (cached passwords, FlashFXP passwords, IE site passwords, MSN passwords)
- steals Outlook account information (SMTP and POP server names, logins and passwords)
- steals HTTP email server logins and passwords (Hotmail)
- sniffs network traffic (packet sniffer)
- downloads and runs files on an infected computer
- opens a pipe-based remote command shell on an infected computer
- acts as a proxy server on a selected port
- collects information about an infected system (software and hardware configuration)
- finds and terminates competing bots
- performs a DoS (Denial of Service) attack
- updates itself from the Internet
- lists running processes, paying attention to processes with specific names (mostly games)
- ASN.1 (MS04-007), ports 80, 139, 445
- LSASS (MS04-011), port 445
- DCOM-RPC (MS04-012), port 135
- WKSSVC (MS03-049), ports 135, 445
- WEBDAV (MS03-007), port 80
- UPNP (MS05-039), port 445
- MSSQL, port 1433
- DameWare, port 6129
- BackupExec, port 6101
- IceCast, port 8000
- SlabMail, port 110
- RealServer, port 554
- administratoradministradoradministrateuradministrat
- adminsadminadmaababcpassword1passwordpasswddbapass1234passpwd
- 0071121231234123451234561234567123456781234567891234567890
- workdeadlinepaydaysecret200020012002200320042005testguestnonedemo
- computerunixlinuxchangemedefaultsystemserverrootnull
- temptemp123qwertymailoutlookwebwwwinternetsexletmein
- accountsaccountinghomehomeuseruseroemoemuser
- oeminstallwwwadminwindowswin98win2kwinxpwinntwin2000qazasdzxcqwe
- bobjenjoefredbillmikejohnpeterlukesamsuesusan
- peterbrianleeneilianchrisericgeorgekatebobkatiemary
- loginloginpasstechnicalbackupexchange
- f*ckbitchslutsexgodmoneylovehellhello
- domaindomainpassdomainpassworddatabaseaccessdb
- passdbpassworddatabasepassdatadatabasepassworddb
- 1db2db1234sasqlsqlpassoainstallorainstall
- oracleibmciscodellcompaqsiemenshpnokiaxp
- controlofficeblankwinpassmainlaninternetintranet
- studentownerteacherstaff