F-Secure Virus Descriptions : SdBot




NAME:SdBot
ALIAS:Backdoor_SdBot, Backdoor.SdBot

Summary

SdBot represents a large family of backdoors, that is, remote access tools used by attackers. These tools let an attacker control victims' computers remotely by sending specific commands over IRC channels.

Depending on the backdoor's version, it copies itself either to the Windows System directory or to a subdirectory of the System directory. It also registers its copy to start at Windows startup by creating a value under one of the following registry keys:

 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

The name of the value and the path it points to differ between versions of the backdoor, so any unfamiliar entry under these keys should be inspected rather than only a fixed name.
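Because the autostart entry's name and path vary per variant, the practical check is to enumerate every value under the two keys above and look at where each one launches from. The following script is an added example (it is not F-Secure's F-Bot tool and not code from the original description): it parses a regedit export of those keys, resolves the executable path from each command line, and flags entries that run a file from the Windows or System directory. The sample export, its value names and file names are constructed for this example and are not indicators taken from any real SdBot variant.

```python
"""Triage Run/RunServices autostart entries from a regedit export.

Added example, not F-Secure's tool. Parses a .reg file exported from the
two autostart keys named in the SdBot description and flags entries that
launch a file from the Windows or System directory, where SdBot variants
drop their copy. Sample data below is constructed for the example.
"""
import re

AUTOSTART_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)

# Constructed .reg export. "WinUpd32" and "Service Loader" stand in for a
# backdoor dropped into the System directory; "SoundTray" is a benign
# placeholder. None of these names come from a real SdBot sample.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundTray"="C:\\Program Files\\Audio\\tray.exe /autostart"
"WinUpd32"="C:\\WINDOWS\\SYSTEM32\\winupd32.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Service Loader"="\"C:\\WINDOWS\\SYSTEM\\svcload.exe\" -q"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
# "Name"="value" or @="value"; string values only (hex(...) types are skipped).
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=("(?:[^"\\]|\\.)*")$')
# Windows 9x (C:\WINDOWS\SYSTEM), NT (C:\WINNT\system32) and unexpanded
# %SystemRoot% forms; anything below the System directory also matches.
SYSTEM_DIR_RE = re.compile(
    r"^(?:[a-z]:\\(?:windows|winnt)|%systemroot%)\\system(?:32)?(?:\\|$)", re.I
)
EXE_EXTS = (".exe", ".com", ".bat", ".scr", ".pif")


def _unescape(quoted):
    """Strip the surrounding quotes and undo .reg escaping (\\\\ and \\")."""
    return re.sub(r"\\(.)", r"\1", quoted[1:-1])


def parse_autostart(reg_text):
    """Return (key, value_name, command_line) for values under the autostart keys."""
    wanted = {k.lower() for k in AUTOSTART_KEYS}
    entries, current = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1) if m.group(1).lower() in wanted else None
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1))
        entries.append((current, name, _unescape(m.group(2))))
    return entries


def executable_path(command):
    """Extract the program path from a Run-style command line."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted: CreateProcess tries each space-delimited prefix in turn, so
    # take the shortest prefix that names an executable.
    parts = cmd.split(" ")
    for i in range(1, len(parts) + 1):
        candidate = " ".join(parts[:i])
        if candidate.lower().endswith(EXE_EXTS):
            return candidate
    return parts[0]


def triage(reg_text):
    """Resolve each autostart entry and flag launches from the System directory."""
    report = []
    for key, name, command in parse_autostart(reg_text):
        path = executable_path(command)
        report.append({
            "key": key.rsplit("\\", 1)[1],
            "name": name,
            "path": path,
            "in_system_dir": bool(SYSTEM_DIR_RE.match(path)),
        })
    return report


if __name__ == "__main__":
    for e in triage(SAMPLE_REG):
        mark = "REVIEW" if e["in_system_dir"] else "ok    "
        print(f"{mark} {e['key']:<12} {e['name']!r:<18} -> {e['path']}")
```

A flagged entry is a candidate, not a verdict: legitimate software also registers autostart values under these keys, so each flagged path should be checked against the file's attributes and signature before it is renamed as described under Disinfection. To use it on a real host, export the two keys with regedit and pass the file contents to triage() instead of SAMPLE_REG.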

The backdoor connects to one of several IRC servers, joins a channel whose name is hardcoded in its body, and waits for remote control commands from its master. The commands allow it to download and execute remote files, act as an IRC proxy server, join IRC channels and send messages via IRC, and send UDP and ICMP packets to remote computers (the flooding capability that makes these bots useful for denial-of-service attacks).

Disinfection

F-Secure provides a special disinfection utility to eliminate an SdBot backdoor infection. You can download this utility from our web or ftp site:

http://www.f-secure.com/tools/f-bot.zip

ftp://ftp.f-secure.com/anti-virus/tools/f-bot.zip

The unpacked version is available here:

http://www.f-secure.com/tools/f-bot.exe

ftp://ftp.f-secure.com/anti-virus/tools/f-bot.exe

Disinfection instructions can be found here:

http://www.f-secure.com/tools/f-bot.txt

ftp://ftp.f-secure.com/anti-virus/tools/f-bot.txt

Manual disinfection of the SdBot backdoor requires renaming the infected file, usually located in the Windows or Windows System folder, and then restarting the system. Please note that the backdoor's file may have the read-only, system and hidden attributes set, so Windows Explorer has to be configured to show hidden and system files before the file can be found and renamed.

F-Secure Anti-Virus, starting from version 5.40, can disinfect a computer infected with SdBot automatically by renaming the backdoor's file. The computer has to be restarted to complete the disinfection.

If the infection is in a local network, please follow the instructions on this webpage:

http://www.f-secure.com/v-descs/netdisinf.shtml



[Analysis: Kaspersky Labs, F-Secure Corp.; November 27th, 2002]

Description Updated: Alexey Podrezov, October 21st, 2004;

F-Secure Corporation