F-Secure
Tools
Backdoor:W32/SdBot
Summary
A remote administration utility which bypasses normal security mechanisms to secretly control a program, computer or network.
Disinfection
Disinfection Utility
F-Secure provides the special disinfection utility to eliminate SDBot backdoor infection. You can download this utility from our ftp site:
The unpacked version is available here:
Disinfection instructions can be found here:
Manual Disinfection
Manual disinfection for SDBot backdoor requires renaming of an infected file, usually located in Windows or Windows System folder and restarting a system. Please note that the backdoor's file may have read-only, system and hidden attributes, so Windows Explorer has to be configured to show such files.
Automatic Disinfection
F-Secure Anti-Virus starting from version 5.40 can disinfect a computer infected with SDBot automatically by renaming the backdoor's file. A computer has to be restarted to complete disinfection.
Network Disinfection
If the infection is in a local network, please follow the instructions on this webpage:
F-Secure provides the special disinfection utility to eliminate SDBot backdoor infection. You can download this utility from our ftp site:
- http://www.f-secure.com/tools/f-bot.zip
- ftp://ftp.f-secure.com/anti-virus/tools/f-bot.zip
The unpacked version is available here:
- http://www.f-secure.com/tools/f-bot.exe
- ftp://ftp.f-secure.com/anti-virus/tools/f-bot.exe
Disinfection instructions can be found here:
- http://www.f-secure.com/tools/f-bot.txt
- ftp://ftp.f-secure.com/anti-virus/tools/f-bot.txt
Manual Disinfection
Manual disinfection for SDBot backdoor requires renaming of an infected file, usually located in Windows or Windows System folder and restarting a system. Please note that the backdoor's file may have read-only, system and hidden attributes, so Windows Explorer has to be configured to show such files.
Automatic Disinfection
F-Secure Anti-Virus starting from version 5.40 can disinfect a computer infected with SDBot automatically by renaming the backdoor's file. A computer has to be restarted to complete disinfection.
Network Disinfection
If the infection is in a local network, please follow the instructions on this webpage:
Additional Details
Backdoor:W32/SdBot comprises a large family of remote access utilities known to be used by hackers to gain unauthorized control of a user's computer system.
Variants in the SdBot family include:
Installation
Depending on the variant, SdBot backdoors copy themselves either to the Windows System directory, or to other directories located in the System directory. It also ensures the copy is started when the system stars by creating a subkey in one of the following registry keys:
The name of subkey and its value differ depending on the variant.
Activity
SdBot backdoors connect to various IRC servers, joining an IRC channel (the choice of channel is hardcoded into the code) in order to receive instruction from the attacker(s). The backdoor can perform a variety of actions, including acting as an IRC proxy server, downloading and executing remote files, sending messages and more.
Variants in the SdBot family include:
Installation
Depending on the variant, SdBot backdoors copy themselves either to the Windows System directory, or to other directories located in the System directory. It also ensures the copy is started when the system stars by creating a subkey in one of the following registry keys:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
The name of subkey and its value differ depending on the variant.
Activity
SdBot backdoors connect to various IRC servers, joining an IRC channel (the choice of channel is hardcoded into the code) in order to receive instruction from the attacker(s). The backdoor can perform a variety of actions, including acting as an IRC proxy server, downloading and executing remote files, sending messages and more.