F-Secure Virus Descriptions : SdBot
SdBot represents a large family of backdoors, i.e. remote access
tools used by attackers. They let an attacker control victims'
computers remotely by sending commands over IRC channels.
Depending on the variant, the backdoor copies itself either to
the Windows System directory or to a subdirectory of it. It then
makes that copy start with Windows by adding a value under one of
the following registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
The name of the value and the file name it points to differ
between variants.
The backdoor connects to one of several IRC servers, joins a
channel whose name is hardcoded in its body, and waits there for
remote control commands from its operator. These commands can
instruct it to download and execute files, act as an IRC proxy
server, join IRC channels and send messages over IRC, and send
UDP and ICMP packets to remote computers.
F-Secure provides a special disinfection utility (F-Bot) to
eliminate an SdBot backdoor infection. It can be downloaded from
our web or FTP site:
http://www.f-secure.com/tools/f-bot.zip
ftp://ftp.f-secure.com/anti-virus/tools/f-bot.zip
The unpacked version is available here:
http://www.f-secure.com/tools/f-bot.exe
ftp://ftp.f-secure.com/anti-virus/tools/f-bot.exe
Disinfection instructions can be found here:
http://www.f-secure.com/tools/f-bot.txt
ftp://ftp.f-secure.com/anti-virus/tools/f-bot.txt
Manual disinfection of an SdBot backdoor requires renaming the
infected file, usually located in the Windows or Windows System
folder, and then restarting the system. Note that the backdoor's
file may have the read-only, system and hidden attributes set, so
Windows Explorer must be configured to show hidden and system
files.
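As an added example (this is not F-Secure's F-Bot utility and not part of the original description), the following PowerShell script ties together the two registry keys listed above and the manual disinfection steps: it enumerates the values under Run and RunServices, marks entries whose file sits in the Windows or System directory with hidden or system attributes, and disarms one chosen entry by clearing the file attributes, renaming the file and removing the autostart value. It assumes an elevated PowerShell session and that the operator has identified the entry from the listing or from an anti-virus alert, since SdBot's value and file names vary between variants; the "Suspicious" flag is a heuristic assumption, not a detection, and RunServices exists only on Windows 9x/ME.

```powershell
# Added example, not F-Secure's F-Bot tool: list autostart entries under the two
# registry keys named in the description, flag the ones that look like an SdBot
# dropper, and disarm a chosen entry the way the manual disinfection describes
# (clear attributes, rename the file, remove the autostart value, then reboot).
# Assumptions: elevated PowerShell; the operator picks the entry to disarm,
# because the value name and file name vary between SdBot variants.

$AutostartKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'   # Windows 9x/ME only
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Extract the executable path from a Run value: "C:\x\y.exe" /arg or C:\x\y.exe /arg.
function Get-CommandPath([string]$Command) {
    $expanded = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }
    if ($expanded -match '^(\S+?\.(exe|com|scr|pif|bat))') { return $Matches[1] }
    return $expanded
}

function Get-AutostartEntries {
    $sysDirs = @($env:SystemRoot, [Environment]::SystemDirectory) | ForEach-Object { $_.TrimEnd('\') }
    foreach ($key in $AutostartKeys) {
        if (-not (Test-Path $key)) { continue }     # RunServices does not exist on NT-based Windows
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $command = [string]$item.GetValue($name)
            $path    = Get-CommandPath $command
            # -Force is needed so hidden/system files are returned at all
            $file    = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
            $dir     = if ($file) { $file.DirectoryName } elseif ($path) { Split-Path -Path $path -Parent } else { '' }
            $inSys   = $sysDirs -contains $dir.TrimEnd('\')
            $hidden  = $file -and ($file.Attributes.HasFlag([IO.FileAttributes]::Hidden) -or
                                   $file.Attributes.HasFlag([IO.FileAttributes]::System))
            [pscustomobject]@{
                Key        = $key
                Name       = $name
                Command    = $command
                Path       = $path
                Exists     = [bool]$file
                Attributes = if ($file) { $file.Attributes.ToString() } else { '-' }
                # Heuristic only (assumption): the description says the file usually sits in the
                # Windows or System directory and may carry hidden/system/read-only attributes.
                Suspicious = [bool]($inSys -and $hidden)
            }
        }
    }
}

function Disable-AutostartEntry {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$Key,
        [Parameter(Mandatory)][string]$Name
    )
    $command = [string](Get-Item -Path $Key).GetValue($Name)
    if (-not $command) { throw "No value '$Name' under $Key" }
    $path = Get-CommandPath $command
    $file = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($file -and $PSCmdlet.ShouldProcess($path, 'Clear attributes and rename')) {
        # Read-only/system/hidden attributes would block the rename; clear them first.
        # A running image can be renamed on Windows, which is why the description
        # renames rather than deletes, and why a reboot finishes the job.
        $file.Attributes = [IO.FileAttributes]::Normal
        Rename-Item -LiteralPath $path -NewName ($file.Name + '.disabled') -Force
    }
    if ($PSCmdlet.ShouldProcess("$Key\$Name", 'Remove autostart value')) {
        Remove-ItemProperty -Path $Key -Name $Name
    }
    Write-Warning 'The backdoor process stays in memory until reboot; restart the computer to complete disinfection.'
}

# Usage: review the listing first, then disarm the entry you identified (drop -WhatIf to apply).
Get-AutostartEntries | Format-Table Name, Path, Attributes, Suspicious -AutoSize
# Disable-AutostartEntry -Key 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' -Name '<value name from the listing>' -WhatIf
```

Run the listing before touching anything: legitimate software also lives under Run, so a hidden file in the System directory is a reason to look closer, not proof of infection. Keep the renamed file for analysis rather than deleting it, and reboot afterwards, because a bot still running in memory can re-create its autostart value.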
F-Secure Anti-Virus version 5.40 and later can disinfect a
computer infected with SdBot automatically by renaming the
backdoor's file. The computer must be restarted to complete
disinfection.
If the infection is in a local network, please follow the
instructions on this webpage:
http://www.f-secure.com/v-descs/netdisinf.shtml
[Analysis: Kaspersky Labs, F-Secure Corp.; November 27th, 2002]
Description Updated:
Alexey Podrezov, October 21st, 2004;
F-Secure Corporation