Backdoor:W32/SdBot.CKF is a backdoor. Backdoors are remote administration utilities that open infected machines to external control via the Internet or a local network. Upon execution, SdBot.CKF will attempt to connect to an IRC server and tries to download additional malware to the infected machine.
Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.
More scanning & removal options
More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.
You may also refer to the Knowledge Base on the F-Secure Community site for more information.
Upon execution, SdBot.CKF will create a copy of itself in the following location:
It creates the following registry entry to automatically start with Windows:
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows UDP Control = winudspm.exe
Once the backdoor is active, it connects to an IRC server, joins a certain channel and acts as a bot. The backdoor will try to contact the following IRC server:
Then it joins the following channels:
The malware attempts to download from the following locations:
The files are detected as follows:
- dci.exe - Backdoor:W32/Rbot.GLP
- is154890 - Trojan-Downloader.Win32.Agent.rcl
- setup.exe - Backdoor:W32/IRCBot.GNS
Here are more commands used by the bot:
Furthermore, another sign of infection from this malware is an outbound connection to http.xn--mg-kka.com.