Threat Description

Backdoor: W32/SdBot

Details

Category: Malware
Type: Backdoor
Platform: W32
Aliases: Backdoor:W32/SdBot

Summary


Backdoor:W32/SdBot comprises a large family of remote access utilities known to be used by hackers to gain unauthorized control of a user's computer system.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.

Eliminating a Local Network Outbreak

If the infection is in a local network, please follow the instructions on this webpage:

Manual Disinfection

Caution: Manual disinfection is a risky process; it is recommended only for advanced users.

Manual disinfection for SDBot backdoor requires renaming of an infected file, usually located in Windows or Windows System folder and restarting a system. Please note that the backdoor's file may have read-only, system and hidden attributes, so Windows Explorer has to be configured to show such files.



Technical Details


Variants in the SdBot family include:

Installation

Depending on the variant, SdBot backdoors copy themselves either to the Windows System directory, or to other directories located in the System directory. It also ensures the copy is started when the system stars by creating a subkey in one of the following registry keys:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

The name of subkey and its value differ depending on the variant.

Activity

SdBot backdoors connect to various IRC servers, joining an IRC channel (the choice of channel is hardcoded into the code) in order to receive instruction from the attacker(s). The backdoor can perform a variety of actions, including acting as an IRC proxy server, downloading and executing remote files, sending messages and more.






SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More