Store
|
Contact Norman
|
About Norman
|
Select location
Corporate
Norge
France
Deutschland
Sverige
Danmark
Suomi
Nederland
Schweiz
España
United States
United Kingdom
Italia
Proactive IT security
Home & Home office Small / Medium business Enterprise Our technology Security center Norman as a business partner Support   Partner web
Home
>
Security center
>
Virus descriptions
>
SDBot
Norman SandBox center
Submit file for SandBox analysis
Search malware analysis database
View latest SandBox analysis
Malware statistics
Virus descriptions
Security articles - archive
Malware types
Threat level
Current virus threats
Security blog
Email statistics
Books, general white papers etc.

SDBot

Threat risk

Threat risk low
Detection files published:
Description created: 2004-04-22
Description updated: 2004-04-22
Malware type: Worm
Alias:
Spreading mechanism Network
Payload: Backdoor/DoS
Summary
SDBots are worms that propagate via network shares. They also contain backdoor functionality, which connects to an IRC channel and waits for commands.
 

Because of the similarities between many of the SDBot variants this is a generic desciption.

Spreading description
When an SDBot is executed it will copy itself to the %SYSTEM% directory and create a registry value in either or both of the following registry keys to ensure it is started with Windows:
 
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
 
A selection of filenames used by SDBots are:
  • dosnet.exe (W32/SDBot.JN)
  • wupdated.exe (W32/SDBot.JP)
  • winsys32.exe (W32/SDBot.JQ)
  • msserv.exe (W32/SDBot.JS)
  • comport.exe (W32/SDBot.JT)
  • lmss.exe (W32/SDBot.JU)
  • AntiVirus32.exe (W32/SDBot.JV)
  • msgfix.exe (W32/SDBot.JX & .QF)
  • win32server.exe (W32/SDBot.JY)
  • pown.exe (W32/SDBot.KF)
  • intcp32.exe (W32/SDBot.KK)
  • iexplore.exe (W32/SDBot.KL)
  • MSNHome.exe (W32/SDBot.KM)
  • mgnwin32.exe (W32/SDBot.KN)
  • vbxpl.exe (W32/SDBot.KO)
  • mrvdwwx.exe (W32/SDBot.KP)
  • iexplorers.exe (W32/SDBot.KQ)
  • SpoolServ.exe (W32/SDBot.KS)
  • winboot32.exe (W32/SDBot.QC)
  • winlord32.exe (W32/SDBot.QD)
  • symantec32.exe (W32/SDBot.QE)
  • MSCFG.exe (W32/SDBot_based)
  • netcfg32.exe (W32/SDBot_based)
  • I1Eexplore.exe (W32/SDBot_based)
  • iEEexplore.exe (W32/SDBot_based)
  • ms32sys.exe (W32/SDBot_based)
  • wsock32p.exe (W32/SDBot_based)
A selection of registry values used by SDBots are:
  • Dos Mode (W32/SDBot.JN)
  • Configuration Loaded (W32/SDBot.JP)
  • Configuration Loader (W32/SDBot.JQ)
  • Microsoft Service (W32/SDBot.JS)
  • Microsoft Com Port Manager (W32/SDBot.JT)
  • load (W32/SDBot.JU)
  • Windows Anti-Virus Built 32 (W32/SDBot.JV)
  • configuration loader (W32/SDBot.JW)
  • Configuration Loader (W32/SDBot.JX & .QF)
  • Winsock32driver (W32/SDBot.JY)
  • Microsoftx (W32/SDBot.KF)
  • Threaded (W32/SDBot.KK)
  • Configuration Loader (W32/SDBot.KL)
  • MSN Home Page (W32/SDBot.KM)
  • RandomWin32 (W32/SDBot.KN)
  • Configurations Loader (W32/SDBot.KO)
  • MyICQN (W32/SDBot.KP)
  • iexplorers loader (W32/SDBot.KQ)
  • Microsoft DirectX (W32/SDBot.KS)
  • Win32 Boot System (W32/SDBot.QC)
  • Windows Lord Anti-Virus (W32/SDBot.QD)
  • Symantec Security (W32/SDBot.QE)
  • Microsoft Configuration (W32/SDBot_based)
  • Network Card Driver Loader (W32/SDBot_based)
  • Config Loadatorin (W32/SDBot_based)
  • Config Loadation (W32/SDBot_based)
  • systemdrv (W32/SDBot_based)
  • WSock32 Protocol (W32/SDBot_based)
SDBots spread via network shares by brute forcing weak passwords if possible. When successful in copying itself to a remote share an SDBot will schedule a network task to infected the machine.
Threat description
SDBots contain a backdoor element that will join an IRC channel and wait for commands. They usually connect to an IRC sever using a high port number. Depending on what command an SDBot receives it may perform one of the following tasks:
 
  • Perform a DoS attack using SYN floods, UDP packets or ping of death.
  • Update itself.
  • Send CPU details, memory statistics or running thread information to the attacker.
  • Join another IRC channel, change its NICK or logout of the channel.
  • Download or upload files.
  • Launch executables.
  • Scan the network and infect NT based machines.
 
SDBots also attempt to terminate running processes associated with anti-virus/firewall software.
Removal
Norman currently detects hundreds of SDBot variants, whilst Norman Sandbox detects the majority of new SDBots as W32/Malware.

General information about removal of malicious software

Norman's antivirus products are in general able to remove all malicious software that is detected.
Some malware, however, uses techniques that the general product does not remove sufficiantly. We have therefore developed the free product Norman Malware Cleaner. Please use the latest version of this program from the link below - if your Norman antivirus is unable to clean-up the infection.

Type Title Comment Usage
Norman Malware Cleaner    
Stopping network share infectors    
Cleaning of back-up folders on Windows Me and XP    
Print
Privacy policy
|
License agreement
|
Trademarks
|
Sitemap
FacebookTwitterYouTubeLinkedIn