Backdoor.SdBot.gen
Backdoor.SdBot.gen (Kaspersky Lab) is also known as: W32/Lolol.worm.gen (McAfee), W32.Spybot.Worm (Symantec), Win32.IRC.Bot.based (Doctor Web), W32/Spybot-CQ (Sophos), Win32/HLLW.SpyBot (RAV), Worm/SpyBot.#3 (H+BEDV), Win32:SpyBot-GEN (ALWIL), Worm/Spybot (Grisoft), Backdoor.SDBot.Gen (SOFTWIN), Trojan.Spybot.gen-3 (ClamAV), W32/Spybot.BE.worm (Panda), Win32/SpyBot.AFL (Eset)
Description added | Aug 21 2002 |
Behavior | Backdoor |
This is a family of backdoor malicious programs, which provide the user with remote control over victim machines. This is achieved by sending commands via IRC channels.
Installation
Depending upon the program version, the backdoor either copies itself either to the Windows System directory or to other directories located in the System directory. The program also registers a copy of itself in the system registry, which ensures that it will be executed when Windows is started:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
The registry value will vary according to which version of the backdoor has infected the machine.
Payload
Backdoor.SdBot connects to a range of IRC servers, then connects with a channel that is hard coded into its body. It is then ready to receive remote commands, such as downloading and executing remote files, acting as an IRC proxy server, joining IRC channels, sending messages via IRC, and sending UDP and ICMP packets to remote computers.