IRC/SdBot

Detection created: 2003-06-02
World activity peak: 2011-01-28 (2.6 %)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan copies itself to one or more of the following locations:

  • %windir%\%variable1%.exe
  • %public%\%variable1%.exe
  • %programfiles%\%variable1%.exe

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "%variable2%" = "%malwarefilepath%"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "%variable2%" = "%malwarefilepath%"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable2%" = "%malwarefilepath%"

%variable1% and %variable2% stand for strings with variable content.


The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    • "%originalmalwarefilepath%" = "%originalmalwarefilepath%:*:Enabled:%variable2%"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    • "%malwarefilepath%" = "%malwarefilepath%:*:Enabled:%variable2%"

These entries add the trojan to the Windows Firewall list of authorized applications, creating an exception that allows it to accept connections from any remote address.
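The drop locations from the Installation section and the firewall list value format above can be checked together against exported registry data. The following Python script is an added example and is not part of the original threat description: it parses the AuthorizedApplications\List value format (<path>:<scope>:<Enabled|Disabled>:<display name>), cross-references it with Run-key values, and reports programs that both start with the system and hold an enabled any-address firewall exception, noting whether the file sits directly in one of the %windir%, %public% or %programfiles% roots. The concrete root paths, the sample value names and the file names are assumptions constructed for the example; the script reads nothing from a live registry.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Drop roots named in the description (%windir%, %public%, %programfiles%),
# given here as the assumed defaults of an English Windows install.
DROP_ROOTS = {r"C:\Windows", r"C:\Users\Public", r"C:\Program Files"}

# Value data under ...\FirewallPolicy\StandardProfile\AuthorizedApplications\List
# has the shape  <path>:<scope>:<Enabled|Disabled>:<display name>
# where scope "*" means "any remote address".  The path itself contains a
# colon, so the state token is used as the anchor rather than a plain split.
FIREWALL_VALUE_RE = re.compile(
    r"^(?P<path>.+?):(?P<scope>[^:]*):(?P<state>Enabled|Disabled):(?P<label>.*)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class FirewallException:
    path: str
    scope: str
    enabled: bool
    label: str


def parse_firewall_exception(data: str) -> Optional[FirewallException]:
    """Parse one AuthorizedApplications\\List value; None if it is malformed."""
    m = FIREWALL_VALUE_RE.match(data)
    if not m:
        return None
    return FirewallException(
        path=m.group("path"),
        scope=m.group("scope"),
        enabled=m.group("state").lower() == "enabled",
        label=m.group("label"),
    )


def executable_from_command(command: str) -> str:
    """Best-effort executable path from a Run value (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    idx = command.lower().find(".exe")
    return command[: idx + 4] if idx != -1 else command


def in_drop_root(path: str) -> bool:
    """True if the file sits directly in one of DROP_ROOTS (no subfolder)."""
    parent = ntpath.normcase(ntpath.dirname(path))
    return parent in {ntpath.normcase(root) for root in DROP_ROOTS}


def find_run_entries_with_firewall_exception(
    run_values: Dict[str, str], firewall_values: Dict[str, str]
) -> List[dict]:
    """Cross-reference Run-key values with enabled, any-address firewall exceptions.

    run_values:      {value name: command} read from a ...\\CurrentVersion\\Run key
    firewall_values: {value name: data} read from ...\\AuthorizedApplications\\List
    """
    exceptions = {}
    for data in firewall_values.values():
        exc = parse_firewall_exception(data)
        if exc is not None and exc.enabled and exc.scope == "*":
            exceptions[ntpath.normcase(exc.path)] = exc

    findings = []
    for name, command in run_values.items():
        exe = executable_from_command(command)
        exc = exceptions.get(ntpath.normcase(exe))
        if exc is None:
            continue
        findings.append({
            "run_value": name,
            "path": exe,
            "firewall_label": exc.label,
            "in_drop_root": in_drop_root(exe),
        })
    return findings


# Constructed sample data: file and value names are invented for this example.
SAMPLE_RUN = {
    "ctfmon": r"C:\Windows\system32\ctfmon.exe",
    "wmiprvse": r"C:\Windows\wmiprvse.exe",
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}
SAMPLE_FIREWALL = {
    r"C:\Windows\wmiprvse.exe": r"C:\Windows\wmiprvse.exe:*:Enabled:wmiprvse",
    r"C:\Program Files\Mozilla Firefox\firefox.exe":
        r"C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox",
    r"%windir%\system32\sessmgr.exe": r"%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019",
}

if __name__ == "__main__":
    for hit in find_run_entries_with_firewall_exception(SAMPLE_RUN, SAMPLE_FIREWALL):
        print(hit)
```

On a real host the two dictionaries would come from `reg export` output or a forensic hive parser; a firewall entry that is enabled for scope `*` and whose path matches a Run value directly under a drop root is the combination the description above produces, and is rare for legitimate software, which normally installs into a subfolder.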


Information stealing

The trojan collects the following information:

  • language settings
  • operating system version
  • CPU information
  • type of Internet connection
  • memory status
  • computer name

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of addresses. The HTTP and IRC protocols are used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • send files to a remote computer
  • perform DoS/DDoS attacks
  • run executable files
  • terminate running processes
  • send gathered information
  • modify the content of websites
  • send IM messages

The trojan affects the behavior of the following applications:

  • AOL Instant Messenger
  • Internet Explorer
  • mIRC
  • Skype
  • Windows Live Messenger
  • Yahoo Messenger

The trojan may execute the following commands:

  • net stop MsMpSvc
  • netsh firewall add allowedprogram 1.exe 1 ENABLE
  • net stop wuauserv
  • sc config wuauserv start= disabled
  • explorer.exe http://browseusers.%removed%/Browse/Browse.aspx
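These commands are a practical detection point because each runs as a child process with a distinctive command line. The Python below is an added example and is not part of the original description: it matches the listed commands (anchored on the tool name, so an invocation by full path such as net1.exe also matches) against a constructed process-creation log and groups the hits by parent image, since several defence-weakening commands issued by the same parent within seconds are a stronger signal than any one of them. The log line format, host names, file names and timestamps are assumptions made for the example.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Command patterns from the description.  Each is anchored on the tool name so
# that an invocation by full path (e.g. "C:\Windows\System32\net.exe") matches too.
SIGNATURES = [
    ("defender_service_stop",
     re.compile(r'\bnet1?(?:\.exe)?"?\s+stop\s+"?msmpsvc\b', re.IGNORECASE)),
    ("windows_update_service_stop",
     re.compile(r'\bnet1?(?:\.exe)?"?\s+stop\s+"?wuauserv\b', re.IGNORECASE)),
    ("windows_update_service_disabled",
     re.compile(r'\bsc(?:\.exe)?"?\s+config\s+wuauserv\s+start=\s*disabled\b', re.IGNORECASE)),
    ("legacy_firewall_exception_added",
     re.compile(r'\bnetsh(?:\.exe)?"?\s+firewall\s+add\s+allowedprogram\b', re.IGNORECASE)),
]

# Assumed log format (constructed for this example, not a real product format):
#   <timestamp> host=<name> parent=<parent image path> cmdline=<command line>
LOG_LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+parent=(?P<parent>\S+)\s+cmdline=(?P<cmdline>.*)$"
)


def classify_command(cmdline: str) -> Optional[str]:
    """Return the label of the first signature matching a command line, or None."""
    for label, pattern in SIGNATURES:
        if pattern.search(cmdline):
            return label
    return None


def scan_process_log(lines: List[str]) -> List[dict]:
    """Return one finding per log line whose command line matches a signature."""
    findings = []
    for number, line in enumerate(lines, start=1):
        m = LOG_LINE_RE.match(line)
        if m is None:
            continue  # unparsable line; a real pipeline would count these
        label = classify_command(m.group("cmdline"))
        if label is not None:
            findings.append({
                "line": number,
                "host": m.group("host"),
                "parent": m.group("parent"),
                "label": label,
                "cmdline": m.group("cmdline"),
            })
    return findings


def parents_with_repeated_hits(findings: List[dict], minimum: int = 2) -> Dict[str, int]:
    """Parent images that issued at least `minimum` matching commands.

    A single service stop can be an administrator; several defence-weakening
    commands from the same parent is the pattern worth escalating.
    """
    counts = Counter(f["parent"] for f in findings)
    return {parent: n for parent, n in counts.items() if n >= minimum}


# Constructed sample log; hosts, paths and timestamps are invented.
SAMPLE_LOG = [
    r"2024-05-01T09:12:03Z host=WS01 parent=C:\Windows\explorer.exe cmdline=net stop Spooler",
    r"2024-05-01T09:12:08Z host=WS01 parent=C:\Windows\svhost32.exe cmdline=net stop MsMpSvc",
    r"2024-05-01T09:12:09Z host=WS01 parent=C:\Windows\svhost32.exe cmdline=netsh firewall add allowedprogram C:\Windows\svhost32.exe svhost32 ENABLE",
    r'2024-05-01T09:12:10Z host=WS01 parent=C:\Windows\svhost32.exe cmdline="C:\Windows\System32\net1.exe" stop wuauserv',
    r"2024-05-01T09:12:11Z host=WS01 parent=C:\Windows\svhost32.exe cmdline=sc config wuauserv start= disabled",
    r"2024-05-01T09:30:00Z host=WS02 parent=C:\Windows\System32\services.exe cmdline=sc query wuauserv",
]

if __name__ == "__main__":
    hits = scan_process_log(SAMPLE_LOG)
    for hit in hits:
        print(hit["line"], hit["label"], hit["cmdline"])
    print(parents_with_repeated_hits(hits))
```

The benign lines (a Spooler stop from explorer.exe and a `sc query` from services.exe) are left unmatched on purpose; the four hits all share one parent, which is what the grouping step surfaces.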

Threat Variants with Description

Threat Variant Name   Date Added   Threat Type
IRC/SdBot.AAK         2004-03-26   trojan
IRC/SdBot.AB          2003-06-02   trojan
