How to delete Sdbot - Removal tool, fix instructions

Name: Sdbot

Aliases: Backdoor.SDBot.Gen, Sdbot.ftp, W32/Sdbot.ftp, IRC-Sdbot, Backdoor.IRC.SdBot, BKDR_SDBOT.B, Troj/Sdbot-B, Win32.SdBot.14176

Type: Trojan

Size: -

First appeared on: 15.12.2004

Damage: Medium

Brief Description:
Sdbot is a Backdoor Trojan horse that allows the Trojan's creator to control a computer by using Internet Relay Chat (IRC). Backdoor.Sdbot can update itself by checking for newer versions over the Internet.

Some variants of the Sdbot worm spread via the Internet by attacking random IP addresses. These variants attempt to exploit several vulnerabilities in Windows operating systems, such as RPC-DCOM, LSASS, etc.

If they succeed in exploiting any of those vulnerabilities, they create and run a script, which downloads the worm.

Visible Symptoms:

Sdbot is difficult to recognize, as it does not display any messages or warnings that indicate it has reached the computer.

The symptoms vary with each variant:

  • suspect running process(es) - the name of the executable varies
  • suspect registry keys, usually it's an entry in
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
  • unusual internet traffic
  • unusual TCP/UDP open ports listed by "netstat -a" command
  • unusual computer behaviour

Technical description:

Sdbot attempts to download a variant of the Sdbot worms to the affected computer.

Worms of the Sdbot family follow the routine below:

  • They spread via the Internet by attacking random IP addresses.
  • Those variants of Sdbot attempt to exploit several known vulnerabilities in Windows operating systems, such as RPC-DCOM, LSASS, etc.
  • If they succeed in exploiting any of those vulnerabilities, they create and run a script.
  • This script contains the IP address and the port from which the Sdbot worm will be downloaded.
  • Once downloaded, the remote computer will be affected by the Sdbot worm.

Backdoor.Sdbot is a server component (bot) that the Trojan's creator distributes over IRC channels. This Trojan horse allows its creator to perform a wide variety of actions on a compromised computer.

The Trojan arrives in the form of a Portable Executable (PE) file.

When Backdoor.Sdbot is executed, it does the following:

  1. Copies itself to the %System% folder. The file name to which it copies itself can vary. Some known file names are:
    • Cnfgldr.exe
    • cthelp.exe
    • Sysmon16.exe
    • Sys3f2.exe
    • Syscfg32.exe
    • Mssql.exe
    • Aim95.exe
    • Svchosts.exe
    • FB_PNU.EXE
    • Cmd32.exe
    • Sys32.exe
    • Explorer.exe
    • IEXPL0RE.EXE
    • iexplore.exe
    • sock32.exe
    • MSTasks.exe
    • service.exe
    • Regrun.exe
    • ipcl32.exe
    • syswin32.exe
    • CMagesta.exe
    • YahooMsgr.exe
    • vcvw.exe
    • spooler.exe
    • MSsrvs32.exe
    • svhost.exe
    • winupdate32.exe
    • quicktimeprom.exe

    NOTE: %System% is a variable. The Trojan locates the \Windows\System folder (by default, this is C:\Windows\System or C:\Winnt\System32), and then copies itself to that location.

  2. Adds one of the following values:

    "Configuration Manager"="Cnfgldr.exe"
    "System Monitor"="Sysmon16.exe"
    "MSSQL"="Mssql.exe"
    "Configuration Loader" = "aim95.exe"
    "Internet Config" = "svchosts.exe"
    "System33" = "%System%\FB_PNU.EXE"
    "Configuration Loader"="cmd32.exe"
    "Windows Explorer"="Explorer.exe"
    "Configuration Loader"="IEXPL0RE.EXE"
    "Configuration Loader"="%System%\iexplore.exe"
    "Sock32"="sock32.exe"
    "Configuration Loader"="MSTasks.exe"
    "Windows Services"="service.exe"
    "Registry Checker" = "%System%\Regrun.exe"
    "Internet Protocol Configuration Loader" = "ipcl32.exe"
    "syswin32" = "syswin32.exe"
    "MachineTest" = "CMagesta.exe"
    "Yahoo Instant Messenger" = "Yahoo Instant Messenger"
    "Fixnice" = "vcvw.exe"
    "Windows Configuration" = "spooler.exe"
    "Microsoft Video Capture Controls" = "MSsrvs32.exe"
    "Microsoft Synchronization Manager" = "svhost.exe"
    "Microsoft Synchronization Manager" = "winupdate32.exe"
    "Quick Time file manager" = "quicktimeprom.exe"
    "cthelp"="cthelp.exe"

    or a similar value to the following registry keys:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
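The autorun keys listed above, together with the process and registry symptoms described earlier, give a concrete check a responder can run. The script below is an added example, not part of the original write-up or of any vendor tool: it enumerates the three Run keys named in step 2, flags any value whose image name is one of the known drop names, and reports whether a process of that name is currently running. A clean result only means no known name was found, not that the host is clean.

```powershell
# Added example (not from the original Sdbot description).
# Known Sdbot drop names from step 1 above; variants may use other names.
$KnownNames = @(
    'Cnfgldr.exe','cthelp.exe','Sysmon16.exe','Sys3f2.exe','Syscfg32.exe',
    'Mssql.exe','Aim95.exe','Svchosts.exe','FB_PNU.EXE','Cmd32.exe','Sys32.exe',
    'Explorer.exe','IEXPL0RE.EXE','iexplore.exe','sock32.exe','MSTasks.exe',
    'service.exe','Regrun.exe','ipcl32.exe','syswin32.exe','CMagesta.exe',
    'YahooMsgr.exe','vcvw.exe','spooler.exe','MSsrvs32.exe','svhost.exe',
    'winupdate32.exe','quicktimeprom.exe'
)
# The three autorun keys named in step 2 of the technical description.
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

function Get-SdbotAutorunHits {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        # Drop the PS* provider metadata so only real registry values remain.
        $values = (Get-ItemProperty -Path $key).PSObject.Properties |
                  Where-Object { $_.Name -notlike 'PS*' }
        foreach ($v in $values) {
            # Sdbot writes either a bare file name or %System%\name; strip quotes
            # and take the first token (paths containing spaces are not expected here).
            $image   = (([string]$v.Value) -replace '"', '').Trim() -split '\s+' |
                       Select-Object -First 1
            $exeName = [System.IO.Path]::GetFileName($image)
            if ($KnownNames -notcontains $exeName) { continue }   # case-insensitive
            # Explorer.exe and iexplore.exe are also legitimate binaries; what makes
            # them suspicious is an autorun value resolving them from %System%.
            $inSystemDir = ($image -notmatch '\\') -or
                           ($image -like ([Environment]::SystemDirectory + '\*'))
            $procName = [System.IO.Path]::GetFileNameWithoutExtension($exeName)
            [pscustomobject]@{
                Key       = $key
                ValueName = $v.Name
                Data      = $v.Value
                InSystem  = $inSystemDir
                Running   = [bool](Get-Process -Name $procName -ErrorAction SilentlyContinue)
            }
        }
    }
}

Get-SdbotAutorunHits | Format-Table -AutoSize
```

Run it from an elevated prompt so the HKLM keys are readable; any hit should be confirmed against the "netstat -a" listening-port check described under Visible Symptoms before the file is removed.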

Backdoor.Sdbot contains its own IRC client, allowing it to connect to an IRC channel that was coded into the Trojan. Using the IRC channel, the Trojan listens for the commands from the Trojan's creator. The creator of the Trojan accesses the Trojan by using a password-protected authorization.

Using these bots, an attacker could:

Using the victim's computer:

  • using multiple infected computers, perform a DDoS attack on a specific IP address/website
  • perform various types of flood on a target IP address
  • attack other computers or a website using specific exploits/vulnerabilities (RPC/DCOM, RPC/Locator, WebDAV, etc.)
  • scan/search for other vulnerable hosts and attempt to install itself on them

On the victim's computer:

  • change bot internal parameters, update the bot with a newer version, etc.
  • use the host as a TCP proxy (as a send-through)
  • redirect HTTP traffic
  • steal CD keys from various applications/games
  • steal personal information, passwords, etc.
  • display/change various information
  • download and upload files
  • delete/modify files
  • execute programs
  • terminate processes
  • reboot, shutdown the computer

and much more, depending on what has been added to the original source.

Each newer version works on the same basis as the older ones, but new code is added to make the bot more powerful and harder to detect.

Propagation:

Sdbot does not use any specific means to spread. It can reach computers through any of the means normally used by viruses: CD-ROMs, e-mail messages with infected attachments, Internet downloads, FTP, etc.