
Backdoor:W32/SdBot.CNJ


First posted on 05 December 2008.
Source: SecurityHome

Aliases :

There are no other names known for Backdoor:W32/SdBot.CNJ.

Explanation :

Backdoor:W32/SdBot.CNJ is a piece of malicious software that tries to disable various firewalls and antivirus programs, steal passwords from the infected machine, and spread through removable media devices.

Process Changes
Creates these processes:

%cwd%.exe
%programfiles%\Internet Explorer\IEXPLORE.EXE

Creates these mutexes:

Y_aKS~pXq
1MKTN4PE

Network Connections
Attempts to connect with HTTP to:

web1.(censored).org:443/TCP

Registry Modifications
Sets these values:

HKCU\Software\Microsoft\Windows NT\CurrentVersion (default) = h1Ucm{yQvor}^imlol|Pxhc|en isl
HKCU\Software\Microsoft\Windows\CurrentVersion\Run QnX = c:\(path)\(filename).exe
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{77520Q86-864L-N81R-0R2W-7U2G0P22436U} StubPath = "c:\(path)\(filename).exe"
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run QnX = c:\(path)\(filename).exe
Creates these keys:

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{77520Q86-864L-N81R-0R2W-7U2G0P22436U}

Last update 05 December 2008

 
