Home / malware Backdoor:W32/SdBot.CKF
First posted on 25 June 2008.
Source: SecurityHomeAliases :
There are no other names known for Backdoor:W32/SdBot.CKF.
Explanation :
Backdoor:W32/SdBot.CKF is a backdoor. Backdoors are remote administration utilities that open infected machines to external control via the Internet or a local network.
Upon execution, SdBot.CKF will attempt to connect to an IRC server and tries to download additional malware to the infected machine.
right]Upon execution, SdBot.CKF will create a copy of itself in the following location:
- %windir%winudspm.exe
It creates the following registry entry to automatically start with Windows:
- HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun
Windows UDP Control = winudspm.exe
Once the backdoor is active, it connects to an IRC server, joins a certain channel and acts as a bot.
The backdoor will try to contact the following IRC server:
- irc.bluehell.org
- 221.6.6.232
Then it joins the following channels:
- #blockbot2
- #blockbot.msn
The malware attempts to download from the following locations:
- http://mitglied.lycos.de/cheatsguard/dci.exe
- http://mitglied.lycos.de/cheatsguard/is154890.exe
- http://mitglied.lycos.de/subzz/setup.exe
The files are detected as follows:
- dci.exe - Backdoor:W32/Rbot.GLP
- is154890 - Trojan-Downloader.Win32.Agent.rcl
- setup.exe - Backdoor:W32/IRCBot.GNS
Here are more commands used by the bot:
- aim.stop
- download
- gone
- l
- lo
- login
- logout
- msn.stop
- r.getfile
- r.new
- r.upd4te
- r.update
- rm
- rmzerm3b1tch
- triton.stop
- update
Furthermore, another sign of infection from this malware is an outbound connection to http.xn--mg-kka.com.Last update 25 June 2008