BKDR_SDBOT.JO

This Trojan runs certain commands that it receives remotely from a malicious user. Doing this puts the affected computer and information found on the computer at greater risk.

Installation

This Trojan drops the following copies of itself into the affected system:

• %Program Files%\Common Files\System\svchost.exe %Program Files%\Common Files\System\dbot.exe

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files.)

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Windows Update = %Program Files%\Common Files\System\{Malware File Name}.exe

Other System Modifications

This Trojan creates the following registry entry(ies) to bypass Windows Firewall:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%Program Files%\Common Files\System\{Malware File Name}.exe = %Program Files%\Common Files\System\{Malware File Name}.exe:*:Enabled:Windows Update

Backdoor Routine

This Trojan executes the following command(s) from a remote malicious user:

• Terminate and remove itself
• Download and execute files
• Perform HTTP and FTP operations to download and execute files
• Inject code into the file, TCPIP.SYS
• Perform IRC commands

Other Details

This Trojan does the following:

• It terminates the following processes if found running in the affected system's memory:
  
  • winhelp.exe
  • twunk_32.exe
  • twunk_16.exe
  • TASKMAN.EXE
  • ST6UNST.EXE
  • SOUNDMAN.EXE
  • Setup1.exe
  • setdebug.exe
  • REGTLIB.EXE
  • regedit.exe
  • NOTEPAD.EXE
  • iun6002.exe
  • IsUninst.exe
  • hh.exe
  • explorer.exe
  • alcupd.exe
  • alcrmv.exe
  • System
  • sstext3d.scr
  • ssstars.scr
  • sspipes.scr
  • ssmyst.scr
  • ssmypics.scr
  • ssmarque.scr
  • ssflwbox.scr
  • ssbezier.scr
  • ss3dfo.scr
  • SeismoSaver.scr
  • scrnsave.scr
  • logon.scr
  • ACDSee.scr
  • xcopy.exe
  • wupdmgr.exe
  • wuauclt1.exe
  • wuauclt.exe
  • wscript.exe
  • wscntfy.exe
  • write.exe
  • wpnpinst.exe
  • wpabaln.exe
  • wowexec.exe
  • wowdeb.exe
  • wjview.exe
  • winver.exe
  • winspool.exe
  • winmsd.exe
  • winmine.exe
  • winlogon.exe
  • winhlp32.exe
  • WINDBVER.EXE
  • winchat.exe
  • wiaacmgr.exe
  • wextract.exe
  • w32tm.exe
  • vwipxspx.exe
  • vssvc.exe
  • vssadmin.exe
  • viral.exe
  • verifier.exe
  • verclsid.exe
  • utilman.exe
  • usrshuta.exe
  • usrprbda.exe
  • usrmlnka.exe
  • userinit.exe
  • user.exe
  • ups.exe
  • upnpcont.exe
  • unlodctr.exe
  • typeperf.exe
  • tsshutdn.exe
  • tskill.exe
  • tsdiscon.exe
  • tscupgrd.exe
  • tscon.exe
  • tracert6.exe
  • tracert.exe
  • tracerpt.exe
  • tourstart.exe
  • tlntsvr.exe
  • tlntsess.exe
  • tlntadmn.exe
  • tftp.exe
  • telnet.exe
  • tcpsvcs.exe
  • tcmsetup.exe
  • taskmgr.exe
  • taskman.exe
  • tasklist.exe
  • taskkill.exe
  • systray.exe
  • systeminfo.exe
  • sysocmgr.exe
  • syskey.exe
  • sysedit.exe
  • syncapp.exe
  • svchost.exe
  • subst.exe
  • subrange.uce
  • stimon.exe
  • spupdsvc.exe
  • sprestrt.exe
  • spoolsv.exe
  • spnpinst.exe
  • spiisupd.exe
  • spider.exe
  • sort.exe
  • sol.exe
  • sndvol32.exe
  • sndrec32.exe
  • smss.exe
  • smlogsvc.exe
  • smbinst.exe
  • skeys.exe
  • sigverif.exe
  • shutdown.exe
  • shrpubw.exe
  • shmgrate.exe
  • share.exe
  • shadow.exe
  • sfc.exe
  • setver.exe
  • setup.exe
  • sethc.exe
  • sessmgr.exe
  • services.exe
  • secedit.exe
  • sdbinst.exe
  • schtasks.exe
  • scardsvr.exe
  • sc.exe
  • savedump.exe
  • rwinsta.exe
  • runonce.exe
  • rundll32.exe
  • runas.exe
  • RTLCPL.EXE
  • rtcshare.exe
  • rsvp.exe
  • rsopprov.exe
  • rsnotify.exe
  • rsmui.exe
  • rsmsink.exe
  • rsm.exe
  • rsh.exe
  • routemon.exe
  • route.exe
  • rexec.exe
  • reset.exe
  • replace.exe
  • relog.exe
  • regwiz.exe
  • regsvr32.exe
  • regini.exe
  • regedt32.exe
  • REGCLADM.EXE
  • reg.exe
  • redir.exe
  • recover.exe
  • rdshost.exe
  • rdsaddin.exe
  • rdpclip.exe
  • rcp.exe
  • rcimlby.exe
  • rasphone.exe
  • rasdial.exe
  • rasautou.exe
  • qwinsta.exe
  • qprocess.exe
  • qappsrv.exe
  • proxycfg.exe
  • proquota.exe
  • progman.exe
  • print.exe
  • powercfg.exe
  • ping6.exe
  • ping.exe
  • perfmon.exe
  • pentnt.exe
  • pathping.exe
  • packager.exe
  • osuninst.exe
  • osk.exe
  • openfiles.exe
  • odbcconf.exe
  • odbcad32.exe
  • nwscript.exe
  • nw16.exe
  • ntvdm.exe
  • ntsd.exe
  • ntoskrnl.exe
  • ntkrnlpa.exe
  • ntbackup.exe
  • nslookup.exe
  • notepad.exe
  • nlsfunc.exe
  • netstat.exe
  • netsh.exe
  • netsetup.exe
  • netdde.exe
  • net1.exe
  • net.exe
  • NeroCheck.exe
  • nddeapir.exe
  • nbtstat.exe
  • narrator.exe
  • mstsc.exe
  • mstinit.exe
  • msswchx.exe
  • mspaint.exe
  • msiexec.exe
  • mshta.exe
  • mshearts.exe
  • msg.exe
  • msdtc.exe
  • mscdexnt.exe
  • MRT.exe
  • mrinfo.exe
  • mqtgsvc.exe
  • mqsvc.exe
  • mqbkup.exe
  • mpnotify.exe
  • mplay32.exe
  • mountvol.exe
  • mobsync.exe
  • mnmsrvc.exe
  • mmc.exe
  • migpwd.exe
  • mem.exe
  • makecab.exe
  • magnify.exe
  • lsass.exe
  • lpr.exe
  • lpq.exe
  • logonui.exe
  • logoff.exe
  • logman.exe
  • logagent.exe
  • lodctr.exe
  • locator.exe
  • lnkstub.exe
  • lights.exe
  • label.exe
  • krnl386.exe
  • jview.exe
  • jdbgmgr.exe
  • javaws.exe
  • javaw.exe
  • java.exe
  • ipxroute.exe
  • ipv6.exe
  • ipsec6.exe
  • ipconfig.exe
  • imapi.exe
  • iexpress.exe
  • ie4uinit.exe
  • hostname.exe
  • help.exe
  • grpconv.exe
  • gpupdate.exe
  • gpresult.exe
  • getmac.exe
  • gdi.exe
  • gb2312.uce
  • ftp.exe
  • fsutil.exe
  • fsquirt.exe
  • freecell.exe
  • forcedos.exe
  • fontview.exe
  • fltMc.exe
  • fixmapi.exe
  • finger.exe
  • findstr.exe
  • find.exe
  • fc.exe
  • fastopen.exe
  • extrac32.exe
  • expand.exe
  • exe2bin.exe
  • eventvwr.exe
  • eventtriggers.exe
  • eventcreate.exe
  • eudcedit.exe
  • esentutl.exe
  • edlin.exe
  • dxdiag.exe
  • dwwin.exe
  • dvdupgrd.exe
  • dvdplay.exe
  • dumprep.exe
  • drwtsn32.exe
  • drwatson.exe
  • driverquery.exe
  • dpvsetup.exe
  • dpnsvr.exe
  • dplaysvr.exe
  • dosx.exe
  • doskey.exe
  • dmremote.exe
  • dmadmin.exe
  • dllhst3g.exe
  • dllhost.exe
  • diskperf.exe
  • diskpart.exe
  • diantz.exe
  • dfrgntfs.exe
  • dfrgfat.exe
  • defrag.exe
  • debug.exe
  • ddeshare.exe
  • dcomcnfg.exe
  • ctfmon.exe
  • csrss.exe
  • cscript.exe
  • convert.exe
  • control.exe
  • conime.exe
  • compact.exe
  • comp.exe
  • cmstp.exe
  • cmmon32.exe
  • cmdl32.exe
  • cmd.exe
  • clspack.exe
  • clipsrv.exe
  • clipbrd.exe
  • cliconfg.exe
  • cleanmgr.exe
  • ckcnv.exe
  • cisvc.exe
  • cipher.exe
  • cidaemon.exe
  • chkntfs.exe
  • chkdsk.exe
  • ChCfg.exe
  • charmap.exe
  • calc.exe
  • cacls.exe
  • bootvrfy.exe
  • bootok.exe
  • bootcfg.exe
  • blastcln.exe
  • autolfn.exe
  • autofmt.exe
  • autoconv.exe
  • autochk.exe
  • auditusr.exe
  • attrib.exe
  • atmadm.exe
  • Ati2mdxx.exe
  • ati2evxx.exe
  • at.exe
  • asr_pfu.exe
  • asr_ldm.exe
  • asr_fmt.exe
  • arp.exe
  • append.exe
  • alg.exe
  • ahui.exe
  • actmovie.exe
  • accwiz.exe
• It checks if WinVNC, a virtual network controller, is installed on the affected system. If it is, it attempts to log into the said application using the following set of usernames and passwords:
  
  • boobs
  • server
  • master
  • owner
  • register
  • paper
  • money
  • !@#$%
  • ~!@#$%
  • helpme
  • bobnob
  • pimpin
  • jesus
  • cracker
  • crack
  • whore
  • bitch
  • password
  • admin
  • computer
  • change
  • changeme
  • testing
  • kanabis
  • monkey
  • qwerty
  • abcdefgh
  • abcdef
  • abcde
  • 654321
  • 7654321
  • 87654321
• It tries to open Port 6667 in an attempt to join an IRC server. Once successful, it connects to any of the following IRC servers and joins the following specific channels:
  
  • {BLOCKED}ounceme.net
  • {BLOCKED}m.sytes.net