| Alias/es | Backdoor.Win32.SdBot.gen [KAV], W32/Agobot.OY!worm, W32/Sdbot.worm.gen.k [McAfee] |
| Release Date | May 12, 2006 |
| Detection Availability | Current Antivirus Definition Database Version: 12.339 |

Description

Visible Symptoms
- Infected systems respond too slowly to user interaction
- Creation of the file "et3rd.exe" in the System32 folder
- Possible firewall alert that the file "et3rd.exe" is attempting to access the Internet using TCP ports 113 [IDENT service] and 6667 [IRC chat client]

Detailed Analysis
This virus is 32-bit with a packed file size of 49,238 bytes. It contains code to connect to an IRC server and await commands and instructions from a malicious user.
IRC Connections
When the virus runs, it queries DNS for the IP address of 'uld3r.q8hell.org'. At the time of writing this resolves to 69.64.34.124.
Once connected (using TCP port 6667), the virus awaits instructions from malicious users. This is a partial list of instructions:
- Ping
- redirect
- download
- clone
- syn
- update
Loading at Windows Startup
When this virus is run on a target, it registers itself to run automatically at each Windows startup:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ "dfe CTRLx Shift" = et3rd.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ "dfe CTRLx Shift" = et3rd.exe
Miscellaneous
This virus contains the following string, which is never displayed:
sdbot 0.5b with SYN flood by [sd]
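The following Python script is an added example, not the vendor's code, showing how a responder can turn the indicators in this description (the dropped file name, the Run/RunServices value name, the IRC host and IP, the ports, and the embedded string) into simple host and network checks. The autorun entries, the firewall-log format and the log lines are constructed for the example; a real deployment would feed it registry exports and the firewall's actual log format.

```python
"""Indicator checks for the SdBot variant described above.

Added illustrative example, not the vendor's code. The indicators come from
the description; the autorun entries, log format and log lines are constructed.
"""
import re

# Indicators taken from the description above.
DROPPED_FILE = "et3rd.exe"
RUN_VALUE_NAME = "dfe CTRLx Shift"
AUTORUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)
C2_DOMAIN = "uld3r.q8hell.org"
C2_IP = "69.64.34.124"   # resolution at the time of the write-up; may change
C2_PORTS = {113, 6667}   # IDENT and IRC, as reported by the firewall symptom
EMBEDDED_STRING = b"sdbot 0.5b with SYN flood by [sd]"


def check_autoruns(entries):
    """entries: iterable of (key, value_name, data) as exported from the registry.
    Returns the entries that match the persistence indicators."""
    wanted_keys = {k.lower() for k in AUTORUN_KEYS}
    hits = []
    for key, name, data in entries:
        if key.rstrip("\\").lower() in wanted_keys and (
            name == RUN_VALUE_NAME or data.lower().endswith(DROPPED_FILE)
        ):
            hits.append((key, name, data))
    return hits


# Constructed firewall-log format: "<time> <process_path> <dst_host> <dst_port> <action>"
# (no spaces inside the process path in this constructed format).
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+)$")


def check_network_log(lines):
    """Flag outbound connections to the IRC host/IP, or from the dropped
    file to the ports named in the description."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a real tool would log it
        _, proc, dst, port, _ = m.groups()
        if dst in (C2_DOMAIN, C2_IP) or (
            proc.lower().endswith(DROPPED_FILE) and int(port) in C2_PORTS
        ):
            hits.append(line.strip())
    return hits


def contains_embedded_string(data: bytes) -> bool:
    """The string is never displayed and the sample is packed, so run this on
    an unpacked image or a memory dump rather than the 49,238-byte packed file."""
    return EMBEDDED_STRING in data


# --- constructed sample input (not real telemetry) ---------------------------
SAMPLE_AUTORUNS = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "dfe CTRLx Shift", "et3rd.exe"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "Updater", r"C:\Apps\updater.exe"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
     "dfe CTRLx Shift", "et3rd.exe"),
]
SAMPLE_LOG = [
    "10:01:02 C:\\Windows\\System32\\et3rd.exe 69.64.34.124 6667 ALLOW",
    "10:01:05 C:\\Apps\\browser.exe 203.0.113.10 443 ALLOW",
    "10:01:09 C:\\Windows\\System32\\et3rd.exe 203.0.113.20 113 ALLOW",
]

if __name__ == "__main__":
    for hit in check_autoruns(SAMPLE_AUTORUNS):
        print("autorun indicator:", hit)
    for hit in check_network_log(SAMPLE_LOG):
        print("network indicator:", hit)
```

Both registry checks (value name or data ending in the dropped file name) are deliberately kept, because the value name is specific to this variant while the file name catches a renamed value.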
| Description Last Updated Date | Mar 13, 2007 |
| Reference | ID - 6967 |