Threat Encyclopedia

W32/SDBot.J!worm

Analysis

  • Copies itself to the System folder as F1REF0X.EXE.

    Autostart Mechanism
  • Adds the following value:
    Mozilla Firefox = "F1REF0X.EXE"
    to the following registry subkeys:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    Backdoor and/or Trojan Behavior
  • Opens a backdoor on TCP port 113.
  • Connects to an IRC server to await instructions and commands from a malicious user. These commands can cause the infected machine to perform any of the following actions:
    • Perform basic IRC commands
    • Download and execute files
    • Update or remove itself
    • Scan for vulnerable computers
    • Send confidential information, such as user names, passwords, etc., to the remote user
    • List and terminate services and processes
    • Initiate distributed denial of service (DDoS) attacks
    • Log keystrokes
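As an added host-side check (example code, not part of this Fortinet entry), the PowerShell script below hunts a Windows host for the indicators listed above: the dropped F1REF0X.EXE in the System folder, the "Mozilla Firefox" value in the three Run keys, and a listener on TCP port 113. It assumes a modern Windows host where Get-NetTCPConnection is available; the indicator values themselves come from the entry.

```powershell
# Added detection check for the W32/SDBot.J!worm indicators in this entry.
# Indicator values are taken from the entry; the checks around them are assumptions.
$IndicatorFile  = 'F1REF0X.EXE'
$IndicatorValue = 'Mozilla Firefox'
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$findings = @()

# 1. Dropped copy in the System folder (resolves to System32 on NT-based Windows)
$dropPath = Join-Path ([Environment]::GetFolderPath('System')) $IndicatorFile
if (Test-Path -LiteralPath $dropPath) {
    $findings += "File present: $dropPath"
}

# 2. Autostart value in each Run key named in the entry
foreach ($key in $RunKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    $data  = $props.$IndicatorValue
    if ($data -and $data -like "*$IndicatorFile*") {
        $findings += "Autostart value: $key\$IndicatorValue = $data"
    }
}

# 3. Process listening on the backdoor port; an ident service on TCP 113 is
#    unusual on a Windows workstation, so any listener here is a lead to triage
$listeners = Get-NetTCPConnection -LocalPort 113 -State Listen -ErrorAction SilentlyContinue
foreach ($conn in $listeners) {
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    $findings += "TCP 113 listener: PID $($conn.OwningProcess) ($($proc.ProcessName))"
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/SDBot.J!worm indicators found.'
} else {
    Write-Warning 'Indicators matched; isolate the host and preserve the artifacts below.'
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Run it from an elevated session so the HKLM keys and process owners of the listening socket are readable.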

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.