Threat Encyclopedia
W32/SDBot.AH!worm
Analysis
- The Trojan was mass-mailed to numerous email addresses in an attempt to spread widely. It may have arrived in an email message purporting to be a security patch from Microsoft:
Subject: Microsoft Security Update
Body:
THE MICROSOFT SECURITY UPDATE NEWSLETTER
October 18, 2003
The Microsoft Security Update Newsletter for home users and small businesses provides information on security-related updates to Microsoft(R) products, as well as virus alerts and resources for more information on security issues.
__________________________________________________
SECURITY BULLETIN
Please review Microsoft Security Bulletin MS03-047: Security Update for Microsoft Windows(R)
WHY WE ARE ISSUING THIS UPDATE
A security issue has been identified that could allow an attacker to remotely compromise a computer running Microsoft Windows and gain complete control over it. You can help protect your computer by installing this update from Microsoft.
PRODUCTS AFFECTED
Windows 98
Windows ME
Windows NT(R) 4.0
Windows 2000
Windows XP
Windows Server(TM) 2003
Attachment: MS03-047.exe (12904 bytes)
-
The attachment is actually a ZIP archive carrying a .EXE extension, so it probably will not execute as distributed
-
If the attached file is saved, renamed to a .ZIP extension and extracted, it yields an embedded binary "ms03-047.exe" dated October 19, 2003 with a file size of 14880 bytes
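As an added example (not part of the original analysis), the following Python performs the check the two items above imply: it sniffs the attachment's leading bytes instead of trusting the .EXE name, flags the extension/content mismatch, and lists any executables inside when the content is a ZIP. The file names "MS03-047.exe" and "ms03-047.exe" and the 14880-byte size come from the analysis; the bytes are a constructed stand-in built in memory (a ZIP wrapping a zero-filled MZ-headed stub), not the real sample.

```python
"""Triage an attachment whose extension disagrees with its content.

Added example; not from the original threat entry. The lure attachment
"MS03-047.exe" and the inner file "ms03-047.exe" (14880 bytes) are named
in the analysis; the bytes built below are a constructed stand-in (a ZIP
wrapping an MZ-headed zero-filled stub), not the real worm.
"""
import io
import zipfile

# Leading-byte signatures checked instead of trusting the file extension.
MAGIC = {
    b"PK\x03\x04": "zip",   # ZIP local file header
    b"MZ": "exe",           # DOS/PE executable header
}


def sniff_type(data: bytes) -> str:
    """Return the type implied by the first bytes, or 'unknown'."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"


def extension_of(name: str) -> str:
    """Lower-cased final extension of a file name ('' if none)."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def triage_attachment(name: str, data: bytes) -> dict:
    """Report claimed vs sniffed type; for ZIPs, list executables found inside."""
    claimed = extension_of(name)
    actual = sniff_type(data)
    report = {
        "name": name,
        "claimed": claimed,
        "actual": actual,
        # Only flag when the content type is recognised and differs from the name.
        "mismatch": actual != "unknown" and claimed != actual,
        "embedded_executables": [],
    }
    if actual == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                member = zf.read(info.filename)
                # Catch executables by content or by name inside the archive.
                if sniff_type(member) == "exe" or extension_of(info.filename) == "exe":
                    report["embedded_executables"].append((info.filename, info.file_size))
    return report


def build_constructed_lure() -> bytes:
    """Constructed stand-in for the mailed attachment: a ZIP holding 'ms03-047.exe'."""
    stub = b"MZ" + b"\x00" * 14878          # 14880 bytes, the size the analysis reports
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("ms03-047.exe", stub)
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_attachment("MS03-047.exe", build_constructed_lure())
    print(report)
```

The mismatch flag is only raised when the content type is recognised, so an unknown format with an ordinary extension does not produce a false positive; a mail gateway applying this logic would quarantine the lure on the ZIP-named-as-EXE mismatch alone, before any rename-and-extract step a user might take.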
-
If that binary is run, it may install itself to the local system as "autoupdate.exe" in the %Windows%\System32 folder and add a registry value so that it runs at Windows startup -
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
"windowsupdate" = autoupdate.exe w
-
The Trojan creates a mutex named "mwinamplite" and attempts to connect to an IRC server at the hostname "itc.ourmoney.pp.ru" (IP 69.10.144.208) on TCP port 31337
-
Once connected, it awaits commands from the attacker or group of attackers controlling the channel
Recommended Action
- Block access to TCP port 31337
- Block outbound access (INT -> EXT) to the IP address 69.10.144.208, and monitor DNS resolution of the hostname itc.ourmoney.pp.ru named above
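As an added example (not part of the original entry), the following Python sweeps records for the indicators this entry lists: the C2 IP and TCP port 31337 in a connection log, the C2 hostname in DNS queries, and the Run value, dropped file name and mutex on a host. The indicator values are taken from the analysis; the record formats and every sample record are constructed for the demo, and the connection-log layout "<time> <src> <dst> <dport> <proto>" is an assumption you would adapt to your own firewall export.

```python
"""Sweep host and network records for the SDBot.AH indicators listed in this entry.

Added example; not part of the original threat entry. The indicator values
(C2 hostname, IP, port, mutex, Run value, dropped file) are taken from the
analysis above. The record formats and all sample records are constructed
for this demo: the connection log layout "<time> <src> <dst> <dport> <proto>"
is an assumption, and CONN_RE would be adapted to a real firewall export.
"""
import re

C2_HOST = "itc.ourmoney.pp.ru"
C2_IP = "69.10.144.208"
C2_PORT = 31337
MUTEX = "mwinamplite"
RUN_VALUE = "windowsupdate"
DROPPED_FILE = "autoupdate.exe"

# Constructed connection log (assumed layout, see module docstring).
SAMPLE_CONN_LOG = """\
2003-10-19T08:01:02 10.0.0.5 69.10.144.208 31337 tcp
2003-10-19T08:01:03 10.0.0.5 207.46.197.32 80 tcp
2003-10-19T08:02:10 10.0.0.9 192.168.1.1 53 udp
2003-10-19T08:05:44 10.0.0.7 69.10.144.208 6667 tcp
2003-10-19T08:06:00 10.0.0.12 203.0.113.4 31337 tcp
"""

# Constructed DNS query names seen from the network.
SAMPLE_DNS_QUERIES = ["www.microsoft.com", "itc.ourmoney.pp.ru", "ITC.OURMONEY.PP.RU."]

# Constructed dump of HKLM\...\CurrentVersion\Run values (name -> data).
SAMPLE_RUN_ENTRIES = {
    "SystemTray": "SysTray.Exe",
    "windowsupdate": r"C:\WINDOWS\System32\autoupdate.exe",
}

# Constructed list of mutex names observed on the host.
SAMPLE_MUTEXES = ["mwinamplite", r"Local\ZonesCounterMutex"]

CONN_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\w+)$")


def scan_connections(log_text: str) -> list:
    """Return (line, reasons) for each record matching the C2 IP or 31337/tcp."""
    hits = []
    for line in log_text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue                      # skip lines that do not fit the assumed layout
        _ts, _src, dst, dport, proto = m.groups()
        reasons = []
        if dst == C2_IP:
            reasons.append("dst is SDBot.AH C2 IP")
        if proto.lower() == "tcp" and int(dport) == C2_PORT:
            reasons.append("dst port 31337/tcp")
        if reasons:
            hits.append((line, reasons))
    return hits


def scan_dns(queries: list) -> list:
    """Return queried names equal to the C2 hostname (case- and trailing-dot-insensitive)."""
    return [q for q in queries if q.lower().rstrip(".") == C2_HOST]


def scan_host(run_entries: dict, mutexes: list) -> list:
    """Return reasons for host indicators: the Run value, the dropped file, the mutex."""
    reasons = []
    for value, data in run_entries.items():
        if value.lower() == RUN_VALUE or data.lower().endswith(DROPPED_FILE):
            reasons.append(f"Run value {value!r} -> {data!r}")
    if MUTEX in mutexes:
        reasons.append(f"mutex {MUTEX!r} present")
    return reasons


if __name__ == "__main__":
    for line, reasons in scan_connections(SAMPLE_CONN_LOG):
        print("NET ", line, "|", "; ".join(reasons))
    for name in scan_dns(SAMPLE_DNS_QUERIES):
        print("DNS ", name)
    for reason in scan_host(SAMPLE_RUN_ENTRIES, SAMPLE_MUTEXES):
        print("HOST", reason)
```

A port-only hit (31337/tcp to some other address) is a policy violation under the block recommended above, not proof of this worm, and the C2 IP dates from 2003 and may long since have been reassigned; the host-side indicators (Run value, dropped file, mutex) are the stronger confirmation on a suspected machine.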