Virus: DR/Sdbot.150826
Date discovered: 11/10/2006
Type: Dropper
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low to medium
Static file: Yes
File size: 150.826 Bytes
MD5 checksum: b22951090698cbb0ae863704ec7b57e8
VDF version: 6.35.01.196
IVDF version: 6.35.01.200 - Friday, September 8, 2006

General
Method of propagation:
   • No own spreading routine


Alias:
   •  TrendMicro: TROJ_MULTIDRP.EW


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops malicious files
   • Registry modification

Files
It creates the following directory:
   • c:\winnt\system32



The following files are created:

– c:\winnt\system32\hydroco.exe It is executed after it has been fully created. Further investigation showed that this file is also malware. Detected as: TR/Proxy.Ranky.FX

– c:\winnt\system32\inflamt.exe It is executed after it has been fully created. Further investigation showed that this file is also malware. Detected as: WORM/IRCBot.31392

Registry
The following registry key is added:

– [HKCU\Software\WinRAR SFX]
   • "C%%WINNT%SYSTEM32%"="%SYSDIR%\"

File details
Runtime packer:
To make detection more difficult and to reduce the size of the file, it is packed with a runtime packer.

Description inserted by Monica Ghitun on Wednesday, October 11, 2006
Description updated by Andrei Ivanes on Friday, October 27, 2006
