Ha bisogno di assistenza? Chieda alla community oppure consulti un esperto.
Vai ad Avira Answers
Date discovered:12/10/2010
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low to medium
Damage Potential:Low to medium
Static file:Yes
File size:81.920 Bytes
MD5 checksum:1F8CD13341245588FC97E8F05C551E7E
VDF version:
IVDF version:

 General Method of propagation:
   • Autorun feature

   •  Symantec: Backdoor.Sdbot
   •  Kaspersky: Trojan.Win32.Jorik.SdBot.fb
   •  TrendMicro: TROJ_JORIK.CIB
   •  Sophos: W32/SdBot-DPL
   •  Panda: Bck/Ircbot.CZZ

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows 7

Side effects:
   • Drops files
   • Lowers security settings
   • Registry modification

 Files It copies itself to the following location:
   • %WINDIR%\oldbin.exe

 Registry One of the following values is added in order to run the process after reboot:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Ci Servs"="oldbin.exe"

 P2P In order to infect other systems in the Peer to Peer network community the following action is performed:   It searches for directories that contain the following substring:
   • emule\incoming

 IRC – Furthermore it has the ability to perform actions such as:
    • connect to IRC server
    • Join IRC channel
    • Leave IRC channel

 Miscellaneous Internet connection:
In order to check for its internet connection the following DNS server is contacted:
   • nice.niceshot.in

Anti debugging
It checks for running programs that contain one of the following strings:
   • tcpview
   • filemon
   • procmon

 File details Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Descrizione inserita da Andrei Ilie su martedì 22 marzo 2011
Descrizione aggiornata da Andrei Ilie su mercoledì 23 marzo 2011

Indietro . . . .