ID	220231
Released	May 07, 2006
Description Updated	Jun 07, 2007

Detection Availability

FortiGate
Extended
FortiClient
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Threat Profile

Aliases:

Backdoor.Win32.SdBot.gen
W32/Sdbot.worm.gen
W32/Sdbot-Fam
WORM_SDBOT.EQR
W32/Sdbot.WDS
Backdoor.SDBot.AAZA
IRC/SdBot
W32/Sdbot.JJP.worm
IRC/BackDoor.SdBot
Backdoor.SdBot.gen
WORM/Sdbot.34816.27
BackDoor.IRC.Sdbot.based

Platform: W32

Win32 file format / PE 32 bit

Type: Worm (worm)

Update History

Date	Version	Detail
2023-05-09	91.03106
2023-04-25	91.02686
2023-03-28	91.01840
2023-03-25	91.01756
2023-03-21	91.01630
2023-03-14	91.01431
2023-03-14	91.01420
2023-02-22	91.00807
2023-02-21	91.00794
2023-02-16	91.00651

Refine Search

Threat Encyclopedia

W32/SDBot.1!worm

Analysis

Copies itself to the System folder as update.exe.
Registry Modification
Adds the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Configuration Loader = "update.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Configuration Loader = "update.exe"

Other Behavior
Connects to the one of the following Internet Relay Chat (IRC) servers:
- irc.undernet.org
- LosAngeles.CA.US.Undernet.org
- Oslo1.NO.EU.undernet.org
on one of the following channels:
- #DRX-ARMY
- #DRX-ARMY2
When connected, it listens for commands that allow the remote attacker to perform any of the following actions:
- Download files
- Send UPD, ICMP, and SYN packets to specified servers
- Send information such as the following:
  - CPU type
  - Total RAM
  - Available RAM
  - OS version
  - User name

Recommended Action

FortiGate Systems

Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the 'Allow Push Update' option.
FortiClient Systems
Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry