SdBot.XV

Category: Trojan

Risk: Severe Risk

* Severe threats typically are remotely exploitable vulnerabilities, which can lead to system compromise. Successful exploitation does not normally require any interaction and exploits are in the wild. There exists a high possibility of potential system damage or security flaw. Attacker has complete control over your computer or install new software on your machine.

Description: SDBot is the name of a family of remote access tools, also known as backdoors or worms, used by hackers to control a machine without the owner's knowledge. SdBot.XV is a network worm with backdoor Trojan functionality for the Windows platform. When first run, SdBot.XV copies itself to the Windows system folder as mskev.exe and creates the following registry entries in order to run each time a user logs on: HKLM\System\CurrentControlSet\Control\Lsa Windows kev Messenger mskev.exe HKLM\Software\Microsoft\Ole Windows kev Messenger mskev.exe HKLM\Software\Microsoft\Windows\CurrentVersion\Run Windows kev Messenger mskev.exe HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce Windows kev Messenger mskev.exe HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices Windows kev Messenger mskev.exe HKCU\Software\Microsoft\Windows\CurrentVersion\Run Windows kev Messenger mskev.exe HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices Windows kev Messenger mskev.exe The worm spreads through network shares protected by weak passwords and through various operating system vulnerabilities. SdBot.XV connects to a predetermined IRC channel and awaits further commands from remote users.

Alias: W32/Sdbot-XV

Signatures:
process: mskev.exe: MD5 Hash: f7113d9b526af011c80
process: mskev.exe: MD5 Hash: a439ee6370ee4a05b4d..