Threat Information for "BackDoor.IRC.Sdbot.496"

Removal Top

StopSign will automatically remove this infection with a paid membership.

Summary Top
  • Name: BackDoor.IRC.Sdbot.496
  • Aliases:
  • Date Discovered: 2006-11-03
  • Protection Added: 2006-11-10
Description Top 
-- Ease of Removal

1: Uses running processes
2: Runs as a service
3: Consistently named
4: Consistent file contents
5: Creates new registry entries with consistent data

-- Privacy Risks/Security Changes

1: Opens backdoors
2: Mimics legitimate file names

-- Damage/Intrusion/Annoyance

1: Significantly slows down the computer
2: Creates new files
3: Downloads other threats

-- Propagation/Saturation

1: Infects from a link in an email
2: Infects from an email attachment
3: Installed by other infections
Technical Details Top
  • Added Directory/File:
    FilePath: %SYSTEMDIR%\rdriv.sys
  • Added Directory/File:
    FilePath: %WINDIR%\*.* MD5: eb6f41b9b17158fa1b765aa9cb3f36a0
  • Added Registry Key:
    Key: HKLM\SYSTEM\CurrentControlSet\Services\MicroSoft Media Tools
  • Added Registry Key:
    Key: HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICROSOFT_MEDIA_TOOLS
  • Added Registry Key:
    Key: HKLM\SYSTEM\CurrentControlSet\Services\rdriv
  • Added Registry Key:
    Key: HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RDRIV
  • Added Registry Value:
    Key: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate Value: DoNotAllowXPSP2
  • Added Registry Value:
    Key: HKLM\SOFTWARE\Microsoft\Security Center Value: UpdatesDisableNotify
  • Added Registry Value:
    Key: HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters Value: AutoShareWks
  • Added Registry Value:
    Key: HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters Value: AutoShareWks
  • Added Registry Value:
    Key: HKLM\SOFTWARE\Microsoft\Security Center Value: AntiVirusOverride
  • Added Registry Value:
    Key: HKLM\SOFTWARE\Microsoft\Security Center Value: AntiVirusDisableNotify
  • Added Registry Value:
    Key: HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters Value: AutoShareServer
  • Added Registry Value:
    Key: HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters Value: AutoShareServer
  • Added Registry Value:
    Key: HKLM\SOFTWARE\Microsoft\Security Center Value: FirewallOverride
  • Added Registry Value:
    Key: HKLM\SOFTWARE\Microsoft\Security Center Value: FirewallDisableNotify