IRC-Sdbot
- Type: Trojan
- SubType: Win32
- Discovery Date: 02/07/2002
- Length: varies
- Minimum DAT: 4186 (02/13/2002)
- Updated DAT: 4401 (10/27/2004)
- Minimum Engine: 5.1.00
- Description Added: 03/20/2002
- Description Modified: 07/03/2003 3:24 AM (PT)
Characteristics
There are numerous variants of this trojan so this description is only a guide. The trojan source code has been released on various websites. Newer variants require the latest, and in some cases the upcoming, DAT release for detection and removal.
--Update May 07, 2003--
A new variant of this threat has been seen in a large number of email messages. This variant is detected with the 4249 DAT files (and higher) and 4.2.40 engine as IRC-Sdbot. AVERT has received a handful of samples of this variant. When this trojan receives the appropriate command, via IRC, it attempts to SPAM itself using the following email message (note: this is not worm functionality as someone must manually send a mailing command to all of the IRC-Sdbot drones):
Subject: Hi, I sent you an eCard from BlueMountain.com
Body: To view your eCard, open the attachment
If you have any comments or questions, please visit http://www.bluemountain.com/customer/index.pd
Thanks for using BlueMountain.com.
Attachment: BlueMountaineCard.pif
When the attachment is run, the trojan installs itself on the local system. It copies itself to the WINDOWS SYSTEM (%SysDir%) directory as iexplorer.exe and creates a registry run key so that it is loaded at startup:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "sysconfig" = iexplorer.exe
This trojan connects to an IRC channel and accepts commands from there. The commands are related to performing denial of service attacks and downloading and running files on the victim's computer.
This was first added in the 4186 DATs, but newer variants require the latest DAT and engine files.
Symptoms
- Registry key or file mentioned above
- Unexpected traffic on TCP port 6667
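The two symptoms above (the Run value "sysconfig" = iexplorer.exe and unexpected TCP/6667 traffic) can be checked mechanically. The following script is an added example, not part of the original description or of any vendor tool: it parses a constructed fragment of a .reg export and a constructed, hypothetical firewall log format (timestamp, src:port -> dst:port, protocol, action) and reports both indicators. It compares the executable name exactly, because Internet Explorer's own binary is iexplore.exe (no second "r"), and it accepts an allowlist of IRC servers the organisation knows about so that only unexpected 6667 traffic is flagged.

```python
import re
from collections import defaultdict

# Indicators quoted from the description above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "sysconfig"
RUN_VALUE_DATA = "iexplorer.exe"   # note the extra "r": the real Internet Explorer binary is iexplore.exe
IRC_PORT = 6667

# Constructed sample .reg export fragment (not taken from the original page).
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"sysconfig"="iexplorer.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"""

# Constructed sample firewall log lines in a hypothetical format:
# <timestamp> <src>:<sport> -> <dst>:<dport> <proto> <action>
SAMPLE_FW_LOG = """\
2003-05-07T10:01:12Z 192.168.1.25:1043 -> 203.0.113.7:6667 TCP ALLOW
2003-05-07T10:01:13Z 192.168.1.25:1044 -> 198.51.100.20:80 TCP ALLOW
2003-05-07T10:02:40Z 192.168.1.30:2210 -> 203.0.113.7:6667 TCP ALLOW
2003-05-07T10:03:01Z 192.168.1.25:1045 -> 198.51.100.20:443 TCP ALLOW
"""

_SECTION_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
_FW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)\s+(?P<action>\w+)$"
)


def find_run_key_indicators(reg_text):
    """Return Run values whose key, name and executable match the persistence entry above."""
    hits = []
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = _SECTION_RE.match(line)
        if sec:
            current_key = sec.group(1)
            continue
        val = _VALUE_RE.match(line)
        if not val or current_key is None:
            continue
        name, data = val.group(1), val.group(2)
        # .reg exports double the backslashes; compare only the file name so a
        # full path such as C:\\WINDOWS\\system32\\iexplorer.exe also matches.
        exe = data.replace("\\\\", "\\").split("\\")[-1].lower()
        if (current_key.lower() == RUN_KEY.lower()
                and name.lower() == RUN_VALUE_NAME
                and exe == RUN_VALUE_DATA):
            hits.append({"key": current_key, "name": name, "data": data})
    return hits


def find_irc_connections(log_text, expected_servers=frozenset()):
    """Map each source IP to the TCP/6667 destinations it contacted, skipping known servers."""
    talkers = defaultdict(list)
    for line in log_text.splitlines():
        m = _FW_RE.match(line.strip())
        if not m:
            continue  # unparseable line: ignore rather than guess
        if m["proto"].upper() != "TCP" or int(m["dport"]) != IRC_PORT:
            continue
        if m["dst"] in expected_servers:
            continue
        if m["dst"] not in talkers[m["src"]]:
            talkers[m["src"]].append(m["dst"])
    return dict(talkers)


def assess(reg_text, log_text, expected_servers=frozenset()):
    """Combine the host-side and network-side symptoms into one summary."""
    reg_hits = find_run_key_indicators(reg_text)
    irc = find_irc_connections(log_text, expected_servers)
    return {
        "persistence_found": bool(reg_hits),
        "run_values": reg_hits,
        "hosts_on_irc_port": sorted(irc),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_REG_EXPORT, SAMPLE_FW_LOG))
```

A host listed in hosts_on_irc_port with no matching Run value is still worth a look: the description notes that newer variants differ, so the network symptom should not be discounted just because the registry name does not match.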
Method of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc. This trojan is also known to be bundled with many different worms.
Removal
All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.
Variants
- Backdoor-AHI
Overview
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Aliases
- Backdoor.SdBot.gen (AVP)
- Backdoor/IRC.SdBot (RAV)
- Mindjail
- W32.HLLW.Cult.C@mm (Symantec)