Skip navigation.
Home

Worm.Sedoubot.A

I have uploaded a sample of this Backdoor.
md5sum: a1d74a9027b8e81b6f2296112144517c

Below is a short description:
When it's executed, the malware will create a file named rdihost.dll in %Windir%\System32 folder and it will inject it in explorer.exe process.
It will create an own copy as an archive in %windir% folder, named "photo album.zip"
Then it will connect to an IRC channel on www.fre[blocked]e8.biz and will wait for commands from a malicious attacker. The connection string is "lol lol lol :shadowbot2"
Based on those commands the Security Center and SharedAccess services can be stopped. Also it can download and execute files or it can attack other computers.

There are a few things that I've ommited in order not to spoil the whole fun :)

hey thanks

for the sample upload and the short analysis. We make it a habit of not ommiting anything from our analysis so if your comfortable with that, feel free to provide all details possible.

thanks again!

V.

more details

If someone wants to try and run this in VM to get more information about the network traffic and file properties great, but here's some more info for people that want it.

It tries to connect to
www.free8.biz (91.121.20.160) on port 8080/tcp

IP Information 91.121.20.160
Record Type: IP Address
IP Location: France France - Ovh Sas
Reverse DNS: ns24245.ovh.net
Blacklist Status: Clear

where it tries to connect via IRC to:
Channel or user: "lol lol lol :shadowbot2"
then sends a PRIVMSG and NOTICE to: ".imstart" with some victim information about uptime
Other users/channels: "skysyn" and "msnfuck"

Mutex on victim: "suckmydick:pomgfuckingstupidgay!!!"

There also seems to be another file downloaded (from the IRC channel?) with an MD5
hash: e5d972968afa2721d683b61a0d237b54

Other things of interest:
- It seems to use "Protected Storage" space to hide it's IRC credentials
- Runs with System level privs by identifying the "user" of Explorer.exe