Overview
Summary:
Connects to either a Dalnet or EFnet IRC server on port 6667. On Dalnet it was observed to enter channel #m@%n&-*| with key 'keyz'. The nickname, username and real name all appear to be random and independent of each other. When run, it expands to c:\WINDOWS\SYSTEM\kernel32.exe. It writes to the registry in two places:
1. [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] as 'KERNEL32'='kernel32.exe' (possibly related was 'WHVLXD'='C:\\WINDOWS\\FONTS\\WHVLXD.exe' in the same section of the registry).
2. [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] as 'KERNEL32'='kernel32.exe'
Alias:
Backdoor Program [Panda], Backdoor.SdBot.05.w [Kaspersky], IRC-Sdbot [McAfee], packed: PE_Patch [Kaspersky], security risk or a "backdoor" program [F-Prot], Win32.Sdbot.G [Computer Associates], Win32/Gnu!Trojan [Computer Associates], Win32/IRC.SdBot.05.W trojan [Eset]
Category:
Backdoor: A secret or undocumented means of getting into a computer system, or software that uses such a means to penetrate a system. Some software has a backdoor placed by the programmer to allow them to gain access to troubleshoot or change the program. Software that is classified as a "backdoor" is designed to exploit a vulnerability in a system and open it to future access by an attacker.
Trojan: Any program with a hidden intent. Trojans are one of the leading causes of machine compromise. If you pull down a program from a chat room, newsgroup, or even from unsolicited e-mail, the program is likely trojaned with some subversive purpose. The word Trojan can be used as a verb: to trojan a program is to add subversive functionality to an existing program. For example, a trojaned login program might be programmed to accept a certain password for any user's account, which the hacker can use to log back into the system at any time. Rootkits often contain a suite of such trojaned programs.
Similar Pests:
Backdoor · Trojan
Origins

Date of Origin:
November, 2003
Operation

Storage Required:
Detection and Removal

Automatic Removal:

Manual Removal:
Follow these steps to remove Acebot 6667 from your machine. Begin by backing up your registry and your system, and/or setting a Restore Point, to prevent trouble if you make a mistake.
Stop Running Processes: Kill these running processes with Task Manager:
Remove Files: Remove these files (if present) with Windows Explorer:
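The entry above lists no concrete process or file names in its removal steps, but the Summary gives three kinds of indicator that an administrator can check for before touching anything: the Run/RunServices registry values, the dropped kernel32.exe (and the possibly related WHVLXD.exe), and an IRC connection on TCP 6667. The following read-only PowerShell script is an added example, not part of the original entry or of any vendor's tooling; it only reports what it finds and removes nothing. The file paths are derived from $env:SystemRoot rather than hard-coded to C:\WINDOWS, which is an assumption that the drop location follows the Windows directory.

```powershell
# Added example (not from the original entry): read-only check for the Acebot 6667
# indicators listed in the Summary. Run in an elevated PowerShell session.

$findings = @()

# 1. Autostart values reported in the Summary: 'KERNEL32'='kernel32.exe' under both
#    Run and RunServices, plus the possibly related 'WHVLXD' value under Run.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)
foreach ($key in $runKeys) {
    # RunServices only exists on Windows 9x/Me; skip keys that are not present.
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in 'KERNEL32', 'WHVLXD') {
        $value = $props.$name
        if ($null -ne $value) {
            $findings += [pscustomobject]@{ Kind = 'Registry'; Location = "$key\$name"; Value = $value }
        }
    }
}

# 2. Dropped files. The Summary gives c:\WINDOWS\SYSTEM\kernel32.exe; the genuine
#    Windows component is kernel32.dll, so an .exe with this name is not expected.
#    Assumption: the drop location follows $env:SystemRoot on this machine.
$dropPaths = @(
    (Join-Path $env:SystemRoot 'SYSTEM\kernel32.exe'),
    (Join-Path $env:SystemRoot 'FONTS\WHVLXD.exe')
)
foreach ($path in $dropPaths) {
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path
        $findings += [pscustomobject]@{
            Kind     = 'File'
            Location = $path
            Value    = "$($item.Length) bytes, modified $($item.LastWriteTime)"
        }
    }
}

# 3. Network: the Summary says the bot connects to IRC on TCP 6667. An established
#    connection to that port is corroborating evidence, not proof on its own
#    (Get-NetTCPConnection needs Windows 8 / Server 2012 or later).
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    Get-NetTCPConnection -RemotePort 6667 -State Established -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $findings += [pscustomobject]@{
                Kind     = 'Network'
                Location = "$($_.RemoteAddress):6667"
                Value    = "PID $($_.OwningProcess) ($($proc.ProcessName))"
            }
        }
}

if ($findings.Count -eq 0) {
    'No Acebot 6667 indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Because the registry values and file names above are the indicators the entry itself reports, a hit on any of them is the cue to follow the manual removal steps (back up first, then kill the process, delete the file and remove the Run/RunServices values). A 6667 connection by itself is weaker evidence, since legitimate IRC clients use the same port; treat it as confirmation alongside the registry or file findings rather than as a trigger on its own.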
Research

File Analyses:

More Info:

Research By:

Last Revised:
February 24, 2005