Aliases: W32/Sdbot.worm, W32/Sdbot.worm.gen, W32/Sdbot.worm.gen.b
Variants: Worm:Win32/Slenfbot.OG, W32.HLLW.Donk

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: South America, Europe, Asia
Removal: Easy
Platform: W32
Discovered: 14 Sep 2007
Damage: Medium

Characteristics: Designed to abuse the Instant Messaging functionality available on the operating system, this malware scans for the presence of a specific Instant Messaging client and uses it as a transport mechanism for spreading. Contacts in the client's contact list are potential targets of the W32.Mimbot.B infection. It also opens an unsecured backdoor component that gives the remote attacker unobstructed access to the infected computer system.

More details about W32.Mimbot.B

W32.Mimbot.B drops a ZIP-compressed file into the operating system directory and places a Dynamic Link Library (DLL) component into a subfolder of that directory. It then creates a corresponding Windows Registry value that causes it to be loaded into the memory of running applications, and a subkey under the Classes category in which another component of the malware is registered. After modifying the registry, W32.Mimbot.B uses TCP port 81 to start its backdoor component, which is activated by connecting to predetermined Internet Relay Chat (IRC) servers.

The backdoor component of W32.Mimbot.B serves as the bridge between the remote attacker and the compromised computer system. Once open, it allows files to be downloaded to and arbitrarily executed on the infected machine; these may be code updates for W32.Mimbot.B or other malicious code. A flush-DNS command may be issued remotely to clear the DNS resolver cache on the host. The backdoor also lets the remote attacker take control of the Instant Messaging client as if they were sitting in front of the hijacked machine.
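The two network and file-system indicators described above (an IRC command channel carried over the non-standard TCP port 81, and a ZIP archive dropped directly into the operating system directory) can be turned into a simple triage check. The script below is an added example written for this entry; it is not code from the original page or from any vendor tool. The connection records, payload bytes and file paths are constructed for the demonstration, and the `Connection` record type and the `C:\Windows` system-directory default are assumptions, not values taken from the malware itself.

```python
"""Triage helper for W32.Mimbot.B-style indicators (added example).

Flags (1) outbound TCP connections on port 81 whose first bytes look like an
IRC registration handshake, and (2) ZIP archives sitting directly in the
Windows system directory. All sample data below is constructed.
"""

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# IRC is a line-oriented text protocol; a client normally opens with
# PASS/NICK/USER and then JOINs a channel.  Matching the first two lines
# against these verbs is enough to distinguish it from HTTP on the same port.
IRC_COMMAND = re.compile(r"^(PASS|NICK|USER|JOIN|PRIVMSG)\b", re.IGNORECASE)

# Port the entry associates with the Mimbot.B backdoor.
BACKDOOR_PORT = 81


@dataclass
class Connection:
    """Minimal outbound-connection record (constructed shape, not a real log format)."""
    process: str
    remote_ip: str
    remote_port: int
    payload: bytes  # first bytes the process sent on the connection


def looks_like_irc(payload: bytes) -> bool:
    """Return True if the first non-empty lines start with IRC client commands."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return False  # IRC handshakes are plain ASCII
    lines = [ln for ln in text.splitlines() if ln.strip()]
    return bool(lines) and all(IRC_COMMAND.match(ln) for ln in lines[:2])


def flag_connections(conns):
    """Return one reason string per connection matching the port-81 IRC pattern."""
    reasons = []
    for c in conns:
        if c.remote_port == BACKDOOR_PORT and looks_like_irc(c.payload):
            reasons.append(
                f"{c.process} -> {c.remote_ip}:{c.remote_port}: "
                f"IRC handshake on non-standard TCP port {BACKDOOR_PORT}"
            )
    return reasons


def flag_dropped_files(paths, system_dir="C:\\Windows"):
    """Return paths of ZIP archives located directly inside the system directory.

    PureWindowsPath compares case-insensitively, so 'c:\\windows' matches too.
    Only ZIPs are flagged: DLLs under System32 are far too common to alert on.
    """
    sysdir = PureWindowsPath(system_dir)
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.suffix.lower() == ".zip" and wp.parent == sysdir:
            hits.append(p)
    return hits


# --- constructed sample data -------------------------------------------------
SAMPLE_CONNECTIONS = [
    Connection("browser.exe", "203.0.113.10", 80,
               b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Connection("svchost.exe", "198.51.100.7", 81,
               b"NICK bot12345\r\nUSER bot 0 * :bot\r\nJOIN #ctl\r\n"),
    Connection("update.exe", "192.0.2.20", 81,
               b"GET /update.bin HTTP/1.1\r\nHost: 192.0.2.20\r\n\r\n"),
]

SAMPLE_FILES = [
    "C:\\Windows\\payload.zip",
    "C:\\Windows\\System32\\helper.dll",
    "C:\\Users\\alice\\Downloads\\report.zip",
]


def main():
    for reason in flag_connections(SAMPLE_CONNECTIONS):
        print("[NET]", reason)
    for path in flag_dropped_files(SAMPLE_FILES):
        print("[FS ]", "ZIP archive in system directory:", path)


if __name__ == "__main__":
    main()
```

Port 81 alone is a weak signal (plenty of legitimate HTTP runs there), which is why the check requires the IRC handshake as well; the third sample connection shows an ordinary HTTP request on port 81 passing through unflagged.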