Troj/Sdbot-BX

Please follow the instructions for removing Trojans.

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\ Run\
Postfix patch = %SYSTEM%\ngfqes.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\ RunServices\
Postfix patch = %SYSTEM%\ngfqes.exe

and delete them if they exist

Close the registry editor.

Troj/Sdbot-BX is a backdoor Trojan which allows a remote intruder to gain access and control over the computer via IRC channels.

When first run Troj/Sdbot-BX copies itself to the Windows System folder as ngfqes.exe and creates the following registry entries, so that ngfqes.exe is run automatically each time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\ Run\
Postfix patch = %SYSTEM%\ngfqes.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\ RunServices\
Postfix patch = %SYSTEM%\ngfqes.exe

Each time the Trojan is run it tries to connect to an IRC server and join a specific channel. The Trojan then runs continuously in the background as a service process, listening on the IRC channel for specific commands and carrying out the appropriate actions.

Troj/SdBot-BX may arrive as part of a self-extracting archive which drops both Troj/Sdbot-BX and Troj/Ranck-C to the Windows System folder and then runs them (see also the description for Troj/Ranck-C).