-
Lazy trojan?
Some guy I thought was better than this sent me some stuff infected with "Backdoor.SdBot.05.gen", how can I figure out how that trojan is configured or if it's an infected file at all? I remember seeing some apps which just stripped all the configuration settings from the awesome sub7/netbus trojans, but I dunno about SdBot (and before anyone jumps up and starts screaming, that stuff up there was irony). And how about just asking him? Well, believe me I will ask whenever I get hold of him again..
Anyway, I've tried to monitor packets and registry changes. Which resulted in nothing, nothing at all.
Any help would be appreciated.
-
SDBOT/SGBOT are IRC trojan bots mainly used for DoS attacks, and sometimes even to obtain passwords. Below is an attachment which will give you an example of one of these bots.
NOTE: I have stripped the actual bot from the attachment below, leaving just the documentation. I don't want to have people download the actual bot due to me :D
This attachment is an actual command reference for an SDBOT, so it will give you the ideas of its capabilities. Once the bot is configured, it's compiled into an .exe file. Source code is NOT included here!
Cheers.
-
Yeah I knew it was an IRC trojan bot, and that it's compiled into .exe's (trojan itself is 17kb or something). Source code is far from interesting here, I just wanted to know what this fella wanted his trojan to do. I consider myself pretty secure here, so the trojan wouldn't really work anyway as all traffic is routed to nowhere.
Oh well, guess he can explain himself better than anyone here, thanks anyway :)
-
Well, one way of finding out is by using a packet sniffer, and sniffing all packets as to what goes where, or what comes from where, including the commands issued themselves. Ethereal might be your friend in this case. Also using netstat might be neat, since it will tell you where the bot is connected to (which IRC server for example). There are many ways to filter out where these people are, and what they are actually doing. A well-configured firewall is helpful here. At the time when this version of the bot came out (the one in my attachment), no AV could pick it up. That's about a year old now. Don't rely on AVs for that. The newest versions of these bots might still be invisible to AV scanners or other spyware tools.
A lil rule of thumb here. Never think you're safe, as it would lead to lack of security. Be paranoid.
Cheers.
-
Hehe, I'm very paranoid, but after a week with having it running on a PI 133MHz without seeing any traffic at all, I'm.. Kinda getting the feeling this is some kinda hoax. Perhaps that trojan scanner is messing with me. And yea, that's Ethereal running through the whole week, shoulda picked up something if it was a trojan..
-
not necessarily -- if the trojan has a timebomb where it will activate on a certain date, or has to be enabled by some remote command through a backdoor it opens then it wouldn't show any traffic
-
Ok, I'll just leave it running and log everything that goes on then. After all it's interesting seeing what he was thinking of doing, and, well, he can just mess as much as he wants with the old computer which anyway isn't doing anything. But if he goes to doing something malicious which he knows I'd hate then, well. At least I will know.
-
Gah, been looking through the source, and.. What a waste...
so.
Does anyone know of any ways to get some info from this trojan? It doesn't do anything atm, so I can't even see where it is supposed to connect to for commands. It would be fun compiling some kinda "honeypot" which responds to his commands with questioning what he's doing on my computer without asking me for permission. :)
I have both .exe's (before and after melting), and, well.. It seems like it runs the standard syscfg32.exe registry startup, should be a sign telling he hasn't altered the trojan too much.
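When a bot sits idle and shows no traffic (as in this thread), a static string triage of the unpacked ("melted") binary is the quickest way to recover the IRC server, port, and startup key it was built with. The script below is an added example, not anything from the thread or the bot's documentation; it runs over a constructed byte buffer standing in for a binary, and the host `irc.example.invalid` is a placeholder.

```python
import re

# Constructed sample: printable strings padded with binary junk, standing in
# for what an unpacked SdBot-style binary might contain. Not a real sample.
SAMPLE = (
    b"\x00\x90MZ\x00\x01" + b"NICK %s\x00" + b"\xff\xfeUSER %s 0 0 :%s\x00"
    + b"JOIN %s %s\x00" + b"PRIVMSG %s :%s\x00" + b"\x00\x00"
    + b"irc.example.invalid\x00" + b"6667\x00"  # placeholder C2 host/port
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"syscfg32.exe\x00" + b"\x12\x34"
)

IRC_VERBS = {"NICK", "USER", "JOIN", "PRIVMSG", "PASS", "MODE", "PONG"}
RUN_KEY_RE = re.compile(r"CurrentVersion\\Run", re.IGNORECASE)
HOST_RE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$", re.IGNORECASE)


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return runs of printable ASCII at least min_len long (a plain `strings`)."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage(data: bytes) -> dict:
    """Bucket extracted strings into what an analyst wants to see first:
    IRC protocol verbs, hostname-like strings, bare port numbers,
    autorun registry paths and dropped executable names."""
    out = {"irc_verbs": set(), "hosts": [], "ports": [], "run_keys": [], "exe_names": []}
    for s in extract_strings(data):
        first = s.split()[0] if s.split() else s
        if first in IRC_VERBS:
            out["irc_verbs"].add(first)
        elif s.lower().endswith(".exe"):      # checked before HOST_RE: "x.exe" looks like a host
            out["exe_names"].append(s)
        elif HOST_RE.match(s):
            out["hosts"].append(s)
        elif s.isdigit() and 1 <= int(s) <= 65535:
            out["ports"].append(int(s))
        elif RUN_KEY_RE.search(s):
            out["run_keys"].append(s)
    out["irc_verbs"] = sorted(out["irc_verbs"])
    # Several IRC verbs plus a hostname is a strong hint of an IRC-controlled bot.
    out["looks_like_irc_bot"] = len(out["irc_verbs"]) >= 3 and bool(out["hosts"])
    return out


if __name__ == "__main__":
    for key, val in triage(SAMPLE).items():
        print(f"{key}: {val}")
```

Run it over the melted .exe by replacing `SAMPLE` with `open(path, "rb").read()`; on a packed binary the strings are hidden until it is unpacked, so the two copies will give very different results.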