W32/Sdbot-ACG

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Small Number of Reports


W32/Sdbot-ACG is a worm for the Windows platform.

W32/Sdbot-ACG spreads to other network computers by exploiting common buffer overflow vulnerabilities, including PnP (MS05-039) and LSASS (MS04-011).

W32/Sdbot-ACG runs continuously in the background, providing a backdoor server that allows a remote intruder to gain access to and control over the computer via IRC channels.

W32/Sdbot-ACG includes functionality to:

- steal confidential information
- carry out DDoS flooder attacks
- silently download, install and run new software
- inject itself into the Windows Explorer process in order to hide itself

When first run, W32/Sdbot-ACG copies itself to <System>\mousebm.exe.

The file mousebm.exe is registered as a new system driver service named "mousebm", with a display name of "Mouse Button Monitor" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\mousebm\

W32/Sdbot-ACG creates the file <Windows>\Debug\dcpromo.log which can be deleted.

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM = n

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous = 1
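As an added example (not Sophos's code and not part of the original description), a small Python triage helper that parses a regedit .reg export and reports which of the service and registry indicators listed above are present. The export it runs on is constructed for illustration; the long-form key names and the Start = 2 (automatic) value are assumptions about how the "mousebm" service appears in such an export.

```python
import re
# Indicators from the W32/Sdbot-ACG description above, in the long key form regedit exports.
SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mousebm"
OLE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole"
LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

# Constructed sample .reg export (not captured from a real infection).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mousebm]
"DisplayName"="Mouse Button Monitor"
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001
"""

def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: data}} (strings unescaped, dwords as int)."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        key = re.match(r"^\[(.+)\]$", line)
        val = re.match(r'^"([^"]+)"=(.+)$', line)
        if key:
            current = key.group(1)
            keys.setdefault(current, {})
        elif current is not None and val:  # header, blank and comment lines fall through
            name, data = val.group(1), val.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")
            elif data.lower().startswith("dword:"):
                data = int(data[6:], 16)
            keys[current][name] = data
    return keys

def sdbot_acg_indicators(reg):
    """Return the registry indicators from the description that appear in a parsed export."""
    hits, svc = [], reg.get(SERVICE_KEY, {})
    if svc:
        hits.append("service 'mousebm' registered")
        if svc.get("DisplayName") == "Mouse Button Monitor":
            hits.append("display name 'Mouse Button Monitor'")
        if svc.get("Start") == 2:  # 2 == SERVICE_AUTO_START (assumed value for "automatic")
            hits.append("startup type automatic")
    if str(reg.get(OLE_KEY, {}).get("EnableDCOM", "")).lower() == "n":
        hits.append("DCOM disabled (EnableDCOM=n)")
    if reg.get(LSA_KEY, {}).get("restrictanonymous") == 1:
        hits.append("restrictanonymous=1")
    return hits
```

On a live machine the same checks can be run against the output of `reg export` for the three keys; a clean system should return an empty list.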

The following patches for the operating system vulnerabilities exploited by W32/Sdbot-ACG can be obtained from the Microsoft website:

MS05-039
MS04-011
