W32/Sdbot-AGL is a worm and IRC backdoor Trojan for the Windows platform.
W32/Sdbot-AGL spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: RPC-DCOM (MS04-012), PNP (MS05-039) and ASN.1 (MS04-007) and by copying itself to network shares protected by weak passwords.
W32/Sdbot-AGL runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
When first run W32/Sdbot-AGL copies itself to <Windows>\msmsgredss.exe.
The following registry entries are created to run msmsgredss.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Intec Service Drivers
msmsgredss.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Intec Service Drivers
msmsgredss.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Intec Service Drivers
msmsgredss.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Intec Service Drivers
msmsgredss.exe
W32/Sdbot-AGL sets the following registry entries, disabling the automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
Note: disabling autostart for the SharedAccess service deactivates the Microsoft Internet Connection Firewall (ICF).
Registry entries are set as follows:
HKCU\SYSTEM\CurrentControlSet\Control\Lsa
Intec Service Drivers
msmsgredss.exe
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Intec Service Drivers
msmsgredss.exe
HKCU\Software\Microsoft\OLE
Intec Service Drivers
msmsgredss.exe
HKLM\SOFTWARE\Microsoft\Ole
Intec Service Drivers
msmsgredss.exe
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1