W32/Sdbot-CWO

Category: Viruses and Spyware Protection available since:06 Jan 2007 00:00:00 (GMT)
Type: Win32 worm Last Updated:06 Jan 2007 00:00:00 (GMT)
Prevalence: Small Number of Reports

Download Download our free Virus Removal Tool - Find and remove threats your antivirus missed

W32/Sdbot-CWO is a network worm with IRC backdoor functionality.

W32/Sdbot-CWO spreads by exploiting common network vulnerabilities.

W32/Sdbot-CWO allows a remote attacker to gain access and control over the infected computer using IRC channels. W32/Sdbot-CWO is a network worm with IRC backdoor functionality.

W32/Sdbot-CWO spreads by exploiting common network vulnerabilities.

W32/Sdbot-CWO allows a remote attacker to gain access and control over the infected computer using IRC channels.

When first run, W32/Sdbot-CWO copies itself to <System>\adv32.exe and creates the following registry entries in order to be run automatically:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Office Monitor
<System>\adv32.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Office Monitor
<System>\adv32.exe

W32/Sdbot-CWO sets the following registry entries in order to secure the infected computer against further exploits:

HKLM\SOFTWARE\Microsoft\Ole\
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
restrictanonymous
1

download Try Sophos products for free
Download now

© 1997 - 2012 Sophos Ltd. All rights reserved. Legal Privacy