W32/Sdbot-DJT is a worm with backdoor functionality which allows a remote intruder to gain access and control over the computer.
W32/Sdbot-DJT spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: ASN.1 (MS04-007). The worm may also spreads via network shares protected by weak passwords.
W32/Sdbot-DJT runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Sdbot-DJT includes functionality to:
- scan networks for vulnerabilities
- download/execute arbitrary files
- start an ftp server
- start a Proxy server
- set or remove network shares
- port scanning
- steal product registration information from certain software
- steal passwords/login information for email and chat programs
When first run W32/Sdbot-DJT copies itself to <System>\FreeS3x.exe.
The following registry entries are created to run FreeS3x.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MicroSoft OneCare
FreeS3x.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
MicroSoft OneCare
FreeS3x.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MicroSoft OneCare
FreeS3x.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
MicroSoft OneCare
FreeS3x.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
MicroSoft OneCare
FreeS3x.exe
The file FreeS3x.exe is registered as a new file system driver service named "onecare.microsoft.com", with a display name of "MicroSoft OneCare". Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\onecare.microsoft.com