W32/Sdbot-TE is a Windows worm that spreads via network shares with weak passwords. When run, the worm stays resident in the background as a process and opens a backdoor through which a remote intruder can control the computer over IRC channels.
The worm also copies itself to the Windows System folder with the filename saskatcw.exe.
W32/Sdbot-TE creates the following registry entries so as to run itself on user logon (under each key, the value name "Syntax Script" is set to the data "saskatcw.exe"):

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Syntax Script = saskatcw.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    Syntax Script = saskatcw.exe

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Syntax Script = saskatcw.exe
The worm also attempts to copy gahztil.exe to network shares.
When instructed by a remote attacker, W32/Sdbot-TE attempts to download files from the internet and run them.
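The following read-only PowerShell check is an added example, not part of the Sophos advisory; it looks for the persistence artefacts the advisory lists (the three "Syntax Script" Run/RunServices values, the saskatcw.exe drop in the System folder, and gahztil.exe in the root of local SMB shares). It assumes the System folder is the one reported by [Environment]::SystemDirectory and that Get-SmbShare is available (Windows 8 / Server 2012 or later); it reports findings and removes nothing.

```powershell
# Added example (not from the advisory): hunt for W32/Sdbot-TE persistence artefacts.
$valueName = 'Syntax Script'
$dropName  = 'saskatcw.exe'
$shareName = 'gahztil.exe'
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

$findings = @()

foreach ($key in $runKeys) {
    # RunServices does not exist on NT-based Windows, so a missing key is not an error.
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    # Index by name so the space in "Syntax Script" is handled correctly.
    $entry = $props.PSObject.Properties[$valueName]
    if ($null -ne $entry) {
        $findings += [pscustomobject]@{
            Type = 'Registry'; Location = "$key\$valueName"; Detail = $entry.Value
        }
    }
}

# The dropped copy in the Windows System folder (assumed to be System32 on NT-based Windows).
$dropPath = Join-Path ([Environment]::SystemDirectory) $dropName
if (Test-Path -LiteralPath $dropPath) {
    $findings += [pscustomobject]@{
        Type = 'File'; Location = $dropPath
        Detail = (Get-FileHash -LiteralPath $dropPath -Algorithm SHA256).Hash
    }
}

# The advisory says the worm copies gahztil.exe to network shares, so check the root of
# each local SMB share (administrative shares such as C$ map to the drive root).
foreach ($share in (Get-SmbShare -ErrorAction SilentlyContinue | Where-Object Path)) {
    $candidate = Join-Path $share.Path $shareName
    if (Test-Path -LiteralPath $candidate) {
        $findings += [pscustomobject]@{ Type = 'Share'; Location = $candidate; Detail = $share.Name }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Sdbot-TE persistence artefacts found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Any hit on the registry values should be treated as a live infection indicator, since legitimate software does not register a "Syntax Script" autorun value.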
Sophos's anti-virus products include proactive protection technology, which can defend against new threats without requiring an update. Sophos customers have been protected against W32/Sdbot-TE (detected as W32/Sdbot-Fam) since version 3.89.