W32/Sdbot-UF is a worm with backdoor Trojan functionality.
W32/Sdbot-UF spreads to computers on the local network protected by weak passwords. W32/Sdbot-UF can spread to computers infected by the W32/MyDoom family of worms.
When first run, W32/Sdbot-UF copies itself to the Windows system folder as WINAMP1.EXE and runs this copy of the worm. In order to run each time a user logs on, W32/Sdbot-UF will set the following registry entries (value name = data):
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Microsoft System = winamp1.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Microsoft System = winamp1.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    Microsoft System = winamp1.exe
The worm runs continuously in the background, providing backdoor access to the infected computer over IRC channels.
The backdoor component can be used to:
Initiate distributed denial-of-service (DDoS) attacks.
Redirect TCP and SOCKS traffic.
Send emails as specified by the remote user.
Steal product keys from popular games.
Delete the C$, D$, IPC$ and ADMIN$ shares.
Port scan other computers.
Download and run executable files.
W32/Sdbot-UF can alter the following registry entry in order to enable/disable DCOM:
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM
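As an added example (not part of the Sophos description), a read-only PowerShell check that looks on a host for the indicators described above: the dropped file, the three autorun values, and the current EnableDCOM setting. It assumes the "Windows system folder" is System32 (SysWOW64 is also checked on 64-bit hosts) and only reports; it does not clean anything.

```powershell
# Added example, not Sophos's code: read-only check for the W32/Sdbot-UF
# indicators listed in the description. Assumption: "Windows system folder"
# means System32; SysWOW64 is checked too on 64-bit hosts. Reports only.
function Test-SdbotUFIndicators {
    $findings = @()

    # 1. Dropped file: WINAMP1.EXE in the system folder.
    $dirs = @([Environment]::GetFolderPath('System'))
    $wow  = Join-Path $env:SystemRoot 'SysWOW64'
    if (Test-Path -LiteralPath $wow) { $dirs += $wow }
    foreach ($d in $dirs) {
        $f = Join-Path $d 'winamp1.exe'
        if (Test-Path -LiteralPath $f) { $findings += "INDICATOR: file present: $f" }
    }

    # 2. Autorun value "Microsoft System" = winamp1.exe in the three keys the worm sets.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $prop = (Get-ItemProperty -LiteralPath $key).PSObject.Properties['Microsoft System']
        if ($null -ne $prop -and "$($prop.Value)" -match 'winamp1\.exe') {
            $findings += "INDICATOR: autorun entry: $key\Microsoft System = $($prop.Value)"
        }
    }

    # 3. DCOM switch the worm can flip; report the current state so an
    #    unexpected change stands out (a default install has this set to 'Y').
    $dcom = (Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Ole' `
             -ErrorAction SilentlyContinue).EnableDCOM
    $findings += "INFO: EnableDCOM currently: '$dcom'"

    return $findings
}

Test-SdbotUFIndicators | ForEach-Object { Write-Output $_ }
```

Run it in an elevated session if the HKLM keys are restricted on the host; lines prefixed INDICATOR are the ones that match the worm's footprint, INFO is context.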
Sophos's anti-virus products include proactive protection technology, which can defend against new threats without requiring an update. Sophos customers have been protected against W32/Sdbot-UF (detected as W32/Sdbot-Fam and W32/Sdbot-Gen) since version 3.88.