W32/Sdbot-WD is a network worm with backdoor functionality for the Windows platform.
W32/Sdbot-WD is capable of spreading to computers on the local network protected by weak passwords after receiving the appropriate backdoor command.
W32/Sdbot-WD will also attempt to spread by exploiting the following vulnerabilities:
DCOM (MS04-012)
LSASS (MS04-011)
Workstation service (MS03-049)
Microsoft SQL Server 2000 (pre service pack 3) (CAN-2003-1030)
Microsoft SQL servers with weak passwords
When first run, W32/Sdbot-WD moves itself to the Windows system folder as F1REWALLS.EXE. In order to run automatically each time a user logs on, W32/Sdbot-WD will set the following registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Compaq Drivers
F1rewalls.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Compaq Drivers
F1rewalls.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Compaq Drivers
F1rewalls.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Compaq Drivers
F1rewalls.exe
W32/Sdbot-WD will attempt to stealth itself by dropping and running a file named MSDIRECTX.SYS. This file runs as a service named "msdirectx" and is detected as Troj/NtRootK-F.
W32/Sdbot-WD will drop and open an HTML file named S.HTML to the C drive. When opened, this file will run remote JavaScript files that may attempt to download adware and other executable files.
W32/Sdbot-WD runs continuously in the background, providing backdoor access to the infected computer over IRC channels.
W32/Sdbot-WD will modify the following registry entries in order to disable DCOM and close restrictions on IPC$ shares:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
W32/Sdbot-WD will also set the following registry entries:
HKCU\SYSTEM\CurrentControlSet\Control\Lsa
Compaq Drivers
F1rewalls.exe
HKCU\Software\Microsoft\OLE
Compaq Drivers
F1rewalls.exe
W32/Sdbot-WD will attempt to disable the Windows Internet Connection Firewall, Automatic Updates and Security Center by modifying the following registry entries:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Start
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Start
HKLM\SYSTEM\CurrentControlSet\Services\wscsv\Start
W32/Sdbot-WD can add and delete network shares and users on the infected computer.
W32/Sdbot-WD may modify the HOSTS file found in the <Windows system folder>\driver\etc folder in order to deny access to certain anti-virus websites. For example,
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
W32/Sdbot-WD will attempt to terminate a large number of security and anti-virus related processes.