W32/Sdbot-WN is a worm with backdoor Trojan functionality.
W32/Sdbot-WN spreads to computers on the local network protected by weak passwords.
W32/Sdbot-WN is a worm with backdoor Trojan functionality.
W32/Sdbot-WN spreads to computers on the local network protected by weak passwords.
When first run, W32/Sdbot-WN copies itself to the Windows system folder as WINAMP62.EXE and runs this copy of the worm. In order to run each time a user logs on, W32/Sdbot-WN will set the following registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
WinAMP
winamp62.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
WinAMP
winamp62.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
WinAMP
winamp62.exe
The worm runs continuously in the background providing backdoor access to the infected computer over IRC channels.
The backdoor component can be used to:
Initiate distributed denial-of-service (DDoS) attacks.
Redirect TCP and SOCKS traffic.
Steal product keys from popular games.
Delete the C$, D$, IPC$ and ADMIN$ shares.
Port scan other computers.
Download and run executable files.
Send emails as specified by the remote user.
W32/Sdbot-WN can alter the following registry entry in order to enable/disable DCOM:
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM