W32/Sdbot-WX is a network worm with backdoor Trojan functionality for the Windows platform.
When first run, W32/Sdbot-WX copies itself to the Windows system folder as lsauth.exe and creates the following registry entries in order to run each time a user logs on:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Computing Technologie Firewall
"lsauth.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Computing Technologie Firewall
"lsauth.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Computing Technologie Firewall
"lsauth.exe"
The worm spreads through network shares protected by weak passwords, MS-SQL servers and through various operating system vulnerabilities.
W32/Sdbot-WX connects to a predetermined IRC channel and awaits further commands from remote users. The backdoor component of W32/Sdbot-WX can be instructed to perform the following functions:
scan networks for vulnerabilities
download/execute arbitrary files
start an ftp server
Patches for the vulnerabilities exploited by W32/Sdbot-WX can be obtained from Microsoft at:
http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx