W32/Sdbot-ZG is a network worm with backdoor Trojan functionality for the Windows platform.
When first run, W32/Sdbot-ZG copies itself to the Windows system folder as winDSL.exe and creates the following registry entries in order to run each time a user logs on:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Windows DLL Services Configuration
"winDSL.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Windows DLL Services Configuration
"winDSL.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Windows DLL Services Configuration
"winDSL.exe"
The worm spreads through network shares protected by weak passwords, MS-SQL servers and through various operating system vulnerabilities. When the worm spreads through networks, the filename botexe.exe is used. The botexe.exe file is a bundled EXE containing both W32/Sdbot-ZG and W32/Kelvir-AF.
W32/Sdbot-ZG connects to a predetermined IRC channel and awaits further commands from remote users. The backdoor component of W32/Sdbot-ZG can be instructed to perform the following functions:
scan networks for vulnerabilities
download/execute arbitrary files
start an ftp server
Patches for the vulnerabilities exploited by W32/Sdbot-ZG can be obtained from Microsoft at:
http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx
Sophos's anti-virus products include Genotype ™ detection technology, which can proactively protect against new threats without requiring an update. Sophos customers have been protected against W32/Sdbot-ZG (detected as W32/Sdbot-Fam) since version 3.92.