W32/Sdbot-ZR is a network worm with backdoor Trojan functionality for the Windows platform.
When first run, W32/Sdbot-ZR copies itself to the Windows system folder as newdll.exe and creates the following registry entries in order to run each time a user logs on:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Windows DLL Services Configuration
"newdll.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Windows DLL Services Configuration
"newdll.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Windows DLL Services Configuration
"newdll.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Windows DLL Services Configuration
"newdll.exe"
The worm spreads through network shares protected by weak passwords, MS-SQL servers and through various operating system vulnerabilities. Note that when spreading through networks, W32/Sdbot-ZR uses the filename botexe.exe. The botexe.exe file is a bundled file containing both the Sdbot components and W32/Kelvir-AP.
W32/Sdbot-ZR connects to a predetermined IRC channel and awaits further commands from remote users. The backdoor component of W32/Sdbot-ZR can be instructed to perform the following functions:
scan networks for vulnerabilities
download/execute arbitrary files
start an ftp server
Patches for the vulnerabilities exploited by W32/Sdbot-ZR can be obtained from Microsoft at:
MS02-039
MS04-011
MS04-012