W32/Sdbot-QH is a network worm with backdoor functionality for the Windows 2000 and Windows XP platforms.
W32/Sdbot-QH spreads to network shares with weak passwords and by exploiting the LSASS and DCOM security vulnerabilities as a result of the backdoor Trojan element receiving the appropriate command from a remote user through an IRC channel.
W32/Sdbot-QH is a network worm with backdoor functionality for the Windows 2000 and Windows XP platforms.
W32/Sdbot-QH spreads to network shares with weak passwords and by exploiting the LSASS and DCOM security vulnerabilities as a result of the backdoor Trojan element receiving the appropriate command from a remote user through an IRC channel.
When excuted W32/Sdbot-QH copies itself to the Windows system folder with the filename msfirewall.exe and, in order to run automatically when Windows starts up, sets the following registry entries with the path to the copy:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MS FIREWALL
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\MS FIREWALL
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MS FIREWALL
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\MS FIREWALL
As a part of its payload W32/Sdbot-QH attempts to delete network shares on the host computer and values of the following registry entries:
HKLM\SYSTEM\CurrentControlSet\Services\Share\Start
HKLM\SYSTEM\CurrentControlSet\Services\wuaus\Start
HKLM\SYSTEM\CurrentControlSet\Services\wscsv\Start
W32/Sdbot-QH drops a file called MSDIRECTX.SYS to the current folder which is detected as Troj/NtRootK-F.
W32/Sdbot-QH runs this file as a Kernel Driver called MSDIRECTX in order hide itself from certain monitoring programs, including Task Manager.