W32/SdBot-HP is a worm which attempts to spread to remote network shares. It
also contains backdoor Trojan functionality, allowing unauthorised remote access
to the infected computer via IRC channels while running in the background as a service process.
W32/SdBot-HP spreads to network shares with weak passwords as a result of
the backdoor Trojan element receiving the appropriate command from a remote
user.
W32/SdBot-HP may also spread by exploiting the vulnerability in the Microsoft RPC-DCOM
service, in the same way as W32/Blaster-A.
W32/SdBot-HP copies itself to the Windows system folder as INETMAN.EXE
and COOL.EXE and creates entries in the registry at the following locations to
run itself on system startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Microsoft System Checkup = "inetman.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft System Checkup = "inetman.exe"
W32/SdBot-HP also sets the following registry entry to run SYSLOG32.EXE on
system startup, although the worm will not explicitly drop a file of that name:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
NT Logging Service = "syslog32.exe"
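The following PowerShell script is an added example, not part of the original advisory, that checks a host for the persistence indicators listed above. The registry keys, value names, value data and dropped file names are taken from the advisory; the function name Test-SdBotHPIndicators and the use of the current system directory are assumptions for the example. SYSLOG32.EXE is checked only as a registry value, since the advisory states the worm does not drop a file of that name.

```powershell
# Added example (not from the advisory): look for W32/SdBot-HP persistence
# indicators. Paths, value names and file names come from the advisory text.

$indicators = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';         Name = 'Microsoft System Checkup'; Data = 'inetman.exe' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'; Name = 'Microsoft System Checkup'; Data = 'inetman.exe' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';         Name = 'NT Logging Service';       Data = 'syslog32.exe' }
)

# Files the advisory says are dropped into the Windows system folder
$droppedFiles = @('INETMAN.EXE', 'COOL.EXE')

function Test-SdBotHPIndicators {
    $findings = @()

    foreach ($i in $indicators) {
        # Missing key or value name: Get-ItemProperty errors, which we silence and treat as "absent"
        $entry = Get-ItemProperty -Path $i.Key -Name $i.Name -ErrorAction SilentlyContinue
        if ($null -ne $entry) {
            $data = [string]$entry.($i.Name)
            # Compare on the trailing file name so a quoted or path-prefixed value still matches
            if ($data.Trim('"') -ilike "*$($i.Data)") {
                $findings += "Registry: $($i.Key)\$($i.Name) = $data"
            }
        }
    }

    $sysDir = [Environment]::SystemDirectory
    foreach ($f in $droppedFiles) {
        $path = Join-Path $sysDir $f
        if (Test-Path -LiteralPath $path) {
            # Record a hash so the sample can be matched against vendor signatures later
            $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash
            $findings += "File: $path (SHA256 $hash)"
        }
    }

    return $findings
}

$results = @(Test-SdBotHPIndicators)
if ($results.Count -eq 0) {
    "No W32/SdBot-HP persistence indicators found."
} else {
    $results
}
```

Run it from an elevated PowerShell session, since reading HKLM and hashing files under the system folder may otherwise be denied. A match on the registry value alone is worth following up even when the file is missing, because the advisory notes the SYSLOG32.EXE entry is written without a corresponding file.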
W32/SdBot-HP attempts to terminate several processes related to antivirus and
system security including the following:
NETLOGIN32.EXE
SPHINX.EXE
CCAPP.EXE
NAVAPW32.EXE
NAVW32.EXE
CFGWIZ.EXE
NAVAPSVC.EXE
PANDA
NAVWNT.EXE
NISUM.EXE
NAVWNT.EXE
RAV7
WEBSCANX.EXE
WFINDV32.EXE
mspatch.exe
winppr32.exe
dllhost.exe
tftpd.exe
ACKWIN32.EXE
APVXDWIN.EXE
AVCONSOL.EXE
AVE32.EXE
AVGCTRL.EXE
AVKSERV.EXE
AVNT.EXE
AVPM.EXE
AVPTC32.EXE
F-PROT.EXE
F-AGNT95.EXE
FINDVIRU.EXE
FP-WIN.EXE
CLEANER.EXE
CLEANER3.EXE
DVP95.EXE
IBMASN.EXE
SERV95.EXE
SCRSCAN.EXE
SCANPM.EXE
penis32.exe
MPFTRAY.EXE
N32SCANW.EXE
CFIAUDIT.EXE
CFINET.EXE
CFIADMIN.EXE
AVWUPD32.EXE
AVPUPD.EXE
PAVW.EXE
PAVSCHED.EXE
PAVCL.EXE
VSCAN40.EXE
SCAN32.EXE
WUPDMGR.EXE
QCONSOLE.EXE
LUALL.EXE
MSBLAST.EXE
_AVP32.EXE
_AVPM.EXE
AVP32.EXE
AVPCC.EXE
AVPM.EXE
AVP.EXE
IFACE.EXE
AVSCHED32.EXE
ANTS.EXE
ANTI-TROJAN.EXE
IAMAPP.EXE
IAMSERV.EXE
FRW.EXE
BLACKICE.EXE
BLACKD.EXE
ZONEALARM.EXE
VSMON.EXE
WRCTRL.EXE
WRADMIN.EXE
WRCTRL.EXE
TCA.EXE
MOOLIVE.EXE
LOCKDOWN2000.EXE
VSHWIN32.EXE
VSECOMR.EXE
WEBSCANX.EXE
AVCONSOL.EXE
VSSTAT.EXE
ICLOAD95.EXE
ICMON.EXE
ICSUPP95.EXE
ICLOADNT.EXE
ICSUPPNT.EXE
ATUPDATER.EXE
AVWUPD32.EXE
AVPUPD.EXE
DRWEBUPW.EXE
NUPGRADE.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AVXQUAR.EXE
CFIAUDIT.EXE
MCUPDATE.EXE
NUPGRADE.EXE
OUTPOST.EXE
AVLTMAIN.EXE
ICSSUPPNT.EXE
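Because the worm terminates security software, the disappearance of one of the processes named above is itself a useful signal. The script below is an added example, not part of the original advisory: it reports which of the listed security processes are running on the host and then polls for any that stop. Only a subset of the advisory's list is embedded in $killList (a constructed selection; extend it with the remaining names as needed), and the function names and polling parameters are assumptions for the example.

```powershell
# Added example (not from the advisory): watch the security processes the worm
# is known to target and warn when one of them stops running.

# Subset of the advisory's termination list (constructed selection for the example)
$killList = @(
    'CCAPP.EXE', 'NAVAPW32.EXE', 'NAVAPSVC.EXE', 'ZONEALARM.EXE', 'VSMON.EXE',
    'BLACKICE.EXE', 'BLACKD.EXE', 'OUTPOST.EXE', 'AVP.EXE', 'MCUPDATE.EXE'
)

function Get-WatchedSecurityProcesses {
    # Get-Process reports names without the .exe extension, so strip it from the list
    $names = $killList | ForEach-Object { [IO.Path]::GetFileNameWithoutExtension($_) }
    # -contains is case-insensitive in PowerShell, so mixed-case names still match
    Get-Process | Where-Object { $names -contains $_.ProcessName } |
        Select-Object ProcessName, Id
}

function Watch-SecurityProcesses {
    param(
        [int]$IntervalSeconds = 30,   # assumed polling interval
        [int]$Rounds = 10             # assumed number of polls before returning
    )

    $baseline = @(Get-WatchedSecurityProcesses)
    if ($baseline.Count -eq 0) {
        return 'None of the listed security processes are running on this host.'
    }
    "Baseline: $($baseline.ProcessName -join ', ')"

    for ($r = 0; $r -lt $Rounds; $r++) {
        Start-Sleep -Seconds $IntervalSeconds
        $now = @(Get-WatchedSecurityProcesses)
        # A process is "gone" when its original PID is no longer present;
        # a restart under a new PID is still reported, which is the conservative choice
        $gone = $baseline | Where-Object { $now.Id -notcontains $_.Id }
        foreach ($p in $gone) {
            Write-Warning "$($p.ProcessName) (PID $($p.Id)) is no longer running"
        }
    }
}

Watch-SecurityProcesses
```

The poll loop is deliberately simple; on hosts where process-termination auditing is enabled, the same condition can be correlated with Security log events so the terminating process is recorded as well, which a Get-Process snapshot cannot show.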