Summary
| Field | Value |
|---|---|
| How it spreads | |
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 12 September 2005 13:42:13 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing worms.
More Information
W32/Sdbot-ACZ is a worm and IRC backdoor Trojan for the Windows platform.
W32/Sdbot-ACZ attempts to spread via network shares with weak passwords or by exploiting vulnerabilities including LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049), WINS (MS04-045) and MSSQL (MS02-039).
W32/Sdbot-ACZ runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
The worm may modify the system HOSTS file in order to prevent access to certain websites.
The worm drops a file detected as Troj/NtRootK-F.
When first run, W32/Sdbot-ACZ copies itself to <System>\plou.exe and creates the file msdirectx.sys.
The file msdirectx.sys is detected as Troj/NtRootK-F.
The following registry entries are created to run plou.exe on startup:
| Key | Value name | Data |
|---|---|---|
| HKCU\Software\Microsoft\Windows\CurrentVersion\Run | Windows Virus Control | plou.exe |
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Windows Virus Control | plou.exe |
| HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices | Windows Virus Control | plou.exe |
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices | Windows Virus Control | plou.exe |
W32/Sdbot-ACZ sets the following registry entries, disabling the automatic startup of other software:
| Key | Value name | Data |
|---|---|---|
| HKLM\SYSTEM\CurrentControlSet\Services\wuauserv | Start | 4 |
| HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess | Start | 4 |
Note: disabling autostart for the SharedAccess service deactivates the Microsoft Internet Connection Firewall (ICF). See: "To enable or disable Internet Connection Firewall" in the Microsoft Help and Support. The SharedAccess service is also responsible for Internet Connection Sharing (ICS).
Registry entries are set as follows:
| Key | Value name | Data |
|---|---|---|
| HKCU\SYSTEM\CurrentControlSet\Control\Lsa | Windows Virus Control | plou.exe |
| HKLM\SYSTEM\CurrentControlSet\Control\Lsa | Windows Virus Control | plou.exe |
| HKCU\Software\Microsoft\OLE | Windows Virus Control | plou.exe |
| HKLM\SOFTWARE\Microsoft\Ole | Windows Virus Control | plou.exe |
| HKLM\SOFTWARE\Microsoft\Ole | EnableDCOM | N |
| HKLM\SYSTEM\CurrentControlSet\Control\Lsa | restrictanonymous | 1 |
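An added triage example, not part of the Sophos advisory: it parses a regedit .reg export offline and flags the persistence and service-disabling values listed above, so a defender can check an exported hive without touching a live registry. The sample export, the suffix-based key matching and the function names are constructed for this example.

```python
import re

INDICATORS = [  # (key suffix, value name, data) from the advisory; matched case-insensitively
    (r"Windows\CurrentVersion\Run", "Windows Virus Control", "plou.exe"),
    (r"Windows\CurrentVersion\RunServices", "Windows Virus Control", "plou.exe"),
    (r"Services\wuauserv", "Start", 4),      # Automatic Updates set to Disabled
    (r"Services\SharedAccess", "Start", 4),  # ICF/ICS set to Disabled
    (r"Microsoft\Ole", "EnableDCOM", "N"),
    (r"Control\Lsa", "restrictanonymous", 1),
]
_KEY = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^"(.+?)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')

def parse_reg(text):
    """Return {key: {value_name.lower(): data}}; only REG_SZ and REG_DWORD values are read."""
    tree, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := _KEY.match(line):
            key = m.group(1)
            tree.setdefault(key, {})
        elif key is not None and (m := _VALUE.match(line)):
            name, as_str, as_dword = m.groups()
            tree[key][name.lower()] = as_str if as_dword is None else int(as_dword, 16)
    return tree

def find_sdbot_acz(text):
    """Return (key, value name, data) for each advisory indicator present in the export."""
    hits = []
    for key, values in parse_reg(text).items():
        for suffix, name, data in INDICATORS:
            if key.lower().endswith(suffix.lower()) and values.get(name.lower()) == data:
                hits.append((key, name, data))
    return hits

# Constructed sample export: a benign Run value, three indicators, one service left enabled
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Windows Virus Control"="plou.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
'''
```

Running `find_sdbot_acz(SAMPLE_EXPORT)` returns three hits (the Run value, wuauserv disabled, EnableDCOM=N); SharedAccess is not reported because its Start value is 2, not 4.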
