Sophos

W32/Sdbot-AGG

Summary

How it spreads:
  • Network shares
Affected operating systems: Windows
Characteristics:
  • Installs itself in the registry
Protection available since: 9 December 2005 04:55:02 (GMT)
Detected by: All Sophos products
  • Endpoint Security and Control 9.0
  • Small business solutions 4.0

More Information

W32/Sdbot-AGG is a worm and IRC backdoor Trojan for the Windows platform.

W32/Sdbot-AGG spreads to other network computers by exploiting common buffer overflow vulnerabilities, including WKS (MS03-049, CAN-2003-0812) and ASN.1 (MS04-007).

W32/Sdbot-AGG runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.


When first run, W32/Sdbot-AGG copies itself to <System>\clsass32.exe.

The following registry entries are created to run clsass32.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  Value name: Windows System32 Driver
  Value data: clsass32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Value name: Windows System32 Driver
  Value data: clsass32.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
  Value name: Windows System32 Driver
  Value data: clsass32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
  Value name: Windows System32 Driver
  Value data: clsass32.exe

Registry entries are set as follows:

HKCU\SYSTEM\CurrentControlSet\Control\Lsa
  Value name: Windows System32 Driver
  Value data: clsass32.exe

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
  Value name: Windows System32 Driver
  Value data: clsass32.exe

HKCU\Software\Microsoft\OLE
  Value name: Windows System32 Driver
  Value data: clsass32.exe

HKLM\SOFTWARE\Microsoft\Ole
  Value name: Windows System32 Driver
  Value data: clsass32.exe
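As an added defender-side example (not Sophos's code or tooling), the following Python scans the text of a `reg export` dump for the Run, RunServices, Lsa and OLE entries listed above, matching on key, value name and value data together so that an unrelated value under the same key is not flagged. The sample export, including the benign ExampleUpdater entry, is constructed for this example.

```python
import re

# Persistence keys named in the description; HKCU and HKLM variants share an entry.
SDBOT_AGG_KEYS = {
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runservices",
    r"system\currentcontrolset\control\lsa",
    r"software\microsoft\ole",
}
SDBOT_AGG_VALUE_NAME = "windows system32 driver"
SDBOT_AGG_FILE = "clsass32.exe"

# Constructed sample of a `reg export` dump; ExampleUpdater is a made-up benign entry.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows System32 Driver"="clsass32.exe"
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"

[HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa]
"Windows System32 Driver"="clsass32.exe"
"""


def find_sdbot_agg_persistence(reg_export: str):
    """Return (key, value name, data) for every string value in a .reg text dump whose
    key, name and data all match the W32/Sdbot-AGG entries (case-insensitive, as on Windows)."""
    hits = []
    current_key = None
    for line in reg_export.splitlines():
        line = line.strip()
        key_match = re.match(r"^\[(.+)\]$", line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = re.match(r'^"([^"]+)"="(.*)"$', line)
        if not (value_match and current_key):
            continue
        name, data = value_match.group(1), value_match.group(2).replace("\\\\", "\\")
        # Drop the hive (HKEY_LOCAL_MACHINE / HKEY_CURRENT_USER) before comparing.
        subkey = current_key.partition("\\")[2].lower()
        if (subkey in SDBOT_AGG_KEYS
                and name.lower() == SDBOT_AGG_VALUE_NAME
                and data.lower().endswith(SDBOT_AGG_FILE)):
            hits.append((current_key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_sdbot_agg_persistence(SAMPLE_EXPORT):
        print(f"W32/Sdbot-AGG persistence: [{key}] {name} = {data}")
```

A real `reg export` writes UTF-16 with a BOM, so decode the file before passing its text in; a match should be confirmed against the presence of <System>\clsass32.exe rather than treated as proof on its own.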

The following patches for the operating system vulnerabilities exploited by W32/Sdbot-AGG can be obtained from the Microsoft website:

MS03-049
MS04-007
