Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 12 December 2005 03:23:12 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Sdbot-AGJ is a network worm with backdoor Trojan functionality for the Windows platform.
When first run, W32/Sdbot-AGJ copies itself to:
\eminem vs 2pac.scr
\funny pic.scr
\photo album.scr
<System>\mssnt.exe
The following registry entries are created to run mssnt.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Windows MSNNT
mssnt.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Windows MSNNT
mssnt.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Windows MSNNT
mssnt.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Windows MSNNT
mssnt.exe
Registry entries are set as follows:
HKCU\SYSTEM\CurrentControlSet\Control\Lsa
Microsoft Windows MSNNT
mssnt.exe
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Microsoft Windows MSNNT
mssnt.exe
HKCU\Software\Microsoft\OLE
Microsoft Windows MSNNT
mssnt.exe
HKLM\SOFTWARE\Microsoft\Ole
Microsoft Windows MSNNT
mssnt.exe
The worm spreads through network shares protected by weak passwords, MS-SQL servers and through various operating system vulnerabilities including: LSASS (MS04-011), RPC-DCOM (MS04-012) and ASN.1 (MS04-007).
W32/Sdbot-AGJ connects to a predetermined IRC channel and awaits further commands from remote users.
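
The registry value and file name listed above can be checked on a host with a short read-only script. This is an added example, not Sophos code; it assumes that <System> means the Windows system folder, and the variable names are illustrative.

```powershell
# Read-only check for the W32/Sdbot-AGJ artefacts named in the advisory above.
$valueName = 'Microsoft Windows MSNNT'   # registry value name from the advisory
$fileName  = 'mssnt.exe'                 # dropped file name from the advisory

# Keys the advisory lists: the four autostart keys, then the Lsa and Ole keys.
$keys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\SYSTEM\CurrentControlSet\Control\Lsa',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
    'HKCU:\Software\Microsoft\OLE',
    'HKLM:\SOFTWARE\Microsoft\Ole'
)

$findings = @(foreach ($key in $keys) {
    # A missing key is normal (RunServices is absent on most systems); skip it.
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    # Registry value names are case-insensitive, and so is -contains.
    if ($item.GetValueNames() -contains $valueName) {
        [pscustomobject]@{ Type = 'RegistryValue'; Location = $key
                           Name = $valueName; Data = $item.GetValue($valueName) }
    }
})

# Assumption: <System> is the Windows system folder. A 32-bit process on
# 64-bit Windows is redirected to SysWOW64, so that folder is checked too.
$findings += @(foreach ($dir in 'System32', 'SysWOW64') {
    $path = Join-Path $env:windir (Join-Path $dir $fileName)
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        [pscustomobject]@{ Type = 'File'; Location = $path
                           Name = $fileName; Data = $hash }
    }
})

if ($findings.Count -eq 0) { 'No artefacts from the advisory were found.' }
else { $findings | Format-List }
```

Run it from a 64-bit PowerShell session so that the HKLM\SOFTWARE lookups are not redirected to WOW6432Node, and once per user profile for the HKCU keys.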
