Summary
| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 13 September 2007 19:01:31 (GMT) |
| Detected by | All Sophos products |

- Endpoint Security and Control 9.0
- Small business solutions 4.0
Action
Please follow the instructions for removing worms.
More Information
W32/Sdbot-DHS is a worm with backdoor functionality for the Windows platform.
W32/Sdbot-DHS spreads to other network computers by exploiting common buffer overflow vulnerabilities. The worm may also spread via network shares protected by weak passwords.
W32/Sdbot-DHS runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer.
W32/Sdbot-DHS includes functionality to access the internet and communicate with a remote server via HTTP.
When first run, W32/Sdbot-DHS copies itself to <System>\inetsrv\stacture.exe.
The following registry entries are created to run stacture.exe on startup:

| Key | Value name | Data |
|---|---|---|
| HKCU\Software\Microsoft\Windows\CurrentVersion\Run | Creates stractures for system management | <System>\inetsrv\stacture.exe |
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Creates stractures for system management | <System>\inetsrv\stacture.exe |
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices | Creates stractures for system management | <System>\inetsrv\stacture.exe |

The following registry entry is set, affecting internet security (it adds stacture.exe to the Windows Firewall list of authorized applications, so the backdoor's traffic is not blocked):

| Key | Value name | Data |
|---|---|---|
| HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | <System>\inetsrv\stacture.exe | <System>\inetsrv\stacture.exe:*:Enabled:Creates stractures for system management |
Registry entries are set as follows:

| Key | Value name | Data |
|---|---|---|
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | DisallowRun | 1 |

With DisallowRun enabled, Explorer refuses to launch the executables named under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun. The worm populates that key with the following values, all of which are processes belonging to anti-virus products:

| Value name | Data |
|---|---|
| Protected system files1 | avgupsvc.exe |
| Protected system files2 | avgamsvr.exe |
| Protected system files3 | avgcc.exe |
| Protected system files4 | nod32kui.exe |
| Protected system files5 | nod32krn.exe |
| Protected system files6 | ccSetMgr.exe |
| Protected system files7 | ccEvtMgr.exe |
| Protected system files8 | DefWatch.exe |
| Protected system files9 | SavRoam.exe |
| Protected system files10 | Rtvscan.exe |
| Protected system files11 | VPTray.exe |
| Protected system files12 | ccApp.exe |
| Protected system files13 | AluSchedulerSvc.exe |
| Protected system files14 | nod32.exe |
| Protected system files15 | nod32ra.exe |
| Protected system files16 | UpdaterUI.exe |
| Protected system files17 | tbmon.exe |
| Protected system files18 | Mcshield.exe |
| Protected system files19 | SHSTAT.exe |
| Protected system files20 | ashMaiSv.exe |
| Protected system files21 | ashServ.exe |
| Protected system files22 | ashWebSv.exe |
| Protected system files23 | aswUpdSv.exe |
| Protected system files24 | AVGUARD.exe |
| Protected system files25 | AVWUPSRV.exe |
| Protected system files26 | avscan.exe |
| Protected system files27 | guardgui.exe |
| Protected system files28 | VxMon.exe |
| Protected system files29 | AVGNT.exe |
| Protected system files30 | avgemc.exe |
| Protected system files31 | avp.exe |
| Protected system files32 | avp.com |

| Key | Value name | Data |
|---|---|---|
| HKLM\SOFTWARE\Microsoft\Ole | EnableDCOM | N |
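As an added example (not part of the Sophos analysis), the following Python script checks an offline registry export in the format produced by reg export for the changes listed above: the Run/RunServices autorun entries, the DisallowRun policy and its blocked-process list, the firewall exception and the EnableDCOM change. The sample export is constructed for illustration; during triage you would feed it an export collected from the suspect host.

```python
# Constructed `reg export`-style sample (not from a real host), mirroring the entries this advisory documents.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creates stractures for system management"="C:\\WINDOWS\\system32\\inetsrv\\stacture.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisallowRun"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"Protected system files1"="avgupsvc.exe"
"Protected system files2"="nod32krn.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\inetsrv\\stacture.exe"="C:\\WINDOWS\\system32\\inetsrv\\stacture.exe:*:Enabled:Creates stractures for system management"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
'''

def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: data}} (REG_SZ and REG_DWORD only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            name, _, data = line[1:].partition('"=')
            if data.startswith("dword:"):
                data = int(data[6:], 16)
            else:
                data = data.strip('"').replace("\\\\", "\\")  # undo .reg backslash escaping
            keys[current][name] = data
    return keys

def find_indicators(keys):
    """Return (kind, key, value_name, data) tuples for the registry changes this worm makes."""
    hits = []
    for path, values in keys.items():
        if path.endswith(("\\CurrentVersion\\Run", "\\CurrentVersion\\RunServices")):
            hits += [("autorun", path, n, d) for n, d in values.items()
                     if "stacture.exe" in str(d).lower()]
        if path.endswith("\\Policies\\Explorer") and values.get("DisallowRun") == 1:
            hits.append(("disallowrun_enabled", path, "DisallowRun", 1))
        if path.endswith("\\Policies\\Explorer\\DisallowRun"):  # executables Explorer refuses to launch
            hits += [("disallowrun_entry", path, n, d) for n, d in values.items()]
        if path.endswith("\\AuthorizedApplications\\List"):
            hits += [("firewall_exception", path, n, d) for n, d in values.items()
                     if ":*:Enabled:" in str(d) and "stacture.exe" in n.lower()]
        if path.endswith("\\Microsoft\\Ole") and values.get("EnableDCOM") == "N":
            hits.append(("dcom_disabled", path, "EnableDCOM", "N"))
    return hits
```

Any DisallowRun entry is reported regardless of the process name, since a policy that blocks security-product executables is suspicious on its own.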
