Summary
| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 7 February 2008 21:34:49 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing worms.
More Information
W32/Sdbot-DJZ is a worm with IRC backdoor functionality for the Windows platform.
W32/Sdbot-DJZ spreads to other network computers via network shares protected by weak passwords and via MSN Messenger.
W32/Sdbot-DJZ includes functionality to:
- spread via MSN Instant Messenger by sending messages automatically
- download and execute files from a remote location
- steal stored passwords
- terminate and disable various anti-virus and security related programs
- modify the HOSTS file located at %SYSTEM%\Drivers\etc\HOSTS, mapping selected anti-virus websites to the loopback address 127.0.0.1 in an attempt to prevent access to these sites
The worm may arrive via MSN with one of the following messages:
- Did you see this picture, it's hilarious!!!!!
- Have I shown you this new picture of my cat :)
- Hey, check out this great photo from my trip to England!
If the user clicks on the link, a popup box appears:
Windows Microsoft Viewer
Picture can not be displayed.
W32/Sdbot-DJZ runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
When first run, W32/Sdbot-DJZ copies itself to <Windows>\wkssvc.exe.
The following registry entry is created to run wkssvc.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Console
wkssvc.exe
The following registry entry is also set:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
DoNotAllowExceptions
0
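The persistence, firewall and HOSTS changes listed above can be checked read-only with the following PowerShell triage script. It is an added example, not a Sophos tool, and assumes it runs with administrator rights on the Windows host being examined.

```powershell
# Read-only triage for the W32/Sdbot-DJZ indicators described on this page.
# Reports findings only; it removes nothing. Run as administrator.
$findings = @()

# 1. Run key value "Windows Console" pointing at wkssvc.exe
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Windows Console']) {
    $val = $run.'Windows Console'
    if ($val -match 'wkssvc\.exe') {
        $findings += "Run key value 'Windows Console' = $val"
    }
}

# 2. Dropped copy at <Windows>\wkssvc.exe (hash it for the incident record)
$dropped = Join-Path $env:SystemRoot 'wkssvc.exe'
if (Test-Path -LiteralPath $dropped) {
    $hash = (Get-FileHash -LiteralPath $dropped -Algorithm SHA256).Hash
    $findings += "File present: $dropped (SHA256 $hash)"
}

# 3. Firewall StandardProfile DoNotAllowExceptions = 0.
#    0 ("Don't allow exceptions" unchecked) is also a common default,
#    so treat this as corroborating evidence only, not proof on its own.
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
$fw = Get-ItemProperty -Path $fwKey -Name DoNotAllowExceptions -ErrorAction SilentlyContinue
if ($fw -and $fw.DoNotAllowExceptions -eq 0) {
    $findings += 'Firewall StandardProfile DoNotAllowExceptions = 0 (exceptions allowed)'
}

# 4. HOSTS entries that map names other than localhost to 127.0.0.1
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
if (Test-Path -LiteralPath $hosts) {
    foreach ($raw in Get-Content -LiteralPath $hosts) {
        $line = ($raw -split '#')[0].Trim()          # drop comments
        if ($line -match '^127\.0\.0\.1\s+(\S+)' -and $Matches[1] -ne 'localhost') {
            $findings += "HOSTS maps $($Matches[1]) to 127.0.0.1"
        }
    }
}

if ($findings.Count -eq 0) { 'No W32/Sdbot-DJZ indicators found.' } else { $findings }
```

A HOSTS hit for a security vendor's domain together with the Run key entry is the strong combination; a lone DoNotAllowExceptions = 0 is not.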

