Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Included in our products from | May 2008 (4.29) |
| Protection available since | 26 March 2008 07:00:10 (GMT) |
| Detected by | All Sophos products |

Action

Please follow the instructions for removing worms.
More Information
W32/Sdbot-DKG is a worm for the Windows platform.
When run, W32/Sdbot-DKG copies itself to:
<System>\Sexy Girls.scr
<Windows>\inf\smss.exe
<Documents and Settings>\<User>\Application Data\smss.exe
W32/Sdbot-DKG also attempts to traverse folders and to copy itself into each folder as <Folder Name>.exe.
W32/Sdbot-DKG sets the following registry entries to run itself on startup:

| Registry key | Value name | Data |
|---|---|---|
| HKCU\Software\Microsoft\Windows\CurrentVersion\Run | NT_Authority | <Documents and Settings>\<User>\Application Data\smss.exe |
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | FrameWorkService | <Windows>\Inf\smss.exe I'm so ugly, I hate myself and I want to die |

The following registry entries are set:

| Registry key | Value name | Data |
|---|---|---|
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | DisallowRun | 1 |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun | 1 | cmd.exe |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun | 2 | mmc.exe |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun | 3 | rstrui.exe |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun | 4 | regedit.exe |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun | 5 | regedt32.exe |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | NoFind | 1 |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | NoFolderOptions | 1 |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | NoRun | 1 |
