Sophos

W32/Sdbot-GL

Aliases
  • Backdoor.SdBot.gen
Category
Type
What to do
Prevalence low high

Summary

 
Protection available since 12 March 2004 11:08:36 (GMT)
Detected by All Sophos products
Download Free virus scan
Download the Threat Detection Test
  • Free virus, spyware, and adware scan
  • Test your existing anti-virus protection
  • Find threats your anti-virus missed

Action

Please follow the instructions for removing worms.

Check your administrator passwords and review network security.

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Win Patch
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Win Patch
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Win Patch

and delete them if they exist.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entries:

HKU\[code number]\Software\Microsoft\Windows\
CurrentVersion\Run\Win Patch

HKU\[code number]\Software\Microsoft\Windows\
CurrentVersion\RunOnce\Win Patch

and delete them if they exist.

Close the registry editor and reboot your computer.

More Information

W32/Sdbot-GL is a backdoor Trojan and network aware worm which runs in the background as a service process and allows unauthorised remote access to the computer via IRC channels.

W32/Sdbot-GL copies itself to the Windows system folder as patch.exe and creates the following registry entries so that the Trojan is run when a user logs on to Windows:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Win Patch
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Win Patch
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Win Patch
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Win Patch
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Win Patch

W32/Sdbot-GL remains resident, listening for commands from remote users. If the appropriate commands are received the Worm will begin scanning the internet for network shares with weak administrator passwords and will attempt to copy itself to these shares.

RSS|Atom
Get reports about the latest virus and spyware threats delivered to your computer