W32/Sdbot-KY

Please follow the instructions for removing worms.

Check your administrator passwords and review network security.

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update = "wumgrd.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Update = "wumgrd.exe"

and delete them if they exist.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:

HKU\[code number]\Software\Microsoft\Windows\
CurrentVersion\Run\Microsoft Update = "wumgrd.exe"

and delete it if it exists.

Close the registry editor and reboot your computer.

W32/SdBot-KY is a worm with an IRC backdoor.

In order to run automatically when Windows starts up the worm copies
itself to the file wumgrd.exe in the Windows system folder and adds the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update = "wumgrd.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Microsoft Update = "wumgrd.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Update = "wumgrd.exe"

The worm attempts top copy itself to the Windows system folder on weakly protected network shares.

W32/SdBot-KY has a backdoor component that allows a malicious user to
remotely control an infected system