high
Summary
Summary
Action- More Information
| Affected operating systems | Windows |
|---|---|
| Protection available since | 19 March 2004 12:20:51 (GMT) |
| Last updated | 3 October 2005 09:53:21 (GMT) |
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
Check your administrator passwords and review network security.
You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\KTAX Auto Loader
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
KTAX Auto Loader
and delete them if they exist.
Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:
HKU\[code number]\Software\Microsoft\Windows\
CurrentVersion\Run\KTAX Auto Loader
and delete it if it exists.
Close the registry editor and reboot your computer.
More Information
W32/SdBot-MZ is a worm which spreads via network shares and existing backdoors.
The worm includes a backdoor which allows a remote attacker to control certain functions via IRC. Functions controllable by the attacker include spreading to network shares with weak passwords, spreading using the backdoor opened by W32/MyDoom-A and launching distributed denial-of-service attacks. When spreading to shares the worm uses the filename msgfix.exe. W32/SdBot-MZ is a worm which spreads via network shares and existing backdoors.
When run the worm copies itself to the file ktax.exe in the Windows system folder and ensure the file is run each time Windows starts by adding the following registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\KTAX Auto Loader
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\KTAX Auto Loader
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
KTAX Auto Loader
The worm includes a backdoor which allows a remote attacker to control certain functions via IRC. Functions controllable by the attacker include spreading to network shares with weak passwords, spreading using the backdoor opened by W32/MyDoom-A and launching distributed denial-of-service attacks. When spreading to shares the worm uses the filename msgfix.exe.
|
