W32/Sdbot-ON

Please follow the instructions for removing worms.

You will also need to edit the following registry entries, if present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
ICQ = syscdd2.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
ICQ = syscdd2.exe

and delete them if they exist.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:

HKCU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\
ICQ = syscdd2.exe

and delete it if it exists.

Close the registry editor.

W32/Sdbot-ON is an IRC backdoor that can spread via IPC shares protected by weak passwords.

In order to run automatically when Windows starts up the worm copies itself to the file syscdd2.exe in the Windows system folder and adds the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ICQ = syscdd2.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ICQ = syscdd2.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\ICQ = syscdd2.exe

W32/Sdbot-ON connects to an IRC server specified by the author and joins a channel from which it will receive further commands. These commands can start any of the following actions:

HTTP server
sock4 proxy server
UDP, SYN or PING flooding
TCP redirection
download files
execute arbitrary commands
spread via weakly-protected IPC shares