W32/Sdbot-PK

Please follow the instructions for removing worms.

Check your administrator passwords and review network security.

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MS FIREWALL
HKLM\Software\Microsoft\Windows\CurrentVersion\Run Services\MS FIREWALL

and remove any reference to any file you deleted.

Close the registry editor.

W32/Sdbot-PK is a member of the W32/Sdbot family of internet worms that spread by scanning for and exploiting known vulnerabilities and weakly protected accounts.

The worm connects to a remote IRC server and enables a malicious user to remotely control an infected machine.

W32/Sdbot-PK drops Troj/NtRootK-F as the file msdirectx.sys which it employs to hide its process. W32/Sdbot-PK is a member of the W32/Sdbot family of internet worms that spread by scanning for and exploiting known vulnerabilities and weakly protected accounts.

In order to be started automatically when Windows boots up the worm copies itself as the file msfrewall.exe into the Windows system folder and sets the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MS FIREWALL
HKLM\Software\Microsoft\Windows\CurrentVersion\Run Services\MS FIREWALL
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MS FIREWALL
HKLM\Software\Microsoft\Ole\MS FIREWALL

The worm connects to a remote IRC server and enables a malicious user to remotely control an infected computer.

W32/Sdbot-PK drops Troj/NtRootK-F as the file msdirectx.sys which it employs to hide its process.