Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Protection available since | 17 October 2004 15:09:11 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing worms.
More Information
W32/Sdbot-QK is a network worm with backdoor Trojan functionality.
W32/Sdbot-QK is capable of spreading to computers on the local network protected by weak passwords after receiving the appropriate backdoor command.
W32/Sdbot-QK may also spread by exploiting the backdoor on computers infected by members of the W32/MyDoom family of worms.
When first run, W32/Sdbot-QK copies itself to the Windows system folder as WINHELPER32.EXE and runs this copy of itself. In order to run each time Windows is started, W32/Sdbot-QK creates the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Help File = winhelper32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Windows Help File = winhelper32.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Help File = winhelper32.exe
The worm runs continuously in the background providing backdoor access to the infected computer.
The backdoor component of W32/Sdbot-QK can be used to carry out the following functions:
- Initiate distributed denial-of-service (DDOS) attacks
- Redirect TCP and SOCKS4 traffic
- Download and execute files
- Open and close vulnerabilities
- Send emails as specified by the remote user
W32/Sdbot-QK may delete the C$, D$, IPC$ and ADMIN$ network shares.
W32/Sdbot-QK may be used to steal registration and key details from several computer games including:
Counter-Strike, Half-Life, Unreal Tournament 2003, IGI 2: Covert Strike, Battlefield 1942, Battlefield 1942 (Road To Rome), Command and Conquer: Generals, Need For Speed Hot Pursuit 2, FIFA 2003, Rainbow Six III RavenShield, Soldier of Fortune II - Double Helix, Neverwinter Nights
W32/Sdbot-QK may alter the following registry entry in order to enable/disable DCOM:
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM
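The following Python script is an added example, not part of the Sophos write-up and not a Sophos tool. It checks an exported registry file (the text regedit produces with its export function; decode the UTF-16 export to text before feeding it in) for the persistence entries listed above and reports the current EnableDCOM setting for review. The three autostart keys, the "Windows Help File" value name, the winhelper32.exe filename and the Ole\EnableDCOM value come from the write-up; the sample export, the benign entries in it and the generalisation to any autostart value that points at winhelper32.exe (whatever the value is named) are assumptions made for the example.

```python
"""Scan an exported Windows registry file (.reg text) for the
persistence and DCOM indicators described for W32/Sdbot-QK."""
import re
from typing import Dict, List, Tuple

# Abbreviated hive names used in the write-up, mapped to the long
# form that regedit writes into .reg exports.
HIVES = {
    "HKLM": "HKEY_LOCAL_MACHINE",
    "HKCU": "HKEY_CURRENT_USER",
}

# Autostart locations the worm writes (taken from the write-up).
RUN_KEYS = [
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
]
DCOM_KEY = r"HKLM\SOFTWARE\Microsoft\Ole"   # the EnableDCOM value lives here
MALICIOUS_VALUE_NAME = "windows help file"    # value name the worm creates
MALICIOUS_FILE = "winhelper32.exe"            # file the worm drops


def expand_hive(key: str) -> str:
    """Turn 'HKLM\\...' into 'hkey_local_machine\\...' (lower-cased for comparison)."""
    hive, _, rest = key.partition("\\")
    return (HIVES.get(hive.upper(), hive) + "\\" + rest).lower()


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for regedit's .reg format: [key] sections followed by
    "name"="string" or "name"=dword:xxxxxxxx lines.
    Returns {lower-cased key: {lower-cased value name: raw data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = re.match(r'^(?:"([^"]*)"|@)=(.*)$', line)
        if not m:
            continue
        name = (m.group(1) or "@").lower()
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1]  # string value: strip the surrounding quotes
        keys[current][name] = data
    return keys


def scan_reg_export(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value name, reason) for every indicator found."""
    keys = parse_reg_export(text)
    findings: List[Tuple[str, str, str]] = []
    for run_key in RUN_KEYS:
        for name, data in keys.get(expand_hive(run_key), {}).items():
            if name == MALICIOUS_VALUE_NAME:
                # The exact value name the write-up lists.
                findings.append((run_key, name, "value name used by W32/Sdbot-QK"))
            elif MALICIOUS_FILE in data.lower():
                # Assumed generalisation: any autostart entry that launches
                # the dropped file, even under a different value name.
                findings.append((run_key, name, "autostart entry runs winhelper32.exe"))
    dcom = keys.get(expand_hive(DCOM_KEY), {}).get("enabledcom")
    if dcom is not None:
        # The worm may flip this either way, so report it rather than judge it.
        findings.append((DCOM_KEY, "EnableDCOM", f"review DCOM setting (currently {dcom})"))
    return findings


# Constructed sample export (not from a real infected host).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"Windows Help File"="winhelper32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\WINDOWS\\system32\\winhelper32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
"""

if __name__ == "__main__":
    for key, name, reason in scan_reg_export(SAMPLE_EXPORT):
        print(f"{key}\\{name}: {reason}")
```

The scan only reads an export, so it can be run against files collected from many hosts without touching the live registry; a hit on the value name or the dropped filename is the trigger to follow the worm-removal instructions in the Action section, while the EnableDCOM line is informational because the write-up states the worm may set it either way.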
