high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Characteristics |
|
| Protection available since | 26 October 2004 09:12:51 (GMT) |
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
More Information
W32/Sdbot-QN is a network worm and IRC backdoor Trojan.
W32/Sdbot-QN spreads through network shares protected by weak passwords and through backdoors left open by other Trojans.
When first run, W32/Sdbot-QN copies itself to the Windows system folder as mxxcva.exe and runs this copy of the worm. In order to run each time Windows is started, W32/Sdbot-QN will set the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
sdfwfq = mxxcva.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
sdfwfq = mxxcva.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
sdfwfq = mxxcva.exe
The worm runs continuously in the background providing backdoor access to the infected computer over IRC channels.
The backdoor component of W32/Sdbot-QN can be used to:
Initiate distributed denial-of-service (DDOS) attacks.
Redirect TCP and SOCKS4 traffic.
Download and execute files.
Open and close vulnerabilities.
Send emails as specified by the remote user.
W32/Sdbot-QN may delete the C$, D$, IPC$ and ADMIN$ network shares.
W32/Sdbot-QN may alter the following registry entry in order to enable/disable DCOM.
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM
|
