high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Protection available since | 8 November 2004 13:50:07 (GMT) |
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
More Information
W32/Sdbot-RA is a network worm and IRC backdoor Trojan for the Windows platform.
When first run W32/Sdbot-RA copies itself to the Windows system folder with the name feqfevhj.exe. In order to run on system start the worm creates the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
hpDexmark = feqfevhj.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
hpDexmark = feqfevhj.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
hpDexmark = feqfevhj.ex
W32/Sdbot-RA spreads through network shares protected by weak passwords. The worm uses the filename Fixmev2.exe when spreading through the network.
The backdoor component joins an IRC channel and awaits instructions from a remote user. The backdoor component can then be instructed to:
collect file system information
start a keylogger
download and execute arbitrary files
route HTTP traffic
start a port scanner
take part in distributed denial of service (DDoS) attacks
Sophos's anti-virus products include proactive protection technology, which can defend against new threats without requiring an update. Sophos customers have been protected against W32/Sdbot-RA (detected as W32/Sdbot-Fam) since version 3.85.
|
