high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Characteristics |
|
| Protection available since | 26 November 2004 08:49:46 (GMT) |
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
More Information
W32/Sdbot-RQ is a member of the W32/Sdbot family of worms. It is a network worm and IRC backdoor Trojan for the Windows platform.
The worm can spread to ADMIN$ and C$ network shares with weak usernames and
passwords, and spreads over a network as a file named krisp.exe.
When first run W32/Sdbot-RQ copies itself to the Windows system folder with the name krisp.exe. In order to run on system start the worm creates the following registry entries:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Document
krisp.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Document
krisp.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Document
krisp.exe
W32/SdBot-RQ connects to an IRC server and joins a particular channel from which an attacker can issue further commands. These commands can cause the infected machine to perform any of the following actions:
Download files
Execute arbitrary commands
Start a SOCKS4 proxy server
Steal product keys
Redirect TCP connections
Delete network shares
The worm may also commanded to attempt to disable DCOM by setting the following registry entry:
HKLM\Software\Microsoft\OLE
EnableDCOM
N
|
