W32/Sdbot-RT

Please follow the instructions for removing worms.

Check your administrator passwords and review network security.

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

and remove any reference to any file you deleted.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:

HKU\[code number]\Software\Microsoft\Windows\
CurrentVersion\Run\

and remove any reference to any file you deleted.

Close the registry editor.

W32/Sdbot-RT is a network worm and IRC backdoor Trojan for the Windows platform. When first run, the worm copies itself to the Windows system folder with the filename gggasw.exe. In order to run when a user logs on, W32/Sdbot-RT creates the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
bdfger
<Windows system folder>\gggasw.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
bdfger
<Windows system folder>\gggasw.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
bdfger
<Windows system folder>\gggasw.exe

W32/Sdbot-RT spreads through network shares protected by weak passwords. When spreading through the network the filename Oosmn.exe is used. Oosmn.exe is a self-extracting archive which contains W32/Sdbot-RT and Troj/Ranck-AE.

The worm joins a predefined IRC channel and awaits further commands from a remote user.