W32/Sdbot-SG

Please follow the instructions for removing worms.

Check your administrator passwords and review network security.

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

and remove any reference to any file you deleted.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:

HKU\[code number]\Software\Microsoft\Windows\
CurrentVersion\Run\

and remove any reference to any file you deleted.

Close the registry editor.

W32/Sdbot-SG is a worm with backdoor Trojan functionality.

W32/Sdbot-SG is capable of spreading to computers on the local network protected by weak passwords after receiving the appropriate backdoor command. W32/Sdbot-SG is a worm with backdoor Trojan functionality.

W32/Sdbot-SG is capable of spreading to computers on the local network protected by weak passwords after receiving the appropriate backdoor command.

When first run, W32/Sdbot-SG copies itself to the Windows system folder as DQDDSS.EXE and runs this copy of the worm. In order to run each time a user logs on, W32/Sdbot-SG will set the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ffeqfqs
dqddss.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
ffeqfqs
dqddss.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ffeqfqs
dqddss.exe

The worm runs continuously in the background providing backdoor access to the infected computer.