Sophos

W32/Sdbot-TB


Summary

How it spreads
  • Chat programs
Affected operating systems
  • Windows
Characteristics
  • Installs itself in the registry
Protection available since 7 January 2005 13:26:41 (GMT)
Detected by All Sophos products
  • Endpoint Security and Control 9.0
  • Small business solutions 4.0

More Information

W32/Sdbot-TB is a Windows network worm that contains backdoor functions that allow unauthorised remote access to the infected computer via IRC channels.

Once installed, W32/Sdbot-TB is able to setup an HTTP proxy server, participate in denial-of-service (DoS) attacks, steal computer information and log keystrokes to the file keys.txt in the Windows System folder when instructed to do so by a remote attacker.

The worm also tries to spread using DCC file transfers over IRC channels.

When run, the worm copies itself to the Windows System folder as wupdated.exe. On Windows NT-based operating systems, W32/Sdbot-TB creates its own service named "Wupdated" with the display name "Windows Update Service" and creates the following registry entries so that it runs at computer logon:

HKLM\SYSTEM\CurrentControlSet\Services\Wupdated\Security

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WUPDATED

W32/Sdbot-TB also attempts to spread to remote networks protected by weak passwords, copying itself there as wupdated.exe.

The worm also tries to spread using DCC file transfers over IRC channels, sending messages with the following characteristics. The message text can be any of the following:

dude, chk out this new AdminMOD exploit, it gives you admin
privs on any server running AM, plz dont give it out tho, thnx

i just caught this guy cheating with the Cheat Scanner in the
CAL Demo Viewer, chk it out

omfg this is so cool! i just caught this guy cheating with
this cal demoviewer or whatever its called, here's a copy of it

Here is the new CAL Demo Viewer, it includes: Cheat Scanner,
3rd Person Viewer, Rotational Image Scan, and lots more

W32/Sdbot-TB then attaches itself to the message as any of the following filenames:

AdminMOD-ExploitHack.exe
cheater-caught.pif
CAL-DemoViewer.exe
Setup.exe
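A small defensive check built from the indicators listed above, added here as an example rather than anything from the Sophos page. The host inventory and IRC DCC offers it scans are constructed sample data, and the lower-confidence display-name test and the separate handling of the generic Setup.exe name are my own assumptions about how to weight the indicators.

```python
# Indicators quoted from the Sophos description of W32/Sdbot-TB; matched case-insensitively.
DROPPED_FILE = "wupdated.exe"
SERVICE_NAME = "wupdated"
DISPLAY_NAME = "windows update service"
REGISTRY_KEYS = {r"hklm\system\currentcontrolset\services\wupdated\security",
                 r"hklm\system\currentcontrolset\enum\root\legacy_wupdated"}
LURE_FILES = {"adminmod-exploithack.exe", "cheater-caught.pif", "cal-demoviewer.exe"}
GENERIC_FILES = {"setup.exe"}  # listed by Sophos, but too common to flag on its own (assumption)
LURE_PHRASES = ("adminmod exploit", "cheat scanner", "cal demo viewer", "cal demoviewer")

def check_service(svc):
    """svc: dict with keys name, display, path. Returns a finding string or None."""
    if svc["name"].lower() == SERVICE_NAME or svc["path"].lower().endswith(DROPPED_FILE):
        return f"service {svc['name']!r} runs {svc['path']}"
    if svc["display"].lower() == DISPLAY_NAME:  # assumption: name-only match, lower confidence
        return f"service {svc['name']!r} uses display name {svc['display']!r}"
    return None

def check_registry(key):
    return key.lower() in REGISTRY_KEYS

def check_dcc_offer(message, filename):
    """Flag a DCC file offer when the filename is one of the worm's distinctive
    names, or when a generic name arrives together with one of its lure texts."""
    fn = filename.lower()
    lured = any(p in message.lower() for p in LURE_PHRASES)
    return fn in LURE_FILES or (fn in GENERIC_FILES and lured)

def scan(inventory):
    """inventory: {'services': [dict], 'registry': [str], 'dcc': [(message, filename)]}"""
    findings = [f for f in map(check_service, inventory["services"]) if f]
    findings += [f"registry key {k}" for k in inventory["registry"] if check_registry(k)]
    findings += [f"dcc offer {fn}" for msg, fn in inventory["dcc"] if check_dcc_offer(msg, fn)]
    return findings

# Constructed sample data standing in for a host inventory and an IRC log; not from a real host.
SAMPLE_INVENTORY = {
    "services": [
        {"name": "Wupdated", "display": "Windows Update Service", "path": r"C:\WINDOWS\system32\wupdated.exe"},
        {"name": "Spooler", "display": "Print Spooler", "path": r"C:\WINDOWS\system32\spoolsv.exe"},
    ],
    "registry": [r"HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WUPDATED",
                 r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler\Security"],
    "dcc": [
        ("dude, chk out this new AdminMOD exploit, it gives you admin privs", "AdminMOD-ExploitHack.exe"),
        ("Here is the new CAL Demo Viewer, it includes: Cheat Scanner", "Setup.exe"),
        ("here is the installer you asked for", "Setup.exe"),
    ],
}
```

Running `scan(SAMPLE_INVENTORY)` on the constructed data yields four findings: the Wupdated service, the LEGACY_WUPDATED key, and the two lured DCC offers; the plain Setup.exe offer without lure text is left alone.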
