Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Protection available since | 16 March 2005 18:11:37 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Sdbot-VY is a network worm with backdoor functionality for the Windows platform.
W32/Sdbot-VY spreads to computers on the local network protected by weak passwords. W32/Sdbot-VY can also spread to computers infected by the W32/MyDoom family of worms.
When first run, W32/Sdbot-VY copies itself to the Windows system folder as PINGCHEK.EXE and runs this copy of the worm. To run each time a user logs on, W32/Sdbot-VY sets the following registry entries:

| Registry key | Value name | Data |
|---|---|---|
| HKCU\Software\Microsoft\Windows\CurrentVersion\Run | PingTimeout Institution | pingchek.exe |
| HKLM\Software\Microsoft\Windows\CurrentVersion\Run | PingTimeout Institution | pingchek.exe |
| HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices | PingTimeout Institution | pingchek.exe |

The worm runs continuously in the background providing backdoor access to the infected computer over IRC channels.
The backdoor component can be used to:
- Initiate distributed denial-of-service (DDOS) attacks.
- Redirect TCP and SOCKS traffic.
- Send emails as specified by the remote user.
- Steal product keys from popular games.
- Delete the C$, D$, IPC$ and ADMIN$ shares.
- Port scan other computers.
- Download and run executable files.
W32/Sdbot-VY can alter the following registry entry to enable or disable DCOM:

HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM
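
A host check for the indicators listed above, as an added PowerShell example (not Sophos code and not a removal tool): it searches the three Run keys for the value name or file name, looks for the dropped copy in the Windows system folder, and reports the current EnableDCOM setting for comparison with your baseline. The function name `Find-SdbotVYIndicator` is hypothetical.

```powershell
# Indicators taken from the description above.
$ValueName = 'PingTimeout Institution'
$FileName  = 'pingchek.exe'
$RunKeys   = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)

function Find-SdbotVYIndicator {   # hypothetical helper name
    $findings = @()

    foreach ($key in $RunKeys) {
        # RunServices does not exist on many systems; skip missing keys.
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $regKey = Get-Item -LiteralPath $key
        foreach ($name in $regKey.GetValueNames()) {
            $data = [string]$regKey.GetValue($name)
            # Match on either the value name or the file name (case-insensitive).
            if ($name -eq $ValueName -or $data -like "*$FileName*") {
                $findings += [pscustomobject]@{
                    Type = 'RunEntry'; Location = $key; Name = $name; Data = $data }
            }
        }
    }

    # Copy of the worm in the Windows system folder.
    $dropped = Join-Path ([Environment]::SystemDirectory) $FileName
    if (Test-Path -LiteralPath $dropped) {
        $file = Get-Item -LiteralPath $dropped -Force
        $findings += [pscustomobject]@{
            Type = 'File'; Location = $dropped; Name = $file.Name; Data = $file.LastWriteTime }
    }

    # The worm can change EnableDCOM; report the current value for baseline review.
    $ole = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Ole' `
                            -Name 'EnableDCOM' -ErrorAction SilentlyContinue
    if ($ole) {
        $findings += [pscustomobject]@{
            Type = 'ReviewSetting'; Location = 'HKLM:\SOFTWARE\Microsoft\Ole'
            Name = 'EnableDCOM'; Data = $ole.EnableDCOM }
    }

    return $findings
}

Find-SdbotVYIndicator | Format-Table -AutoSize
```

A `RunEntry` or `File` row is a match on the indicators from this page; the `ReviewSetting` row is informational and appears on clean hosts as well.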
