W32/Sdbot-WD

Please follow the instructions for removing worms.

Replace the Hosts file from a backup or edit it in Notepad to remove the changes that the worm has made.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entries. The removal of these entries is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\

and remove any reference to any file you deleted.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entries:

HKU\[code number]\Software\Microsoft\Windows\
CurrentVersion\Run\

HKU\[code number]\Software\Microsoft\Windows\
CurrentVersion\RunServices\

and remove any reference to any file you deleted.

Close the registry editor.

W32/Sdbot-WD is a network worm with backdoor functionality for the Windows platform.

W32/Sdbot-WD is capable of spreading to computers on the local network protected by weak passwords after receiving the appropriate backdoor command.

W32/Sdbot-WD will also attempt to spread by exploiting the following vulnerabilities:

DCOM (MS04-012)
LSASS (MS04-011)
Workstation service (MS03-049)
Microsoft SQL Server 2000 (pre service pack 3) (CAN-2003-1030)
Microsoft SQL servers with weak passwords

When first run, W32/Sdbot-WD moves itself to the Windows system folder as F1REWALLS.EXE. In order to run automatically each time a user logs on, W32/Sdbot-WD will set the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Compaq Drivers
F1rewalls.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Compaq Drivers
F1rewalls.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Compaq Drivers
F1rewalls.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Compaq Drivers
F1rewalls.exe

W32/Sdbot-WD will attempt to stealth itself by dropping and running a file named MSDIRECTX.SYS. This file runs as a service named "msdirectx" and is detected as Troj/NtRootK-F.

W32/Sdbot-WD will drop and open an HTML file named S.HTML to the C drive. When opened, this file will run remote JavaScript files that may attempt to download adware and other executable files.

W32/Sdbot-WD runs continuously in the background, providing backdoor access to the infected computer over IRC channels.

W32/Sdbot-WD will modify the following registry entries in order to disable DCOM and close restrictions on IPC$ shares:

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

W32/Sdbot-WD will also set the following registry entries:

HKCU\SYSTEM\CurrentControlSet\Control\Lsa
Compaq Drivers
F1rewalls.exe

HKCU\Software\Microsoft\OLE
Compaq Drivers
F1rewalls.exe

W32/Sdbot-WD will attempt to disable the Windows Internet Connection Firewall, Automatic Updates and Security Center by modifying the following registry entries:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Start

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Start

HKLM\SYSTEM\CurrentControlSet\Services\wscsv\Start

W32/Sdbot-WD can add and delete network shares and users on the infected computer.

W32/Sdbot-WD may modify the HOSTS file found in the <Windows system folder>\driver\etc folder in order to deny access to certain anti-virus websites. For example,

127.0.0.1 www.sophos.com
127.0.0.1 sophos.com

W32/Sdbot-WD will attempt to terminate a large number of security and anti-virus related processes.