high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Characteristics |
|
| Protection available since | 28 March 2005 21:34:52 (GMT) |
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
More Information
W32/Sdbot-WK is a network worm with backdoor functionality for the Windows platform.
W32/Sdbot-WK is capable of spreading to computers on the local network protected by weak passwords after receiving the appropriate backdoor command.
W32/Sdbot-WK will also attempt to spread by exploiting the following vulnerabilities:
RPC DCOM (MS03-026, MS03-039, MS04-012)
LSASS (MS04-011)
WorKStation service (MS03-049)
Microsoft SQL Server 2000 (pre service pack 3) (CAN-2002-0649)
Microsoft SQL servers with weak passwords
W32/Sdbot-WK will disable DCOM, close restrictions on IPC$ shares and attempt to disable the Windows Internet Connection Firewall and Automatic Updates. W32/Sdbot-WK is a network worm with backdoor functionality for the Windows platform.
W32/Sdbot-WK is capable of spreading to computers on the local network protected by weak passwords after receiving the appropriate backdoor command.
W32/Sdbot-WK will also attempt to spread by exploiting the following vulnerabilities:
RPC DCOM (MS03-026, MS03-039, MS04-012)
LSASS (MS04-011)
WorKStation service (MS03-049)
Microsoft SQL Server 2000 (pre service pack 3) (CAN-2002-0649)
Microsoft SQL servers with weak passwords
When first run, W32/Sdbot-WK moves itself to the Windows system folder as PC.EXE. In order to run automatically each time a user logs on, W32/Sdbot-WK will set the following registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Service Drivers
PC.EXE
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Service Drivers
PC.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Service Drivers
PC.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Service Drivers
PC.EXE
W32/Sdbot-WK will attempt to stealth itself by dropping and running a file named MSDIRECTX.SYS. This file runs as a service named "msdirectx" and is detected as Troj/NtRootK-F.
W32/Sdbot-WK runs continuously in the background, providing backdoor access to the infected computer over IRC channels.
W32/Sdbot-WK will modify the following registry entries in order to disable DCOM and close restrictions on IPC$ shares:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
W32/Sdbot-WK will attempt to disable the Windows Internet Connection Firewall and Automatic Updates by modifying the following registry entries:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Start
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Start
W32/Sdbot-WK can add and delete network shares and users on the infected computer.
W32/Sdbot-WK may modify the HOSTS file found in the %SYSTEM%\driver\etc folder in order to deny access to certain anti-virus websites. For example,
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
W32/Sdbot-WK will attempt to terminate a large number of security and anti-virus related processes.
|
