high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Characteristics |
|
| Protection available since | 19 April 2005 13:00:34 (GMT) |
| Last updated | 9 November 2005 15:31:50 (GMT) |
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
Replace the Hosts file from a backup or edit it in Notepad to remove the changes that the worm has made.
You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
and remove any reference to any file you deleted.
Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entries:
HKU\[code number]\Software\Microsoft\Windows\
CurrentVersion\Run\
HKU\[code number]\Software\Microsoft\Windows\
CurrentVersion\RunServices\
and remove any reference to any file you deleted.
Close the registry editor.
More Information
W32/Sdbot-XH is a network worm with backdoor Trojan functionality for the Windows platform, that spreads through network shares protected by weak passwords, MS-SQL servers and through various operating system vulnerabilities.
W32/Sdbot-XH connects to a predetermined IRC channel and awaits further commands from remote users. The backdoor component of W32/Sdbot-XH can be instructed to perform the following functions:
scan networks for vulnerabilities
download/execute arbitrary files
start an ftp server
Patches for the vulnerabilities exploited by W32/Sdbot-XH can be obtained from Microsoft at:
http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx
W32/Sdbot-XH is a network worm with backdoor Trojan functionality for the Windows platform.
When first run, W32/Sdbot-XH copies itself to the Windows system folder as windesktop.exe, and in order to be able to run automatically when Windows starts up sets the following registry entries in order to run each time a user logs on:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Desktop Controler
windesktop.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Windows Desktop Controler
windesktop.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\
Windows Desktop Controler
windesktop.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Windows Desktop Controler
windesktop.exe
The worm sets the following registry entries, disabling the automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\
Start
4
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\
Start
4
Registry entries are also created under:
HKCU\Software\Microsoft\OLE\
HKLM\SOFTWARE\Microsoft\Ole\
The worm spreads through network shares protected by weak passwords, MS-SQL servers and through various operating system vulnerabilities.
W32/Sdbot-XH connects to a predetermined IRC channel and awaits further commands from remote users. The backdoor component of W32/Sdbot-XH can be instructed to perform the following functions:
scan networks for vulnerabilities
download/execute arbitrary files
start an ftp server
Patches for the vulnerabilities exploited by W32/Sdbot-XH can be obtained from Microsoft at:
http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx
W32/Sdbot-XH also drops a file to the current folder as msdirectx.sys. The dropped file is detected by Sophos's anti-virus products as Troj/NtRootK-F.
The worm changes the Windows HOSTS file in attempt to prevent access to sites from the following list:
avp.com
ca.com
customer.symantec.com
dispatch.mcafee.com
download.mcafee.com
f-secure.com
kaspersky.com
kaspersky-labs.com
liveupdate.symantec.com
liveupdate.symantecliveupdate.com
mast.mcafee.com
mcafee.com
my-etrust.com
nai.com
networkassociates.com
rads.mcafee.com
secure.nai.com
securityresponse.symantec.com
sophos.com
symantec.com
trendmicro.com
update.symantec.com
updates.symantec.com
us.mcafee.com
viruslist.com
www.avp.com
www.ca.com
www.f-secure.com
www.grisoft.com
www.kaspersky.com
www.mcafee.com
www.my-etrust.com
www.nai.com
www.networkassociates.com
www.sophos.com
www.symantec.com
www.trendmicro.com
www.viruslist.com
W32/Sdbot-XH terminates a number of processes including those related to various AV and security applications as well as system tools and other Worms and Trojans.
|
