Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 18 April 2005 20:19:26 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Sdbot-XJ is a network worm with backdoor functionality for the Windows platform.
W32/Sdbot-XJ attempts to spread to remote network shares protected by weak passwords and computers vulnerable to common exploits, including LSASS (MS04-011), RPC-DCOM (MS04-012) and WKS (MS03-049).
W32/Sdbot-XJ opens up a backdoor, allowing unauthorised remote access to the infected computer via the IRC network, while running in the background as a service process.
W32/Sdbot-XJ can receive commands from a remote attacker allowing them to control the infected computer.
The worm creates a file msdirectx.sys which is detected by Sophos as Troj/NtRootK-F.
W32/Sdbot-XJ copies itself to the Windows system folder as msdrvdx.exe and creates the following registry entries in order to run automatically on computer login:
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MS DVD DirectX Sound Drivers = msdrvdx.exe
- HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\MS DVD DirectX Sound Drivers = msdrvdx.exe
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MS DVD DirectX Sound Drivers = msdrvdx.exe
- HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\MS DVD DirectX Sound Drivers = msdrvdx.exe
On NT-based versions of Windows (NT, 2000, XP), msdrvdx.exe is registered as a service process with a service name and display name of msdirectx. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\msdirectx\
W32/Sdbot-XJ also changes system security by altering the following registry entries:
- HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = N
- HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = 1
- HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 4
- HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Start = 4
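The following read-only PowerShell script is an added example (not Sophos's own code) that checks a host for the autorun entries, service key, dropped files and weakened security settings listed above. It assumes the dropped files sit in %SystemRoot%\System32, since the page only says "the Windows system folder" for msdrvdx.exe and gives no location for msdirectx.sys.

```powershell
# Added example: report W32/Sdbot-XJ registry and file indicators on this host.
# Read-only; run from an elevated prompt so HKLM and System32 are fully readable.
$findings = @()

# 1. Autorun entries: value "MS DVD DirectX Sound Drivers" under Run / RunServices
$autorunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)
foreach ($key in $autorunKeys) {
    $val = Get-ItemProperty -Path $key -Name 'MS DVD DirectX Sound Drivers' -ErrorAction SilentlyContinue
    if ($val) { $findings += "Autorun entry: $key\MS DVD DirectX Sound Drivers = $($val.'MS DVD DirectX Sound Drivers')" }
}

# 2. Service registration used on NT-based Windows (service/display name msdirectx)
if (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Services\msdirectx') {
    $findings += 'Service key present: HKLM\SYSTEM\CurrentControlSet\Services\msdirectx'
}

# 3. Dropped files. Assumption: "Windows system folder" means %SystemRoot%\System32.
foreach ($name in 'msdrvdx.exe', 'msdirectx.sys') {
    $path = Join-Path $env:SystemRoot "System32\$name"
    if (Test-Path $path) { $findings += "File present: $path" }
}

# 4. Security settings the worm alters; Start = 4 means the service is disabled.
$securityChecks = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Ole'; Name = 'EnableDCOM'; Bad = 'N'; Why = 'DCOM disabled' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'restrictanonymous'; Bad = 1; Why = 'restrictanonymous set to 1' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess'; Name = 'Start'; Bad = 4; Why = 'Firewall/ICS service disabled' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv'; Name = 'Start'; Bad = 4; Why = 'Automatic Updates service disabled' }
)
foreach ($c in $securityChecks) {
    $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    if ($item -and ($item.($c.Name) -eq $c.Bad)) {
        $findings += "$($c.Key)\$($c.Name) = $($c.Bad) ($($c.Why))"
    }
}

if ($findings.Count -eq 0) { 'No W32/Sdbot-XJ indicators found.' } else { $findings }
```

A hit on section 4 alone is not proof of infection, since an administrator may have set the same values deliberately; treat it as a prompt to check the autorun, service and file indicators on the same host.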
