W32/Sdbot-XS

Please follow the instructions for removing worms.

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

and remove any reference to any file you deleted.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:

HKU\[code number]\Software\Microsoft\Windows\
CurrentVersion\Run\

and remove any reference to any file you deleted.

Close the registry editor.

W32/Sdbot-XS is a member of the W32/Sdbot family of network worms. The worm can spread to weakly protected network shares.

In order to run automatically when Windows starts up the worm copies itself to the Windows system folder as botss.exe and creates the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Configuration Loader
botss.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Configuration Loader
botss.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Configuration Loader
botss.exe

Once installed, W32/Sdbot-XS connects to a preconfigured IRC server and joins a channel from which an attacker can issue further commands. These commands can cause the infected computer to perform any of the following actions:

Flood remote computers with network traffic
Disable DCOM and attempt to delete the C$, D$, IPC$ and ADMIN$ network shares
Steal product keys
Upload, download and execute files
Scan for remote computers to spread to