Sophos

W32/Sdbot-YJ

Aliases
  • Backdoor.Win32.Rbot.gen
  • W32/Sdbot.worm.gen.w
  • W32.Spybot.Worm
  • WORM_SDBOT.BVC

Summary

How it spreads
  • Network shares
Affected operating systems Windows
Characteristics
  • Drops more malware
  • Installs itself in the registry
Protection available since 20 May 2005 20:30:22 (GMT)
Detected by All Sophos products
  • Endpoint Security and Control 9.0
  • Small business solutions 4.0

More Information

W32/Sdbot-YJ is a network worm with backdoor functionality for the Windows platform.

W32/Sdbot-YJ runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels. The worm may spread to remote network shares with weak passwords.

The following patches for the operating system vulnerabilities exploited by W32/Sdbot-YJ can be obtained from the Microsoft website:

MS02-039
MS03-049
MS04-011
MS04-012
MS04-045

When first run the worm copies itself to <Windows system folder>\sdkimddprovment2.exe and creates the file <Windows system folder>\mskdll.dll. The latter file is detected as Troj/NtRootK-F.

The following registry entries are created to run sdkimddprovment2.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SDK Codre Function22
sdkimddprovment2.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SDK Codre Function22
sdkimddprovment2.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
SDK Codre Function22
sdkimddprovment2.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
SDK Codre Function22
sdkimddprovment2.exe

W32/Sdbot-YJ sets the following registry entries, disabling the automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4

Registry entries are set as follows:

HKCU\SYSTEM\CurrentControlSet\Control\Lsa
SDK Codre Function22
sdkimddprovment2.exe

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
SDK Codre Function22
sdkimddprovment2.exe

HKCU\Software\Microsoft\OLE
SDK Codre Function22
sdkimddprovment2.exe

HKLM\SOFTWARE\Microsoft\Ole
SDK Codre Function22
sdkimddprovment2.exe

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
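The registry entries listed above (the autostart values, the two services whose Start value is set to 4, and the Ole/Lsa settings) can be checked offline against a Regedit export. The script below is an added example, not Sophos code: it parses a Regedit 5.00 export, normalises hive names to the HKLM/HKCU abbreviations used in this write-up, and reports which of the documented indicators are present. The sample export embedded in it is constructed for illustration and is not data from a real host. Note that EnableDCOM=N and restrictanonymous=1 are also legitimate hardening settings, so on their own they are only weak signals; the "SDK Codre Function22" value name is the strong one.

```python
import re
from typing import Dict, List, Tuple, Union

RegValue = Union[str, int]
RegSnapshot = Dict[Tuple[str, str], RegValue]  # (key, value name) -> data, both lower-cased

HIVE_ABBREV = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}
_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')

# Constructed sample export (hypothetical): one infected-looking machine where
# wuauserv is still enabled, so only SharedAccess should be flagged as disabled.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SDK Codre Function22"="sdkimddprovment2.exe"
"SomeLegitApp"="C:\\Program Files\\Legit\\app.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
"SDK Codre Function22"="sdkimddprovment2.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"SDK Codre Function22"="sdkimddprovment2.exe"
"restrictanonymous"=dword:00000001
"""


def parse_reg_export(text: str) -> RegSnapshot:
    """Parse a Regedit 5.00 export into {(key, name): data}.

    Only quoted strings and dword values are decoded, which is all this check
    needs. Keys and names are lower-cased because the registry is case-insensitive.
    """
    snapshot: RegSnapshot = {}
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            for long_name, short in HIVE_ABBREV.items():
                if key.upper().startswith(long_name):
                    key = short + key[len(long_name):]
            current_key = key.lower()
            continue
        m = _VALUE_RE.match(line)
        if m and current_key is not None:
            data = m.group("data")
            if data.startswith("dword:"):
                value: RegValue = int(data[len("dword:"):], 16)
            elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                value = data[1:-1].replace("\\\\", "\\")  # undo .reg backslash escaping
            else:
                continue  # hex:/expand-string data is not needed for these indicators
            snapshot[(current_key, m.group("name").lower())] = value
    return snapshot


# Indicators taken from the write-up above.
MARKER_NAME = "SDK Codre Function22"
DROPPED_EXE = "sdkimddprovment2.exe"
AUTOSTART_KEYS = [
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
]
MARKER_KEYS = AUTOSTART_KEYS + [
    r"HKCU\SYSTEM\CurrentControlSet\Control\Lsa",
    r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa",
    r"HKCU\Software\Microsoft\OLE",
    r"HKLM\SOFTWARE\Microsoft\Ole",
]
DISABLED_SERVICES = ["SharedAccess", "wuauserv"]
SERVICE_DISABLED = 4  # Start=4 is SERVICE_DISABLED


def find_sdbot_yj_indicators(snapshot: RegSnapshot) -> List[Dict[str, str]]:
    """Return one finding per documented indicator present in the snapshot."""
    findings: List[Dict[str, str]] = []
    for key in MARKER_KEYS:  # the worm's own value name: strongest signal
        data = snapshot.get((key.lower(), MARKER_NAME.lower()))
        if data is not None:
            findings.append({"confidence": "high", "key": key, "name": MARKER_NAME, "data": str(data)})
    autostart = {k.lower() for k in AUTOSTART_KEYS}  # any other value launching the dropped file
    for (key, name), data in snapshot.items():
        if key in autostart and name != MARKER_NAME.lower() and isinstance(data, str) \
                and data.lower().endswith(DROPPED_EXE):
            findings.append({"confidence": "high", "key": key, "name": name, "data": data})
    for svc in DISABLED_SERVICES:  # firewall/ICS and Automatic Updates services turned off
        key = rf"HKLM\SYSTEM\CurrentControlSet\Services\{svc}"
        if snapshot.get((key.lower(), "start")) == SERVICE_DISABLED:
            findings.append({"confidence": "medium", "key": key, "name": "Start", "data": "4"})
    # Also valid hardening choices, so weak on their own.
    if str(snapshot.get((r"HKLM\SOFTWARE\Microsoft\Ole".lower(), "enabledcom"), "")).upper() == "N":
        findings.append({"confidence": "low", "key": r"HKLM\SOFTWARE\Microsoft\Ole", "name": "EnableDCOM", "data": "N"})
    if snapshot.get((r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa".lower(), "restrictanonymous")) == 1:
        findings.append({"confidence": "low", "key": r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa",
                         "name": "restrictanonymous", "data": "1"})
    return findings


if __name__ == "__main__":
    for f in find_sdbot_yj_indicators(parse_reg_export(SAMPLE_REG)):
        print(f"[{f['confidence']:6}] {f['key']}  {f['name']} = {f['data']}")
```

Run it against a real export with `parse_reg_export(open("export.reg", encoding="utf-16").read())`; Regedit writes exports as UTF-16. Treat any high-confidence hit as grounds to also look for the dropped files named above in the Windows system folder.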
