Sophos

W32/Sdbot-YK

Aliases
  • Backdoor.Win32.SdBot.yx
  • W32/Sdbot.worm.gen.by
Category
Type
What to do
Prevalence low high

Summary

 
How it spreads
  • Network shares
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 24 May 2005 13:35:32 (GMT)
Detected by All Sophos products
Download Free virus scan
Download the Threat Detection Test
  • Free virus, spyware, and adware scan
  • Test your existing anti-virus protection
  • Find threats your anti-virus missed

Action

More Information

W32/Sdbot-YK is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels.

W32/Sdbot-YK spreads to network shares as a result of the backdoor element receiving the appropriate command from a remote user.

W32/Sdbot-YK moves itself to the Windows system folder as winxtn.exe and creates the following entries in the registry so as to run itself on system startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
XTN Service Drivers
winxtn.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
XTN Service Drivers
winxtn.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
XTN Service Drivers
winxtn.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
XTN Service Drivers
winxtn.exe

W32/Sdbot-YK may also set the following registry entries:

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
XTN Service Drivers
winxtn.exe

HKLM\SOFTWARE\Microsoft\Ole
XTN Service Drivers
winxtn.exe

W32/Sdbot-YK also drops Troj/NtRootk-F as msdirectx.sys and installs it as a service with the name "msdirectx".

RSS|Atom
Get reports about the latest virus and spyware threats delivered to your computer