Summary
| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing worms.
Download and install the Microsoft patch (MS03-026) referenced under More Information.
More Information
W32/RpcSdbot-A is primarily an IRC backdoor Trojan that has the potential to spread to other machines using the RPC/DCOM exploit.
W32/RpcSdbot-A does not spread by itself. It has to receive the appropriate backdoor command from an attacker to trigger its spreading functionality.
W32/RpcSdbot-A consists of a dropper EXE component and the main backdoor/worm DLL component. The dropper contains the DLL component inside itself and is responsible for injecting it into the Explorer process.
When first executed the dropper copies itself into the Windows system folder with a predefined name (e.g. winlogin.exe, nstask32.exe) and executes the dropped copy.
When run from the System folder, the Trojan deletes the original dropper that dropped it, extracts the main DLL component into the Windows system folder with a predefined name (e.g. Yuetyutr.dll, win32sockdrv.dll), injects the DLL into Explorer and sets the following registry entry:
```
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Ndpldaemon
<Path to Trojan exe in system folder>
```
The DLL may also create additional values (e.g. Winlogon, Ndpldaemon) under the HKLM Run and RunOnce keys.
W32/RpcSdbot-A monitors these registry entries and restores them if they are deleted.
W32/RpcSdbot-A creates a copy of itself in the Windows temporary folder with a random name and a TXT extension. The DLL uses this dropped file to restore the main EXE component if it is deleted.
W32/RpcSdbot-A sets the following entry in system.ini:
```
[Boot]
Shell = explorer.exe <Path to dropped exe>
```
W32/RpcSdbot-A attempts to delete the file tftp.exe from the Windows system folder and the DLL cache, apparently to make the system immune to further RPC/DCOM exploits that use tftp.
W32/RpcSdbot-A logs on to predefined IRC servers and waits for backdoor commands. An attacker can trigger the spreading functionality of the Trojan by issuing the appropriate backdoor command.
When spreading is triggered, W32/RpcSdbot-A scans certain IP ranges for machines vulnerable to the RPC/DCOM exploit and attempts to spread to them using that exploit.
Microsoft issued a patch for the vulnerability exploited by this worm on July 16, 2003. The patch is available from www.microsoft.com/technet/security/bulletin/MS03-026.asp.
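The persistence indicators listed above (the system.ini Shell line, the Ndpldaemon/Winlogon Run values, the dropped file names and the removed tftp.exe) can be checked offline with a small script. This is an added example, not Sophos code; the inputs below are constructed samples, and on a real host you would supply the contents of system.ini, the values read from the HKLM Run/RunOnce keys, and a listing of the Windows system folder.

```python
import re

# File and value names quoted in the write-up above (given there as "e.g.", so not exhaustive).
TROJAN_FILE_NAMES = {"winlogin.exe", "nstask32.exe", "yuetyutr.dll", "win32sockdrv.dll"}
RUN_VALUE_NAMES = {"ndpldaemon", "winlogon"}
SHELL_RE = re.compile(r"^\s*shell\s*=\s*(.+?)\s*$", re.IGNORECASE)

def parse_boot_shell(system_ini_text):
    """Return the Shell= value from the [Boot] section of system.ini, or None if absent."""
    section = None
    for line in system_ini_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].lower()
        elif section == "boot":
            m = SHELL_RE.match(line)
            if m:
                return m.group(1)
    return None

def check_indicators(system_ini_text, run_values, system_dir_listing):
    """Return a list of findings (an empty list means no indicator matched).

    run_values: dict of value name -> data merged from the HKLM Run and RunOnce keys.
    system_dir_listing: file names present in the Windows system folder.
    """
    findings = []
    shell = parse_boot_shell(system_ini_text)
    # A clean [Boot] section has Shell=explorer.exe alone; the Trojan appends its own path.
    if shell is not None and shell.lower().split() != ["explorer.exe"]:
        findings.append(f"system.ini [Boot] Shell altered: {shell!r}")
    for name, data in run_values.items():
        if name.lower() in RUN_VALUE_NAMES:
            findings.append(f"Run/RunOnce value {name!r} -> {data!r}")
    present = {f.lower() for f in system_dir_listing}
    for f in sorted(TROJAN_FILE_NAMES & present):
        findings.append(f"known RpcSdbot-A file name in system folder: {f}")
    if "tftp.exe" not in present:
        findings.append("tftp.exe missing from system folder (the Trojan deletes it)")
    return findings

# Constructed sample input modelled on the infection described above (not data from a real host).
SAMPLE_SYSTEM_INI = "[boot]\nShell = explorer.exe C:\\WINDOWS\\system32\\winlogin.exe\n[drivers]\nwave=mmdrv.dll\n"
SAMPLE_RUN_VALUES = {"Ndpldaemon": "C:\\WINDOWS\\system32\\winlogin.exe", "ctfmon.exe": "C:\\WINDOWS\\system32\\ctfmon.exe"}
SAMPLE_SYSTEM_DIR = ["winlogin.exe", "Yuetyutr.dll", "kernel32.dll"]

if __name__ == "__main__":
    for finding in check_indicators(SAMPLE_SYSTEM_INI, SAMPLE_RUN_VALUES, SAMPLE_SYSTEM_DIR):
        print(finding)
```

Run against the constructed sample it reports five findings; a clean host (Shell=explorer.exe alone, no matching Run values, tftp.exe present) reports none.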
