Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Included in our products from | September 2005 (3.97) |
| Protection available since | 19 July 2005 20:48:19 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing worms.
More Information
W32/Sdbot-AAZ is a network worm with backdoor Trojan functionality for the Windows platform.
The backdoor component of W32/Sdbot-AAZ joins a predetermined IRC channel and awaits further commands from remote attackers.
The worm spreads through network shares and can be instructed to send itself through the AOL Instant Messenger (AIM) application.
When run, W32/Sdbot-AAZ copies itself to the Windows system folder as xmconfig.exe and sets the following registry entries in order to run each time a user logs on:
```text
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
stratas
"xmconfig.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
stratas
"xmconfig.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
stratas
"xmconfig.exe"
```
The worm then drops the file msdirectx.sys to the Windows system folder and loads it as a system driver. Sophos's anti-virus products detect msdirectx.sys as Troj/NtRootK-F.
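As an added example (not part of the Sophos write-up), the following script scans the text of a `reg export` (.reg) file for the three autorun entries listed above, matching either the value name `stratas` or the file name `xmconfig.exe` in the data. The sample export embedded at the bottom is constructed for illustration, not captured from an infected host.

```python
import re

# Persistence indicators from the W32/Sdbot-AAZ write-up above.
AUTORUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
VALUE_NAME = "stratas"
PAYLOAD = "xmconfig.exe"

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")          # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')  # "name"="data"


def find_sdbot_autoruns(reg_export: str) -> list[tuple[str, str, str]]:
    """Return (key, value name, data) for every entry under one of the
    autorun keys whose name is 'stratas' or whose data names xmconfig.exe."""
    hits = []
    current_key = None
    for raw in reg_export.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if not m or current_key is None:
            continue
        if current_key.lower() not in AUTORUN_KEYS:
            continue
        name, data = m.group("name"), m.group("data")
        # The data may be a bare file name or a full path, so match on substring.
        if name.lower() == VALUE_NAME or PAYLOAD in data.lower():
            hits.append((current_key, name, data))
    return hits


# Constructed sample export: one benign entry plus one worm entry per key.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"stratas"="xmconfig.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"stratas"="xmconfig.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"stratas"="C:\\WINDOWS\\system32\\xmconfig.exe"
'''

if __name__ == "__main__":
    for key, name, data in find_sdbot_autoruns(SAMPLE_EXPORT):
        print(f"suspicious autorun: {key} -> {name} = {data}")
```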
