Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Included in our products from | September 2005 (3.97) |
| Protection available since | 30 July 2005 15:44:30 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Sdbot-ABQ is a worm for the Windows platform.
W32/Sdbot-ABQ spreads to other network computers by exploiting common buffer overflow vulnerabilities, including LSASS (MS04-011).
W32/Sdbot-ABQ runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Sdbot-ABQ includes functionality to:
- steal confidential information including system hardware information
- carry out DDoS flooder attacks
- silently download, install and run new software
- inject itself into the Windows Explorer process in order to hide itself
When first run W32/Sdbot-ABQ copies itself to <System>\mousecrm.exe. The file mousecrm.exe is registered as a new system driver service named "mousecrm", with a display name of "Mouse Cursor Monitor" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\mousecrm\
It may also create a log file at <Windows>\Debug\dcpromo.log.
Registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "n"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = 1
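The following read-only host check looks for the artefacts listed above (the "mousecrm" service and its registry key, the dropped mousecrm.exe, the optional dcpromo.log and the two registry values). It is an added example, not a Sophos tool, and makes two assumptions: that the <System> folder in the description is %SystemRoot%\System32, and that registry data is compared as text. The dcpromo.log file and the two registry values are only corroborating indicators, since Active Directory promotion writes that log and both values can be set legitimately; the service and executable are the strong indicators.

```powershell
# Added example (not Sophos code): report W32/Sdbot-ABQ artefacts on the local host.
# Read-only; run from an elevated PowerShell session. Nothing is modified or removed.
function Test-SdbotABQArtifacts {
    $findings = @()

    # Strong indicator: the service the worm registers itself as.
    $svc = Get-Service -Name 'mousecrm' -ErrorAction SilentlyContinue
    if ($svc) {
        $findings += "Service 'mousecrm' present (display name '$($svc.DisplayName)', status $($svc.Status))"
    }

    # Strong indicator: the service key and the binary it points at.
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\mousecrm'
    if (Test-Path $svcKey) {
        $img = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath
        $findings += "Registry key $svcKey present (ImagePath: $img)"
    }

    # Strong indicator: the dropped file. <System> is assumed to be %SystemRoot%\System32.
    $exe = Join-Path $env:SystemRoot 'System32\mousecrm.exe'
    if (Test-Path $exe) {
        $hash = (Get-FileHash -Path $exe -Algorithm SHA256).Hash
        $findings += "File $exe present (SHA256 $hash)"
    }

    # Weak indicator: dcpromo.log is also written by legitimate AD promotion.
    $log = Join-Path $env:SystemRoot 'Debug\dcpromo.log'
    if (Test-Path $log) {
        $findings += "Log file $log present (weak indicator)"
    }

    # Weak indicators: the two values the worm sets; both can also be set by administrators.
    $checks = @(
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Ole';               Name = 'EnableDCOM';        Expected = 'n' },
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'restrictanonymous'; Expected = '1' }
    )
    foreach ($c in $checks) {
        $val = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        # -eq on strings is case-insensitive in PowerShell, so "N" and "n" both match.
        if ($null -ne $val -and "$val" -eq $c.Expected) {
            $findings += "$($c.Path)\$($c.Name) = $val (weak indicator: matches value set by the worm)"
        }
    }

    return $findings
}

$result = Test-SdbotABQArtifacts
if ($result.Count -eq 0) {
    'No W32/Sdbot-ABQ artefacts found.'
} else {
    'Possible W32/Sdbot-ABQ artefacts:'
    $result | ForEach-Object { " - $_" }
}
```

A hit on the service or the executable alone is enough to treat the host as infected and follow the worm removal instructions in the Action section; a hit on only the weak indicators warrants investigation rather than a verdict.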
