Summary

| | |
|---|---|
| How it spreads | |
| Affected operating systems | Windows |
| Characteristics | |
| Included in our products from | October 2005 (3.98) |
| Protection available since | 16 August 2005 04:47:15 (GMT) |
| Detected by | All Sophos products |
Action
Please read the instructions for removing W32/Sdbot-ACG.
More Information
W32/Sdbot-ACG is a worm for the Windows platform.
W32/Sdbot-ACG spreads to other network computers by exploiting common buffer overflow vulnerabilities, including PnP (MS05-039) and LSASS (MS04-011).
W32/Sdbot-ACG runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Sdbot-ACG includes functionality to:
- steal confidential information
- carry out DDoS flooder attacks
- silently download, install and run new software
- inject itself into the Windows explorer process to hide itself
When first run W32/Sdbot-ACG copies itself to <System>\mousebm.exe.
The file mousebm.exe is registered as a new system driver service named "mousebm", with a display name of "Mouse Button Monitor" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\mousebm\
W32/Sdbot-ACG creates the file
Registry entries are set as follows:
- HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = n
- HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = 1
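The service, file and registry artefacts listed above can be checked with the following PowerShell script, an added example and not Sophos' own tooling. It assumes `<System>` maps to `%SystemRoot%\System32` and that it is run in an elevated session on the host being examined.

```powershell
# Added defender-side check (not Sophos code): looks for the persistence
# artefacts this advisory lists for W32/Sdbot-ACG and reports each finding.
# Assumptions: <System> is %SystemRoot%\System32; the session is elevated.

$findings = @()

# 1. The dropped copy under the System directory (<System>\mousebm.exe).
$dropped = Join-Path $env:SystemRoot 'System32\mousebm.exe'
if (Test-Path -LiteralPath $dropped) {
    $findings += "File present: $dropped"
}

# 2. The 'mousebm' service (display name "Mouse Button Monitor", automatic start).
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='mousebm'" -ErrorAction SilentlyContinue
if ($svc) {
    $findings += "Service present: $($svc.Name) ('$($svc.DisplayName)'), StartMode=$($svc.StartMode), Path=$($svc.PathName)"
}

# 3. Its registration key under CurrentControlSet\Services.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\mousebm'
if (Test-Path -LiteralPath $svcKey) {
    $findings += "Registry key present: $svcKey"
}

# 4. The two values the worm sets. Both can also be set legitimately by an
#    administrator, so they are reported as corroborating evidence only.
$ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -Name 'EnableDCOM' -ErrorAction SilentlyContinue
if ($ole -and $ole.EnableDCOM -eq 'n') {
    $findings += 'HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = n (DCOM disabled)'
}
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'restrictanonymous' -ErrorAction SilentlyContinue
if ($lsa -and $lsa.restrictanonymous -eq 1) {
    $findings += 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = 1'
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Sdbot-ACG persistence artefacts found.'
} else {
    Write-Output 'Possible W32/Sdbot-ACG artefacts:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

The file and service checks are the strong indicators; the two registry values on their own only corroborate, since they can be set by legitimate hardening.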
The following patches for the operating system vulnerabilities exploited by W32/Sdbot-ACG can be obtained from the Microsoft website:
