Summary

| Property | Value |
|---|---|
| How it spreads | |
| Affected operating systems | Windows |
| Characteristics | |
| Included in our products from | October 2005 (3.98) |
| Protection available since | 19 August 2005 20:51:38 (GMT) |
| Detected by | All Sophos products |
Action
Please read the instructions for removing W32/Sdbot-ACK.
More Information
W32/Sdbot-ACK is a worm and backdoor Trojan for the Windows platform.
W32/Sdbot-ACK spreads:
- to other network computers infected with: W32/Bagle and Troj/Optix
- to other network computers by exploiting common buffer overflow vulnerabilities, including: PNP (MS05-039), LSASS (MS04-011), WebDav (MS03-007), IIS5SSL (MS04-011) (CAN-2003-0719), UPNP (MS01-059) and Dameware (CAN-2003-1030)
- by copying itself to network shares protected by weak passwords
W32/Sdbot-ACK runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer.
W32/Sdbot-ACK includes functionality to download, install and run new software, and may attempt to do so without prompting from a remote user.
When first run, W32/Sdbot-ACK copies itself to <System>\libsys32.exe and creates the clean log file <Temp>\kspd32a.exe. W32/Sdbot-ACK may spread with the filename cool.exe.
The following registry entries are created to run libsys32.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft System Checkup
libsys32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Microsoft System Checkup
libsys32.exe
The file libsys32.exe is registered as a new system driver service named "ntlogin32", with a display name of "NT login service" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\ntlogin32\
W32/Sdbot-ACK also creates the following registry entry so as to run syslog32.exe, although it doesn't explicitly drop this file:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
NT Logging Service
syslog32.exe
W32/Sdbot-ACK attempts to terminate various anti-virus and security related programs and services, and to remove the following files if they are found in the startup folder:
sysmgr.exe
wnetlogin.exe
keymgr.exe
inetman.exe
wsock32.exe
dbnetlib.exe
wnetmgr.exe
wnetlib.exe
ntsysmgr.exe
ntsysman.exe
W32/Sdbot-ACK attempts to modify the HOSTS file found in the drivers\etc subfolder of the Windows system folder, preventing access to certain websites by mapping them to the loopback address as follows:
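As an added defender-side example that is not part of the Sophos analysis, the following Python checks a machine's artefacts for the two traces described above: HOSTS entries that redirect names other than localhost to the loopback address, and Run/RunServices values matching the worm's start-up entries. The sample HOSTS text and Run values are constructed for illustration.

```python
# Constructed sample HOSTS file: the legitimate localhost entries plus two
# loopback mappings of the kind W32/Sdbot-ACK appends.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.sophos.com
127.0.0.1 liveupdate.symantec.com   # appended by the worm
::1             localhost
"""

# Constructed sample of a Run key's values (value name -> data); the first
# two are the worm's entries from the description above, the third is benign.
SAMPLE_RUN_VALUES = {
    "Microsoft System Checkup": "libsys32.exe",
    "NT Logging Service": "syslog32.exe",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}

LOOPBACK = {"127.0.0.1", "::1"}
LEGITIMATE_LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

# Start-up value names and file names taken from the W32/Sdbot-ACK description.
SDBOT_ACK_RUN_VALUES = {
    "Microsoft System Checkup": "libsys32.exe",
    "NT Logging Service": "syslog32.exe",
}

def find_hosts_hijacks(hosts_text):
    """Return hostnames the HOSTS file maps to a loopback address, skipping the
    names that legitimately belong there. Text after '#' is a comment."""
    hijacked = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank, comment-only or malformed line
        address, names = fields[0], fields[1:]
        if address in LOOPBACK:
            hijacked += [n for n in names if n.lower() not in LEGITIMATE_LOOPBACK_NAMES]
    return hijacked

def find_sdbot_ack_run_values(run_values):
    """Return (value name, data) pairs that match the worm's Run/RunServices
    entries; the file name comparison is case-insensitive."""
    return [(name, data) for name, data in run_values.items()
            if name in SDBOT_ACK_RUN_VALUES
            and data.lower().endswith(SDBOT_ACK_RUN_VALUES[name])]
```

On a live system the same functions can be fed the contents of %SystemRoot%\system32\drivers\etc\hosts and the values read from the Run and RunServices keys listed above.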
Sophos's anti-virus products include Genotype™ detection technology, which can proactively protect against new threats without requiring an update. Sophos customers have been protected against W32/Sdbot-ACK (detected as W32/Sdbot-Fam) since version 3.88.
