high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Characteristics |
|
| Included in our products from | February 2006 (4.02) |
| Protection available since | 12 December 2005 22:00:03 (GMT) |
| Detected by | All Sophos products |
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
More Information
W32/Sdbot-AGZ is a network worm with backdoor functionality for the Windows platform.
Sophos's anti-virus products include Genotype™ detection technology, which can proactively protect against new threats without requiring an update. Sophos customers have been protected against W32/Sdbot-AGZ (detected as W32/Sdbot-Fam) since version 3.93. W32/Sdbot-AGZ is a network worm with backdoor functionality for the Windows platform.
When first run, W32/Sdbot-AGZ copies itself to the Windows system folder as flxper.exe and creates the following registry entries in order to run each time a user logs on:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
NotFaut
"flxper.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NotFaut
"flxper.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
NotFaut
"flxper.exe"
The worm spreads through network shares protected by weak passwords, MS-SQL servers and through various operating system vulnerabilities.
W32/Sdbot-AGZ connects to a predetermined IRC channel and awaits further commands from remote users. The backdoor component of W32/Sdbot-AGZ can be instructed to perform the following functions:
scan networks for vulnerabilities
download/execute arbitrary files
start an ftp server
W32/Sdbot-AGZ has also been seen bundled with Troj/Ranck-DJ.
Sophos's anti-virus products include Genotype™ detection technology, which can proactively protect against new threats without requiring an update. Sophos customers have been protected against W32/Sdbot-AGZ (detected as W32/Sdbot-Fam) since version 3.93.
|
