W32/Sdbot-APE

Please follow the instructions for removing worms.

W32/Sdbot-APE is a worm and IRC backdoor Trojan for the Windows platform.

W32/Sdbot-APE spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), PNP (MS05-039) and ASN.1 (MS04-007).

W32/Sdbot-APE runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels. The worm contains functionality to terminate the anti-virus and security related processes.

When first run W32/Sdbot-APE copies itself to <Windows>\mdm.exe.

The following registry entries are created to run mdm.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Machine Debug Manager
MDM.EXE

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Machine Debug Manager
MDM.EXE

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Machine Debug Manager
MDM.EXE

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Machine Debug Manager
MDM.EXE

W32/Sdbot-APE sets the following registry entries, disabling the automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

Note: disabling autostart for the SharedAccess service deactivates the Microsoft Internet Connection Firewall (ICF).

Registry entries are set as follows:

HKCU\SYSTEM\CurrentControlSet\Control\Lsa
Machine Debug Manager
MDM.EXE

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Machine Debug Manager
MDM.EXE

HKCU\Software\Microsoft\OLE
Machine Debug Manager
MDM.EXE

HKLM\SOFTWARE\Microsoft\Ole
Machine Debug Manager
MDM.EXE

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1