high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Characteristics |
|
| Included in our products from | July 2005 (3.95) |
| Protection available since | 19 May 2005 05:53:26 (GMT) |
| Detected by | All Sophos products |
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
More Information
W32/Sdbot-BPZ is a network worm with backdoor Trojan functionality for the Windows platform.
When first run, W32/Sdbot-BPZ copies itself to the Windows folder as winsmc.exe and creates the following registry entry in order to run each time a user logs on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
WinScMngr
"<Windows folder>\winsmc.exe"
The worm spreads through network shares protected by weak passwords, MS-SQL servers and through various operating system vulnerabilities.
W32/Sdbot-BPZ also drops a file as rdriv.sys. Sophos's anti-virus products detect rdriv.sys as Troj/Rootkit-W.
W32/Sdbot-BPZ connects to a predetermined IRC channel and awaits further commands from remote users. The backdoor component of W32/Sdbot-BPZ can be instructed to perform the following functions:
scan networks for vulnerabilities
download/execute arbitrary files
start an ftp server
Patches for the vulnerabilities exploited by W32/Sdbot-BPZ can be obtained from Microsoft at:
http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx
|
