Summary
| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Included in our products from | June 2007 (4.18) |
| Protection available since | 10 May 2007 08:26:28 (GMT) |
| Last updated | 10 May 2007 14:10:58 (GMT) |
| Detected by | All Sophos products |
Action
Please read the instructions for removing W32/Sdbot-DDS.
More Information
W32/Sdbot-DDS is a worm with backdoor functionality for the Windows platform.

W32/Sdbot-DDS spreads to other computers on the network by exploiting common buffer overflow vulnerabilities, including:

- WKS (MS03-049) (CAN-2003-0812)
- RealVNC (CVE-2006-2369)

W32/Sdbot-DDS can be instructed to perform the following functions:

- start an FTP server
- start a proxy server
- start a web server
- start an IRC daemon
- take part in distributed denial of service (DDoS) attacks
- log keypresses (such as the username and password for PayPal)
- capture screen/webcam images
- sniff network packets
- scan ports
- download and execute arbitrary files
- start a remote shell (RLOGIN)
- steal product registration information from certain software
- turn off security software such as anti-virus or firewall products

The worm may also spread via network shares protected by weak passwords.
When first run, W32/Sdbot-DDS copies itself to <System>\sys.exe and creates the following registry entries to run sys.exe on startup:

```
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ATI Video Driver Controls
<path of worm executable>

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
ATI Video Driver Controls
<path of worm executable>

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ATI Video Driver Controls
<path of worm executable>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
ATI Video Driver Controls
<path of worm executable>
```

W32/Sdbot-DDS sets the following registry entries in order to secure the infected computer against further exploits:

```
HKLM\SOFTWARE\Microsoft\Ole\
ATI Video Driver Controls
<path of worm executable>

HKCU\Software\Microsoft\OLE\
ATI Video Driver Controls
<path of worm executable>

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
ATI Video Driver Controls
<path of worm executable>

HKCU\SYSTEM\CurrentControlSet\Control\Lsa\
ATI Video Driver Controls
<path of worm executable>
```
W32/Sdbot-DDS will append the following to the HOSTS file in order to block access to security-related URLs:

```
127.0.0.1 ca.com
127.0.0.1 download.mcafee.com
127.0.0.1 f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 mcafee.com
127.0.0.1 pandasoftware.com
127.0.0.1 sophos.com
127.0.0.1 symantec.com
127.0.0.1 trendmicro.com
127.0.0.1 us.mcafee.com
127.0.0.1 www.ca.com
127.0.0.1 www.f-secure.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 www.nai.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.sarc.com
127.0.0.1 www.sophos.com
127.0.0.1 www.symantec.com
127.0.0.1 www.trendmicro.com
```
Some of the processes terminated by W32/Sdbot-DDS are:

```
ANTI-TROJAN.EXE
ANTIVIRUS.EXE
APIMONITOR.EXE
AVGW.EXE
AVGUARD.EXE
AVP32.EXE
AVP.EXE
DRWATSON.EXE
F-PROT95.EXE
F-PROT.EXE
KAVPF.EXE
KAVPERS40ENG.EXE
KAVLITE40ENG.EXE
N32SCANW.EXE
NOD32.EXE
REALMON.EXE
ZONEALARM.EXE
```
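The autorun registry values and the HOSTS-file entries listed above are the two host artefacts a responder can check without running anything on the suspect machine. As an added example that is not part of the Sophos analysis, the following Python script parses a `reg export` of the four Run/RunServices keys and a copy of the HOSTS file, and reports the entries that match this page's indicators. The `.reg` text and HOSTS content embedded in it are constructed samples; treating `0.0.0.0` and `::1` as sinkhole addresses alongside the page's `127.0.0.1` is an assumption added here.

```python
"""Offline triage for the W32/Sdbot-DDS host indicators described above.

Added example, not Sophos code. It parses two inputs a responder can collect
from a suspect machine: a `reg export` of the autorun keys (.reg text) and the
contents of the HOSTS file. All sample data below is constructed.
"""
import re

# Indicators taken from the page.
AUTORUN_VALUE_NAME = "ATI Video Driver Controls"
DROPPED_FILENAME = "sys.exe"
AUTORUN_KEYS = {
    k.lower()
    for k in (
        r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
        r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
        r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
        r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices",
    )
}
SECURITY_DOMAINS = {
    "ca.com", "download.mcafee.com", "f-secure.com", "kaspersky.com",
    "liveupdate.symantec.com", "mcafee.com", "pandasoftware.com", "sophos.com",
    "symantec.com", "trendmicro.com", "us.mcafee.com", "www.ca.com",
    "www.f-secure.com", "www.kaspersky.com", "www.mcafee.com",
    "www.my-etrust.com", "www.nai.com", "www.pandasoftware.com", "www.sarc.com",
    "www.sophos.com", "www.symantec.com", "www.trendmicro.com",
}
# The page shows only 127.0.0.1; 0.0.0.0 and ::1 are an assumption added here,
# since a HOSTS entry pointing at them sinks the traffic the same way.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

_REG_VALUE = re.compile(r'^"([^"]*)"="(.*)"$')   # "name"="string data"


def find_autorun_entries(reg_export):
    """Return (key, value_name, data) for autorun values that match the worm:
    either the value name the page documents, or data ending in \\sys.exe."""
    hits = []
    current_key = None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]          # e.g. [HKEY_LOCAL_MACHINE\...\Run]
            continue
        match = _REG_VALUE.match(line)
        if not match or current_key is None:
            continue
        name = match.group(1)
        data = match.group(2).replace("\\\\", "\\")   # .reg doubles backslashes
        if current_key.lower() not in AUTORUN_KEYS:
            continue
        if name == AUTORUN_VALUE_NAME or data.lower().endswith("\\" + DROPPED_FILENAME):
            hits.append((current_key, name, data))
    return hits


def find_hosts_poisoning(hosts_text):
    """Return (address, hostname) for HOSTS lines that send a security vendor
    hostname to a sinkhole address. Only the vendor list is matched, so the
    normal '127.0.0.1 localhost' line does not fire."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        address, *hostnames = line.split()
        if address not in SINKHOLE_ADDRESSES:
            continue
        for hostname in hostnames:
            if hostname.lower() in SECURITY_DOMAINS:
                hits.append((address, hostname.lower()))
    return hits


def triage(reg_export, hosts_text):
    """Run both checks; 'suspicious' is True if either artefact is present."""
    autorun = find_autorun_entries(reg_export)
    hosts = find_hosts_poisoning(hosts_text)
    return {"autorun": autorun, "hosts": hosts, "suspicious": bool(autorun or hosts)}


# Constructed sample inputs (not captured from a real machine).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleBenignApp"="C:\\Program Files\\Example\\app.exe"
"ATI Video Driver Controls"="C:\\WINDOWS\\system32\\sys.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

SAMPLE_HOSTS = """# constructed HOSTS file
127.0.0.1       localhost
127.0.0.1 www.sophos.com
127.0.0.1 liveupdate.symantec.com
192.0.2.10 intranet.example
"""

if __name__ == "__main__":
    result = triage(SAMPLE_REG_EXPORT, SAMPLE_HOSTS)
    for key, name, data in result["autorun"]:
        print(f"autorun hit: {key} -> {name} = {data}")
    for address, hostname in result["hosts"]:
        print(f"HOSTS hit: {hostname} -> {address}")
    print("suspicious:", result["suspicious"])
```

On a suspect machine, export each of the four keys with `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` (and likewise for the other three), copy `%SystemRoot%\System32\drivers\etc\hosts`, and pass the file contents to `triage()`; open the `.reg` file with the encoding Windows wrote it in (usually UTF-16). A hit on either check is a reason to isolate the host and follow the removal instructions linked under Action, not a proof of infection on its own, since other malware reuses the same HOSTS trick.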
