high
Summary
Summary
Action- More Information
| Included in our products from | June 2004 (3.82) |
|---|---|
| Protection available since | 30 April 2004 14:20:38 (GMT) |
| Detected by | All Sophos products |
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
Check your administrator passwords and review network security.
Download and install the Microsoft patch mentioned above.
You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
WinDynManager = amsnmsg.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
WinDynManager = amsnmsg.exe
and delete them if they exist.
Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:
HKU\[code number]\Software\Microsoft\Windows\
CurrentVersion\Run\WinDynManager = amsnmsg.exe
and delete it if it exists.
Close the registry editor.
More Information
W32/SdBot-IA is a backdoor Trojan and network aware worm which runs in the
background as a service process and allows unauthorised remote access to the
computer via IRC channels.
W32/SdBot-IA copies itself to the Windows System (or System32 folder under
MS Win NT/2000/XP) folder as amsnmsg.exe and creates the following registry
entries so that the Trojan is run on system logon:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
WinDynManager = amsnmsg.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
WinDynManager = amsnmsg.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
WinDynManager = amsnmsg.exe
W32/SdBot-IA remains resident, listening for commands from remote users. If
the appropriate commands are received the worm will begin scanning the internet
for network shares with weak administrator passwords and will attempt to copy
itself to these shares.
This worm can also initiate Synflood attacks, exploit computers infected with
W32/MyDoom and attempt to steal CD keys from several computer games.
W32/SdBot-IA can also delete shared drives and exploit the DCOM vulnerability
on unpatched computers.
|
