high
Summary
Summary
Action- More Information
| Included in our products from | September 2004 (3.85) |
|---|---|
| Protection available since | 14 July 2004 11:26:37 (GMT) |
| Detected by | All Sophos products |
Action
- Summary
- Action
- More Information
Please read the instructions for removing W32/Sdbot-KF.
More Information
W32/Sdbot-KF is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
W32/Sdbot-KF copies itself to the Windows system folder as WINUSER32.EXE and creates entries in the registry at the following locations so as to run itself on system startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
W32/Sdbot-KF attempts to terminate some processes relating to antivirus and security programs including REGEDIT.EXE, PING.EXE and NETSTAT.EXE.
W32/Sdbot-KF attempts to set the following registry entry to prevent access to some registry tools:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
DisableRegistryTools = 1
W32/Sdbot-KF spreads to network shares with weak passwords and via network security exploits as a result of the backdoor Trojan element receiving the appropriate command from a remote user, copying itself to NTLORD.EXE on the local computer at the same time.
W32/Sdbot-KF may log user keystrokes to a file called KEYLOG.TXT and network information to a file called SCANZ.TXT.
|
