Sophos

W32/Sdbot-L

Aliases
  • W32.HLLW.Donk.C
  • WORM_DONK.B
  • W32.HLLW.Donk.B
  • BKDR_SDBOT.Y

Summary

 
Included in our products from January 2004 (3.77)
Protection available since 4 December 2003 16:34:13 (GMT)
Detected by All Sophos products

More Information

W32/Sdbot-L is a worm with a backdoor component that spreads via weakly protected network shares and by exploiting a vulnerability in the RPC functionality of Windows NT-based operating systems.

To run automatically when Windows starts up, the worm copies itself to the Windows system folder and adds the following registry entries pointing to this file:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
\NT Logging Service

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
\NT Logging Service
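
A defender-side check for the two autostart entries listed above, added here as an example and not taken from Sophos: it parses saved `reg query` output and reports any value named `NT Logging Service` under the `Run` or `RunServices` keys. The function name, the sample text and the placeholder file names are assumptions; the description does not give the worm's file name.

```python
import re

# Indicators taken from the description above.
VALUE_NAME = "nt logging service"
KEY_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runservices",
)
# `reg query` prints values as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^\s{4}(.+?)\s{4}(REG_[A-Z_]+)\s{4}(.*)$")


def find_sdbot_run_entries(reg_query_output):
    """Return (key, value_name, data) for each autostart value named
    'NT Logging Service' under the HKLM Run or RunServices key."""
    hits, current_key = [], None
    for line in reg_query_output.splitlines():
        if line.upper().startswith(("HKEY_LOCAL_MACHINE\\", "HKLM\\")):
            current_key = line.strip()  # key header line
            continue
        match = VALUE_LINE.match(line)
        if not match or current_key is None:
            continue
        name, _type, data = match.groups()
        # Key path and value name are compared case-insensitively.
        if (current_key.lower().endswith(KEY_SUFFIXES)
                and name.strip().lower() == VALUE_NAME):
            hits.append((current_key, name.strip(), data.strip()))
    return hits


# Constructed sample input (not from a real host); file names are placeholders.
SAMPLE = "\n".join([
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"    SoundMan    REG_SZ    SOUNDMAN.EXE",
    r"    NT Logging Service    REG_SZ    C:\WINDOWS\system32\placeholder.exe",
    "",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"    nt logging service    REG_SZ    placeholder.exe",
    "",
    # RunOnce is not one of the keys in the description, so it is not reported.
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"    NT Logging Service    REG_SZ    unrelated.exe",
])

if __name__ == "__main__":
    for key, name, data in find_sdbot_run_entries(SAMPLE):
        print(f"{key} -> {name} = {data}")
```

A hit only shows that the value name is present; the file it points to still has to be examined before the entry is removed.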

W32/Sdbot-L attempts to copy itself to network shares by using all possible combinations of the following usernames and passwords:

e
database
sql
Root
admin
Guest
Administrator

101
pw
mypass123
mypass
pw123
admin123
mypc123
mypc
love
Login
login
owner
home
zxcv
yxcv
qwer
secret
asdf
temp123
temp
test123
test
root
administrator
alpha
123abc
121212
2003
2002
enable
123asd
super
Internet
computer
server
123qwe
sybase
oracle
abc123
abcd
passwd
pass
000000
111
54321
654321
123456789
1234567
Password
Admin
1
12
123
12345
12345678
letmein
qwerty
7777
1111
asd#321
123456
6969
password
1234
xp
0
007
sex
god
a
aaa
abc
win
pc
xxx

When infecting another computer, W32/Sdbot-L attempts to copy itself into one of the standard StartUp folders on the remote machine.

The worm has a backdoor component that allows a malicious user to remotely control a compromised computer via the IRC network.

W32/Sdbot-L also attempts to disable various antivirus and monitoring programs.
