Sophos

W32/Sdbot-LT

Aliases
  • Backdoor.SdBot.gen
Category
Type
What to do
Prevalence low high

Summary

 
How it spreads
  • Email attachments
  • Network shares
  • Web downloads
  • Chat programs
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Included in our products from September 2004 (3.85)
Protection available since 6 August 2004 09:14:18 (GMT)
Detected by All Sophos products

Action

Please follow the instructions for removing worms.

You will also need to edit the following registry entries, if present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Configuration = ntsyst32.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Configuration = ntsyst32.exe

and delete them if they exist.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:

HKCU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\
Configuration = ntsyst32.exe

and delete it if it exists.

Close the registry editor.

Check your administrator passwords and review network security.

More Information

W32/Sdbot-LT is a worm which spreads via network shares.

When first run the worm will create a copy of itself named ntsyst32.exe in the Windows System folder and create the following registry entries to ensure that the copy is run every time Windows starts:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Configuration = ntsyst32.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Configuration = ntsyst32.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Configuration = ntsyst32.exe

W32/Sdbot-LT searches for shared folders with weak passwords and copies itself to the Windows System folder of a vulnerable computer as ntsyst32.exe.

W32/Sdbot-LT may also drop a backup copy of itself into payload.dat

The worm includes backdoor functions which can be controlled by a remote attacker over IRC. The infected computer can be used to perform any of the following functions:

  • Proxy server (SOCKS4)
  • FTP server
  • SMTP server
  • File system Manipulation
  • Port scanner
  • DDoS floods (TCP,UDP,SYN)
  • Remote shell (RLOGIN)

RSS|Atom
Get reports about the latest virus and spyware threats delivered to your computer