high
Summary
Summary
Action- More Information
| Affected operating systems | Windows |
|---|---|
| Included in our products from | December 2004 (3.88) |
| Protection available since | 16 August 2004 08:09:31 (GMT) |
| Last updated | 13 October 2004 07:25:23 (GMT) |
| Detected by | All Sophos products |
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
You will also need to edit the following registry entries, if present. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Configuration
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Configuration
and remove any reference to any file you deleted.
Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:
HKCU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\Configuration
and remove any reference to any file you deleted.
Close the registry editor.
More Information
W32/Sdbot-ML is a member of the W32/Sdbot family of worms.
In order to run automatically when Windows starts up the worm copies itself to the file explorer32.exe in the Windows system folder and adds the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Configuration
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Configuration
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Configuration
W32/Sdbot-ML connects to a remote IRC server and allows a malicious user remote access to an infected computer.
|
