Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Included in our products from | June 2006 (4.06) |
| Protection available since | 6 October 2004 08:52:21 (GMT) |
| Last updated | 20 April 2006 09:01:26 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Sdbot-PW is an IRC backdoor which spreads via network shares protected by weak passwords.
To run automatically when Windows starts up, the worm copies itself to the file systemdev.exe in the Windows system folder and registers that file under the Run and RunServices keys listed below.
W32/Sdbot-PW connects to an IRC server specified by the author and joins a channel from which it will receive further commands. These commands can start any of the following actions:
SOCKS4 proxy server
UDP, SYN or PING flooding
TCP redirection
download files
execute arbitrary commands
install an updated version of the backdoor
search for available network shares for spreading
steal product keys
send raw IRC commands
The worm scans randomly chosen IP addresses for network shares and attempts to log on to each one with a list of common usernames and passwords. On gaining access it uploads itself to the file GT.exe in the Windows system folder of the remote machine and also creates a text file named "tpt.dat" there, containing the username and password that succeeded. Once both files have been transferred the worm executable is run on the remote machine, infecting it.
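The spreading behaviour above leaves a recognisable trail: a burst of failed logons from one source, then a success, then a write of GT.exe or tpt.dat to an administrative share. The script below is an added example (not Sophos code) that runs that detection logic over constructed log lines. The lines use a simplified key=value layout rather than the real Windows event text, but the event IDs are the genuine Windows Security ones (4625 logon failure, 4624 logon success, 5145 share object access); the threshold and window values are assumptions to tune for your environment.

```python
"""Detect W32/Sdbot-PW-style share brute forcing followed by a payload drop."""
import re
from collections import defaultdict

# Filenames the writeup says the worm drops on the remote machine.
DROPPED_FILES = {"gt.exe", "tpt.dat"}
# Assumed tuning: this many failed logons from one source inside WINDOW_SECONDS
# is treated as a brute-force attempt against the share.
FAIL_THRESHOLD = 5
WINDOW_SECONDS = 120

# Constructed sample log (not real Windows event output). Host 10.0.0.7 walks a
# password list, gets in as administrator and writes the worm's two files into
# ADMIN$\system32; host 10.0.0.9 is a normal user with one typo and a file read.
SAMPLE_LOG = r"""
ts=1000 event=4625 src=10.0.0.7 user=administrator
ts=1003 event=4625 src=10.0.0.7 user=admin
ts=1006 event=4625 src=10.0.0.7 user=root
ts=1009 event=4625 src=10.0.0.7 user=owner
ts=1012 event=4625 src=10.0.0.7 user=guest
ts=1015 event=4625 src=10.0.0.7 user=administrator
ts=1018 event=4624 src=10.0.0.7 user=administrator
ts=1020 event=5145 src=10.0.0.7 user=administrator share=\\*\ADMIN$ path=\system32\GT.exe access=WriteData
ts=1021 event=5145 src=10.0.0.7 user=administrator share=\\*\ADMIN$ path=\system32\tpt.dat access=WriteData
ts=1500 event=4625 src=10.0.0.9 user=bob
ts=1503 event=4624 src=10.0.0.9 user=bob
ts=1504 event=5145 src=10.0.0.9 user=bob share=\\*\Public path=\report.docx access=ReadData
"""

LINE_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value log line into a dict; ts and event become ints."""
    rec = dict(LINE_RE.findall(line))
    rec["ts"] = int(rec["ts"])
    rec["event"] = int(rec["event"])
    return rec


def find_share_spreading(log_text):
    """Return alerts for sources that brute-force a share and then drop the worm.

    Each alert is a dict with src, ts, user and stage; stage is
    'login_after_bruteforce', 'payload_drop_after_bruteforce' or 'payload_drop'
    (a dropped filename written without a preceding brute-force burst).
    """
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    failures = defaultdict(list)  # src -> timestamps of 4625 inside the window
    brute_forced = {}             # src -> ts at which the threshold was crossed
    alerts = []
    for rec in records:
        src = rec["src"]
        if rec["event"] == 4625:
            recent = [t for t in failures[src] if rec["ts"] - t <= WINDOW_SECONDS]
            recent.append(rec["ts"])
            failures[src] = recent
            if len(recent) >= FAIL_THRESHOLD and src not in brute_forced:
                brute_forced[src] = rec["ts"]
        elif rec["event"] == 4624 and src in brute_forced:
            alerts.append({"src": src, "ts": rec["ts"], "user": rec["user"],
                           "stage": "login_after_bruteforce"})
        elif rec["event"] == 5145:
            name = rec.get("path", "").rsplit("\\", 1)[-1].lower()
            if name in DROPPED_FILES and "Write" in rec.get("access", ""):
                stage = ("payload_drop_after_bruteforce" if src in brute_forced
                         else "payload_drop")
                alerts.append({"src": src, "ts": rec["ts"], "user": rec["user"],
                               "stage": stage, "file": name})
    return alerts


if __name__ == "__main__":
    for alert in find_share_spreading(SAMPLE_LOG):
        print(alert)
```

The sliding window matters: the worm works through its list quickly, so a short window with a low threshold catches it, while a normal user mistyping a password once (10.0.0.9 above) never crosses it. A write of GT.exe or tpt.dat to a share is flagged even without the burst, because a host that already holds a valid password logs in first time.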
W32/Sdbot-PW creates the following registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Internet Services = systemdev.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Internet Services = systemdev.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Internet Services = systemdev.exe
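To check a machine for this persistence without trusting the live registry API on a possibly infected host, export the autorun keys with `reg export` and inspect the text offline. The script below is an added example (not Sophos code) that parses a reg-export-style dump and flags both the exact value described above and, as a broader heuristic, any Run or RunServices value whose data is a bare filename with no path, since such an entry is resolved from the search path and is typical of worms that copy themselves into the system folder. REG_DUMP is constructed to look like reg export output and is not a capture from an infected machine; the benign entries in it are invented.

```python
"""Flag W32/Sdbot-PW autorun persistence in a reg-export style dump."""
import re

# Key suffixes (lower-cased) whose values run at logon or boot.
AUTORUN_KEYS = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runservices",
)
# (value name, data) pairs named in the writeup, lower-cased.
KNOWN_IOCS = {("internet services", "systemdev.exe")}

# Constructed dump in the text format `reg export` writes; not from a real host.
REG_DUMP = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Example\\updater.exe"
"Internet Services"="systemdev.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Internet Services"="systemdev.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sync"="\"C:\\Users\\me\\AppData\\Local\\Example\\sync.exe\" /background"
"Internet Services"="systemdev.exe"
"Helper"="helper.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
'''

SECTION_RE = re.compile(r"^\[(.+)\]\s*$")
# Only string values ("name"="data"); hex:/dword: values are not autorun commands.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)+)"="((?:[^"\\]|\\.)*)"\s*$')


def unescape(s):
    """Undo reg export escaping: \\\\ -> \\ and \\" -> "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Yield (key, name, data) for every string value in the dump."""
    key = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, unescape(m.group(1)), unescape(m.group(2))


def executable_of(data):
    """Return the program part of an autorun command (quoted or first token)."""
    d = data.strip()
    if d.startswith('"'):
        return d[1:].split('"', 1)[0]
    return d.split()[0] if d else ""


def is_bare_filename(data):
    """True when the command names a file with no directory or drive."""
    exe = executable_of(data)
    return bool(exe) and not any(c in exe for c in "\\/:")


def find_autorun_iocs(text):
    """Return findings for autorun values matching the IOC or the bare-name heuristic."""
    findings = []
    for key, name, data in parse_reg_export(text):
        if not any(key.lower().endswith(k) for k in AUTORUN_KEYS):
            continue
        if (name.lower(), data.lower()) in KNOWN_IOCS:
            reason = "known_ioc"
        elif is_bare_filename(data):
            reason = "bare_filename"
        else:
            continue
        findings.append({"key": key, "name": name, "data": data, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_autorun_iocs(REG_DUMP):
        print(f"{f['reason']:14} {f['key']}  {f['name']} = {f['data']}")
```

Treat a bare_filename hit as a lead rather than a verdict: legitimate installers occasionally register unqualified names too, so follow it up by locating the file and checking its hash, whereas a known_ioc hit on "Internet Services" = systemdev.exe is the entry this writeup describes.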
