Summary
| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Included in our products from | February 2005 (3.90) |
| Protection available since | 7 January 2005 13:26:41 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing worms.
More Information
W32/Sdbot-TB is a Windows network worm that contains backdoor functions that allow unauthorised remote access to the infected computer via IRC channels.
Once installed, W32/Sdbot-TB is able to set up an HTTP proxy server, participate in denial-of-service (DoS) attacks, steal computer information and log keystrokes to the file keys.txt in the Windows System folder when instructed to do so by a remote attacker.
The worm also tries to spread using DCC file transfers over IRC channels.
When run, the worm copies itself to the Windows System folder as wupdated.exe. On Windows NT-based operating systems, W32/Sdbot-TB creates its own service named "Wupdated" with the display name "Windows Update Service" and creates the following registry entries so as to run itself on computer logon:
HKLM\SYSTEM\CurrentControlSet\Services\Wupdated\Security
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WUPDATED
W32/Sdbot-TB also attempts to spread to remote networks protected by weak passwords, copying itself there as wupdated.exe.
The worm also tries to spread using DCC file transfers over IRC channels by sending messages with the following characteristics.
The message text can be any of the following:
dude, chk out this new AdminMOD exploit, it gives you admin privs on any server running AM, plz dont give it out tho, thnx
i just caught this guy cheating with the Cheat Scanner in the CAL Demo Viewer, chk it out
omfg this is so cool! i just caught this guy cheating with this cal demoviewer or whatever its called, here's a copy of it
Here is the new CAL Demo Viewer, it includes: Cheat Scanner, 3rd Person Viewer, Rotational Image Scan, and lots more
W32/Sdbot-TB then attaches itself to the message under any of the following filenames:
AdminMOD-ExploitHack.exe
cheater-caught.pif
CAL-DemoViewer.exe
Setup.exe
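As an added example (not part of the Sophos advisory), the following PowerShell check looks on a host for the artifacts named above: the dropped wupdated.exe, the keys.txt keystroke log, the "Wupdated" service and the two registry keys. It assumes that the "Windows System folder" is the directory reported by [Environment]::SystemDirectory and that it is run from an elevated session, since the Services\Wupdated\Security key is readable only by administrators.

```powershell
# Added example, not from the advisory: look for the W32/Sdbot-TB host artifacts
# it names. Assumes an elevated session and that [Environment]::SystemDirectory
# is the "Windows System folder" the advisory refers to.
function Find-SdbotTBArtifacts {
    $findings = @()
    $systemDir = [Environment]::SystemDirectory

    # Dropped copy of the worm in the Windows System folder.
    $dropPath = Join-Path $systemDir 'wupdated.exe'
    if (Test-Path -LiteralPath $dropPath) {
        $findings += "File present: $dropPath"
    }

    # Keystroke log written when the remote attacker instructs the backdoor to log keys.
    $keyLog = Join-Path $systemDir 'keys.txt'
    if (Test-Path -LiteralPath $keyLog) {
        $findings += "Keystroke log present: $keyLog"
    }

    # Service "Wupdated" with display name "Windows Update Service" (NT-based Windows).
    # Match on the service name, not the display name: the display name imitates the
    # legitimate Windows Update service, whose service name is wuauserv, not Wupdated.
    $svc = Get-Service -Name 'Wupdated' -ErrorAction SilentlyContinue
    if ($null -ne $svc) {
        $findings += "Service present: $($svc.Name) (display name '$($svc.DisplayName)')"
    }

    # Registry entries the worm creates so that it runs at logon.
    $regKeys = @(
        'HKLM:\SYSTEM\CurrentControlSet\Services\Wupdated\Security',
        'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WUPDATED'
    )
    foreach ($key in $regKeys) {
        if (Test-Path -LiteralPath $key) {
            $findings += "Registry key present: $key"
        }
    }
    return $findings
}

# @() keeps the result an array even when nothing or only one item is returned.
$found = @(Find-SdbotTBArtifacts)
if ($found.Count -eq 0) {
    Write-Output 'None of the W32/Sdbot-TB artifacts listed in the advisory were found.'
} else {
    Write-Output 'Possible W32/Sdbot-TB infection; artifacts found:'
    $found | ForEach-Object { Write-Output "  $_" }
}
```

A hit on the service or registry keys alone warrants following the removal instructions rather than deleting the keys by hand, since the running service will otherwise recreate its state.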
