W32/Sdbot-UQ

Please follow the instructions for removing worms.

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

and remove any reference to any file you deleted.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:

HKU\[code number]\Software\Microsoft\Windows\
CurrentVersion\Run\

and remove any reference to any file you deleted.

Close the registry editor.

W32/Sdbot-UQ is a worm with backdoor Trojan functionality.

W32/Sdbot-UQ spreads by copying a file named GOSOSIJO.EXE to computers on the local network protected by weak passwords. This file is detected as W32/Multidr-BV which drops and runs a copy of W32/Sdbot-UQ and Troj/Ranck-CF.

When first run, W32/Sdbot-UQ copies itself to the Windows system folder as EXOBABA.EXE and runs this copy of the worm. In order to run each time a user logs on, W32/Sdbot-UQ will set the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
xevivi
exobaba.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
xevivi
exobaba.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
xevivi
exobaba.exe

The worm runs continuously in the background providing backdoor access to the infected computer over IRC channels.

Sophos's anti-virus products include proactive protection technology, which can defend against new threats without requiring an update. Sophos customers have been protected against W32/Sdbot-UQ (detected as W32/Sdbot-Fam) since version 3.89.