Sophos

W32/Sdbot-XC

Aliases
  • Backdoor.Win32.Agobot.abl
Category
Type
What to do
Prevalence low high

Summary

 
How it spreads
  • Network shares
Affected operating systems Windows
Characteristics
  • Drops more malware
  • Installs itself in the registry
Included in our products from June 2005 (3.94)
Protection available since 14 April 2005 20:36:49 (GMT)
Detected by All Sophos products

Action

More Information

W32/Sdbot-XC is a network worm with backdoor functionality for the Windows platform.

The worm spreads through network shares protected by weak passwords, MS-SQL servers and through various operating system vulnerabilities.

Patches for the vulnerabilities exploited by W32/Sdbot-XC can be obtained from Microsoft at:

http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-039.mspx W32/Sdbot-XC is a network worm with backdoor functionality for the Windows platform.

When first run, W32/Sdbot-XC copies itself to the Windows system folder as systeminfos.exe and creates the following registry entries in order to run each time a user logs on:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Compaq Service Drivers
systeminfos.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Compaq Service Drivers
systeminfos.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Compaq Service Drivers
systeminfos.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\
Compaq Service Drivers
systeminfos.exe

The worm spreads through network shares protected by weak passwords, MS-SQL servers and through various operating system vulnerabilities.

W32/Sdbot-XC connects to a predetermined IRC channel and awaits further commands from remote users. The backdoor component of W32/Sdbot-XC can be instructed to perform the following functions:

scan networks for vulnerabilities
download/execute arbitrary files
start an ftp server

Patches for the vulnerabilities exploited by W32/Sdbot-XC can be obtained from Microsoft at:

http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-039.mspx

W32/Sdbot-XC also drops a file to the current folder as msdirectx.sys. The dropped file is detected by Sophos's anti-virus products as Troj/NtRootK-F.

W32/Sdbot-XC terminates a number of processes including ones related to various AV and security applications as well as TASKMGR.EXE and REGEDIT.EXE.

RSS|Atom
Get reports about the latest virus and spyware threats delivered to your computer