W32/Sdbot-XK

Aliases	Backdoor.Win32.Agent.iy
Category	Viruses and Spyware
Type	Worm
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


How it spreads	Network shares
Affected operating systems	Windows
Characteristics	Drops more malware
Included in our products from	June 2005 (3.94)
Protection available since	18 April 2005 20:19:26 (GMT)
Detected by	All Sophos products

Action

Summary
Action
More Information

Please follow the instructions for removing worms.

More Information

Summary
Action
More Information

W32/Sdbot-XK is a network worm with backdoor functionality for the Windows platform.

W32/Sdbot-XK is capable of spreading to computers on the local network protected by weak passwords after receiving the appropriate backdoor command.

W32/Sdbot-XK will also attempt to spread by exploiting the following vulnerabilities:

RPC DCOM (MS03-026, MS03-039, MS04-012)
LSASS (MS04-011)
WorKStation service (MS03-049)
Microsoft SQL Server 2000 (pre service pack 3) (CAN-2002-0649)
Microsoft SQL servers with weak passwords

When first run, W32/Sdbot-XK moves itself to the Windows system folder as B.EXE. In order to run automatically each time a user logs in, W32/Sdbot-XK will set the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
b.exe
b.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
b.exe
b.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
b.exe
b.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
b.exe
b.exe

W32/Sdbot-XK will attempt to stealth itself by dropping and running a file named MSDIRECTX.SYS. This file runs as a service named "msdirectx" and is detected as Troj/NtRootK-F. The following registry branch will be created:

HKLM\SYSTEM\CurrentControlSet\Services\msdirectx

W32/Sdbot-XK runs continuously in the background, providing backdoor access to the infected computer over IRC channels.

W32/Sdbot-XK will modify the following registry entries in order to disable DCOM and close restrictions on IPC$ shares:

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

W32/Sdbot-XK will also set the following registry entries:

HKCU\SYSTEM\CurrentControlSet\Control\Lsa
b.exe
b.exe

HKCU\Software\Microsoft\OLE
b.exe
b.exe

W32/Sdbot-XK will attempt to disable the Windows Internet Connection Firewall, Automatic Updates and Security Center by modifying the following registry entries:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Start

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Start

HKLM\SYSTEM\CurrentControlSet\Services\wscsv\Start

W32/Sdbot-XK can add and delete network shares and users on the infected computer.

W32/Sdbot-XK may modify the HOSTS file found in the <Windows system folder>\driver\etc folder in order to deny access to certain anti-virus websites. For example,

127.0.0.1 www.sophos.com
127.0.0.1 sophos.com

W32/Sdbot-XK will attempt to terminate a large number of security and anti-virus related processes.

Get reports about the latest virus and spyware threats delivered to your computer

In this section

W32/Sdbot-XK

Summary

Action

More Information