high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Characteristics |
|
| Included in our products from | July 2005 (3.95) |
| Protection available since | 19 April 2005 21:17:15 (GMT) |
| Last updated | 16 May 2005 20:06:49 (GMT) |
| Detected by | All Sophos products |
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
Windows NT/2000/XP/2003
In Windows NT/2000/XP/2003 you will also need to edit the following registry entries. The removal of these entries is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
and remove any reference to any file you deleted.
Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:
HKU\[code number]\Software\Microsoft\Windows\
CurrentVersion\Run\
and remove any reference to any file you deleted.
Close the registry editor.
More Information
W32/Sdbot-XL is a worm with backdoor Trojan functionality.
The worm allows a remote intruder to gain access and control over the system via IRC channels. The worm may also spread to remote network shares.
When first run the worm copies itself to the Windows system folder as HMLSVC32.EXE and creates the following registry entries in order to run itself each time a user logs on:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HML PowerSource
hmlsvc32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HML PowerSource
hmlsvc32.exe
|
