W32/Sdbot-ACI is a worm and IRC backdoor Trojan for the Windows platform.
W32/Sdbot-ACI spreads to other network computers by exploiting common buffer overflow vulnerabilities, including LSASS (MS04-011) and PnP (MS05-039), and by copying itself to network shares protected by weak passwords.
W32/Sdbot-ACI runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Sdbot-ACI includes functionality to:
- silently download, install and run new software, including updates of its software and other malicious executables
- send notification messages to remote locations
When first run, W32/Sdbot-ACI copies itself to <System>\usrnt\windrg32.exe. The worm also creates the file <System>\usrnt\newshashes.bin; this file may be deleted.
The following registry entry is created to run windrg32.exe on startup:
W32/Sdbot-ACI may attempt to terminate the following processes:
The worm may then attempt to remove the following folders (including executable files within):
<Program Files>\Common Files\GMT
<Program Files>\Common Files\CMEII
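The dropped files and the startup entry described above are the indicators a responder would check first. The following triage check is an added example, not part of this description; it runs against a constructed host snapshot (file list plus Run-key values) so it works offline, and it assumes the default C:\Windows\System32 location for <System> and the standard HKLM/HKCU Run keys, since the exact registry value name is not given here.

```python
"""Constructed triage check for the W32/Sdbot-ACI indicators listed above."""
from __future__ import annotations
import ntpath

# <System> expanded to the default Windows layout (assumption).
SYSTEM_DIR = r"C:\Windows\System32"

# Files the description says the worm drops.
DROPPED_FILES = [
    ntpath.join(SYSTEM_DIR, "usrnt", "windrg32.exe"),
    ntpath.join(SYSTEM_DIR, "usrnt", "newshashes.bin"),
]

# Standard autostart keys to inspect; the value name used by the worm is not
# given in the description, so matching is done on the command data instead.
RUN_KEYS = [
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
]


def find_indicators(files, run_values):
    """Return a list of (kind, detail) hits for the snapshot.

    files:      iterable of absolute paths present on the host
    run_values: dict mapping "<key>\\<value name>" -> command string
    Comparisons are case-insensitive, as Windows paths and keys are.
    """
    present = {p.lower() for p in files}
    run_keys = {k.lower() for k in RUN_KEYS}
    hits = []
    for path in DROPPED_FILES:
        if path.lower() in present:
            hits.append(("file", path))
    for name, cmd in run_values.items():
        key = name.rsplit("\\", 1)[0].lower()
        # Any Run value whose command launches windrg32.exe is suspicious.
        if key in run_keys and "windrg32.exe" in cmd.lower():
            hits.append(("autostart", name))
    return hits


if __name__ == "__main__":
    # Constructed sample snapshot: one dropped file plus one Run entry.
    sample_files = [ntpath.join(SYSTEM_DIR, "usrnt", "windrg32.exe")]
    sample_run = {RUN_KEYS[0] + r"\usrnt": DROPPED_FILES[0]}
    for kind, detail in find_indicators(sample_files, sample_run):
        print(f"{kind}: {detail}")
```

On a live host, replace the constructed snapshot with an os.walk of <System>\usrnt and a winreg enumeration of the two Run keys.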
W32/Sdbot-ACI may attempt to access remote websites to download RSS feeds.
The following patches for the operating system vulnerabilities exploited by W32/Sdbot-ACI can be obtained from the Microsoft website: