W32/Sdbot-PO

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: No Reports


W32/Sdbot-PO is a network worm and backdoor for the Windows platform. The worm spreads to shared folders with weak passwords.

The backdoor component connects to a predefined IRC server and waits for commands from a remote attacker.

When run, W32/Sdbot-PO copies itself to the Windows system folder as fddwqt.exe. The worm ensures that the copy is run each time Windows starts by adding the registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
msjdqs = fddwqt.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
msjdqs = fddwqt.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
msjdqs = fddwqt.exe
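As an added detection example (not part of the Sophos advisory), the following Python parses a registry export in .reg format and reports any value under the three autorun keys above whose name is msjdqs or whose executable basename is fddwqt.exe. The key paths, value name and file name come from the advisory; the sample export, the benign value names in it, and the decoy entry under an unrelated key are constructed for the example. Note that .reg exports spell the hives out in full (HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER) where the advisory abbreviates them, so the check normalises both forms.

```python
import ntpath
import re

# Autorun keys the advisory lists, in full .reg-export form.
AUTORUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
}
# Indicators taken from the advisory.
INDICATOR_VALUE_NAME = "msjdqs"
INDICATOR_FILENAME = "fddwqt.exe"

HIVE_ABBREVIATIONS = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}


def normalize_key(key):
    """Expand HKLM/HKCU abbreviations, drop a trailing backslash, lower-case."""
    hive, sep, rest = key.partition("\\")
    hive = HIVE_ABBREVIATIONS.get(hive.upper(), hive)
    return (hive + sep + rest).rstrip("\\").lower()


def parse_reg_export(text):
    """Parse the subset of the .reg export format needed here:
    [key] headers followed by "name"="string data" lines.
    Returns {key: {value_name: data}}; non-string data is kept raw."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = re.match(r'^"([^"]*)"=(.*)$', line)
        if not m:
            continue
        name, data = m.group(1), m.group(2)
        if data.startswith('"') and data.endswith('"'):
            # REG_SZ data: strip the quotes and undo the \\ and \" escaping.
            data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        keys[current][name] = data
    return keys


def find_sdbot_po_autoruns(keys, value_name=INDICATOR_VALUE_NAME,
                           filename=INDICATOR_FILENAME):
    """Return (key, value_name, data) for every entry under one of the
    autorun keys whose value name or executable basename matches."""
    wanted = {normalize_key(k) for k in AUTORUN_KEYS}
    hits = []
    for key, values in keys.items():
        if normalize_key(key) not in wanted:
            continue
        for name, data in values.items():
            exe = ntpath.basename(data.strip('"').lower())
            if name.lower() == value_name.lower() or exe == filename.lower():
                hits.append((key, name, data))
    return hits


# Constructed sample export: two benign entries, the three entries the
# advisory describes, and a decoy "msjdqs" value under an unrelated key
# that must not be reported.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"msjdqs"="fddwqt.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"msjdqs"="fddwqt.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleSync"="C:\\Users\\alice\\AppData\\Local\\Example\\sync.exe"
"msjdqs"="fddwqt.exe"

[HKEY_CURRENT_USER\Software\Example\Unrelated]
"msjdqs"="notes.txt"
"""

if __name__ == "__main__":
    for key, name, data in find_sdbot_po_autoruns(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{key}\\{name} = {data}")
```

Matching on the executable basename as well as the value name catches the case where the value is stored with a full path to the system folder, and restricting the search to the three autorun keys keeps an unrelated value that happens to be called msjdqs from being reported.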

The backdoor component allows a remote attacker to:

transfer files to and from the infected computer
steal CD keys for certain game software
use the infected computer as a proxy server
launch distributed denial of service attacks

Sophos anti-virus products since version 3.84 have been capable of detecting this worm as W32/Sdbot-Fam without requiring an update.