W32/Sdbot-RI

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Small Number of Reports


W32/Sdbot-RI is a worm with backdoor Trojan functionality.

W32/Sdbot-RI spreads by copying a dropper file named AMQNF.EXE to computers on the local network protected by weak passwords. The dropper file is detected as W32/Sdbot-RI. The dropper file also drops and runs Troj/Ranck-BA.

When first run, W32/Sdbot-RI copies itself to the Windows system folder as ADDIT.EXE and runs this copy of the worm. To run each time a user logs on, W32/Sdbot-RI sets the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
1 = addit.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
1 = addit.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
1 = addit.exe
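
The entries above can be checked in `reg query` output collected from hosts. This is an added example, not Sophos code: the function names and the sample output are constructed, and treating a full path that ends in addit.exe as a match is an assumption beyond the bare value listed above.

```python
import ntpath
import re

# Keys and file name are taken from the description above (compared lower-cased).
RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
WORM_FILE = "addit.exe"
VALUE_LINE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")


def command_image(data):
    """Return the lower-cased file name of the program a Run value launches."""
    data = data.strip()
    if data.startswith('"'):
        exe = data[1:].split('"', 1)[0]  # quoted path, arguments may follow
    else:
        exe = data.split(None, 1)[0] if data else ""
    return ntpath.basename(exe).lower()


def find_sdbot_ri_run_entries(reg_query_output):
    """Scan `reg query` text and return (key, value name, data) for each hit."""
    hits, key = [], None
    for line in reg_query_output.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip()  # a key header starts a new block of values
        elif key and key.lower() in RUN_KEYS and (m := VALUE_LINE.match(line)):
            name, _type, data = m.groups()
            if command_image(data) == WORM_FILE:
                hits.append((key, name, data.strip()))
    return hits


# Constructed sample: `reg query` output for the three keys on one host.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    1    REG_SZ    addit.exe
    Backup Agent    REG_SZ    "C:\Program Files\Backup\agent.exe" /quiet

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    1    REG_SZ    C:\WINDOWS\system32\ADDIT.EXE
    Updater    REG_SZ    C:\Tools\additive.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    1    REG_SZ    addit.exe
"""
```

A hit in any of the three keys is a reason to look for ADDIT.EXE in the Windows system folder on that host.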

The worm runs continuously in the background, providing backdoor access to the infected computer over IRC channels.

Sophos's anti-virus products include proactive protection technology, which can defend against new threats without requiring an update. Sophos customers have been protected against the dropper component of W32/Sdbot-RI (detected as Troj/Ranck-Gen) since version 3.85 with archive handling activated.