W32/Sdbot-SK

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: No Reports


W32/Sdbot-SK is a Windows worm that contains backdoor functions that allow unauthorised remote access to the infected computer via IRC channels while running in the background.

When run, W32/Sdbot-SK copies itself to the Windows system folder as Xfsa.exe.

The worm also creates the following registry entries so that it is able to run on computer logon:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Depassx
Xfsa.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Depassx
Xfsa.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Depassx
Xfsa.exe
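
The following PowerShell check looks for the persistence artifacts listed above. It is an added example, not part of the original description or a vendor tool. The key paths, the value name Depassx and the file name Xfsa.exe come from this page; the function name, the output fields and the extra WOW6432Node and SysWOW64 locations (where a 32-bit process's writes land on 64-bit Windows) are assumptions of the example.

```powershell
# Added example: reports W32/Sdbot-SK persistence artifacts on the local host.
# Test-SdbotSkArtifacts is a hypothetical name chosen for this example.
function Test-SdbotSkArtifacts {
    $valueName = 'Depassx'    # registry value name from the description
    $fileName  = 'Xfsa.exe'   # dropped copy and registry data from the description
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        # Assumption: 32-bit registry view on 64-bit Windows
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    $findings = @()

    foreach ($key in $keys) {
        # RunServices and WOW6432Node are absent on many systems; skip quietly
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        $prop = $props.PSObject.Properties[$valueName]
        if ($null -ne $prop) {
            $findings += [pscustomobject]@{
                Type     = 'RegistryValue'
                Location = "$key\$valueName"
                Data     = [string]$prop.Value
                # True when the data matches the page exactly (case-insensitive)
                Exact    = ([string]$prop.Value -ieq $fileName)
            }
        }
    }

    # System folder, plus SysWOW64 on 64-bit Windows (same path on 32-bit systems)
    $dirs = @([Environment]::GetFolderPath('System'),
              [Environment]::GetFolderPath('SystemX86')) | Where-Object { $_ } | Select-Object -Unique
    foreach ($dir in $dirs) {
        $path = Join-Path $dir $fileName
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $findings += [pscustomobject]@{
                Type     = 'File'
                Location = $path
                Data     = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                Exact    = $true
            }
        }
    }
    $findings
}

$result = Test-SdbotSkArtifacts
if ($result) { $result | Format-Table -AutoSize } else { 'No artifacts from this description found.' }
```

A registry hit with `Exact` set to false means the Depassx value exists but points somewhere other than Xfsa.exe, which still warrants a look. The HKCU check only covers the account running the script.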

W32/Sdbot-SK can also be dropped by another Windows Trojan, Troj/Multi-BF, which persists under the filename respond.exe. The worm attempts to spread to network shares using the Trojan filename respond.exe.

W32/Sdbot-SK will try to participate in denial-of-service (DoS) attacks, and will download and run files from the internet, when instructed to do so by a remote attacker.