[virusinfo] Sophos Anti-Virus IDE alert: W32/Sdbot-HB

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Wed, 07 Apr 2004 09:02:08 -0700


From: Sophos Alert System:

Name: W32/Sdbot-HB
Aliases: Backdoor.IRCBot.gen, Win32/IRCBot.CL
Type: Win32 worm
Date: 7 April 2004

A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the May 2004 (3.81) release of Sophos Anti-Virus.

Enterprise Manager and PureMessage customers will be
automatically protected at their next scheduled update.

At the time of writing, Sophos has received just one report of
this worm from the wild.


Information about W32/Sdbot-HB can be found at:
http://www.sophos.com/virusinfo/analyses/w32sdbothb.html
Description

W32/Sdbot-HB is a worm which attempts to spread to remote network shares. It
also contains backdoor Trojan functionality, allowing unauthorised remote
access to the infected computer via IRC channels while running in the
background as a service process.

W32/Sdbot-HB spreads to network shares with weak passwords as a result of
the backdoor Trojan element receiving the appropriate command from a remote
user.

W32/Sdbot-HB copies itself to the Windows system folder as MPTCLOAXS.EXE and
creates an entry in the registry at the following location to run itself on
system startup: 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run 

W32/Sdbot-HB attempts to terminate a number of processes relating to
anti-virus and security products, as well as some relating to W32/Blaster-A
and its variants, including the following:
_AVP32.EXE
_AVPCC.EXE
_AVPM.EXE
ACKWIN32.EXE
ADVXDWIN.EXE
ALERTSVC.EXE
amon.exe
ANTITROJAN.EXE
ANTI-TROJAN.EXE
ANTS.EXE
APVXDWIN.EXE
AUTODOWN.EXE
AVCONSOL.EXE
AVE32.EXE
AVGCTRL.EXE
AVKSERV.EXE
AVNT.EXE
AVP.EXE
AVP32.EXE
AVPCC.EXE
AVPDOS32.EXE
AVPM.EXE
AVPTC32.EXE
AVPUPD.EXE
AVSCHED32.EXE
AVWIN95.EXE
AVWUPD32.EXE
BLACKD.EXE
BLACKICE.EXE
bot.exe
CCAPP.EXE
CCEVTMGR.EXE
CCPXYSVC.EXE
CFIADMIN.EXE
CFIAUDIT.EXE
CFINET.EXE
CFINET32.EXE
CLAW95.EXE
CLAW95CF.EXE
CLEANER.EXE
CLEANER3.EXE
CONNECTIONMONITOR.EXE
CPD.EXE
CPDCLNT.EXE
dcomx.exe
DEFWATCH.EXE
DFW.EXE
drweb.exe
Drweb32w.exe
drweb386.exe
Drwebupw.exe
Drwebwcl.exe
DUMP.EXE
DUMP1.EXE
DUMPED.EXE
DUMPED1.EXE
DVP95.EXE
DVP95_0.EXE
ECENGINE.EXE
enbiei.exe
ESAFE.EXE
ESPWATCH.EXE
EXPLORER32.EXE
F-AGNT95.EXE
FINDVIRU.EXE
FPROT.EXE
F-PROT.EXE
F-PROT95.EXE
FP-WIN.EXE
FRW.EXE
F-STOPW.EXE
GUARDDOG.EXE
IAMAPP.EXE
IAMSERV.EXE
IBMASN.EXE
IBMAVSP.EXE
ICLOAD95.EXE
ICLOADNT.EXE
ICMON.EXE
ICSUPP95.EXE
ICSUPPNT.EXE
IFACE.EXE
index.exe
IOMON98.EXE
IRIS.EXE
JEDI.EXE
KILL.EXE
KILLER.EXE
KPF4GUI.EXE
KPF4SS.EXE
LDNETMON.EXE
LOCKDOWN.EXE
LOCKDOWN2000.EXE
lolx.exe
LOOKOUT.EXE
LordPE.EXE
LordPE32.EXE
LUALL.EXE
MINILOG.EXE
MOOLIVE.EXE
MPFTRAY.EXE
msblast.exe
MSCONFIG.EXE
mslaugh.exe
mspatch.exe
N32SCANW.EXE
NAVAPSVC.EXE
NAVAPW32.EXE
NAVLU32.EXE
NAVNT.EXE
NAVW32.EXE
NAVWNT.EXE
NDD32.EXE
NETSTAT.EXE
NETUTILS.EXE
NISSERV.EXE
NISUM.EXE
NMAIN.EXE
nod.exe
nod32.exe
NORMIST.EXE
NPROTECT.EXE
NPSSVC.EXE
NTVDM.EXE
NUPGRADE.EXE
NVC95.EXE
NVSVC32.EXE
NWTOOL16.EXE
OUTPOST.EXE
PADMIN.EXE
PAVCL.EXE
PAVSCHED.EXE
PAVW.EXE
PCCWIN98.EXE
PCFWALLICON.EXE
penis32.exe
PERSFW.EXE
PM.exe
POPROXY.EXE
PORTMONITOR.EXE
PRKILLER.EXE
PROCDUMP.EXE
PROCDUMP32.EXE
PS.EXE
PSKILL.EXE
PSLIST.EXE
RAV7.EXE
RAV7WIN.EXE
REGEDIT.EXE
RESCUE.EXE
root32.exe
rpc.exe
rpctest.exe
RTVSCN95.EXE
RUNDDL31.EXE
SAFEWEB.EXE
SCAN32.EXE
SCAN95.EXE
SCANPM.EXE
SCRSCAN.EXE
scvhost.exe
SERV95.EXE
SMC.EXE
SPHINX.EXE
spider.exe
Spiderml.exe
spidernt.exe
SWEEP95.EXE
SWNETSUP.EXE
SymProxySvc.exe
SYSCFG32.EXE
SYSOTRAY32.EXE
TASKKILL.EXE
TASKLIST.EXE
TASKMGR.EXE
TBSCAN.EXE
TC.EXE
TCA.EXE
TCM.EXE
TCPDUMP.EXE
TCPDUMP32.EXE
TDS2-98.EXE
TDS2-NT.EXE
teekids.exe
tftpd.exe
VET95.EXE
VETTRAY.EXE
VPC32.EXE
VPTRAY.EXE
VSCAN40.EXE
VSECOMR.EXE
VSHWIN32.EXE
VSMON.EXE
VSSTAT.EXE
WEBSCANX.EXE
WFINDV32.EXE
WINDRIVER.EXE
WINEXEC.EXE
WINHEX.EXE
WINSOCK2_2.EXE
worm.exe
WRADMIN.EXE
WRCTRL.EXE
ZAPRO.EXE
ZONEALARM.EXE
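
The alert above gives a defender three concrete things to look for: the dropped
file name MPTCLOAXS.EXE, its autorun entry under the HKLM Run key, and the
sudden disappearance of security-product processes from the kill list. The
script below is an added triage example written for this post; it is not Sophos
code and not part of the original alert. It works on constructed snapshots
(a parsed Run-key dump and two process listings) standing in for what
`reg query` and `tasklist` would return on a host, and it carries only a
subset of the kill list, with the expectation that the full list above is
loaded in practice.

```python
"""Triage helpers built from the indicators in the W32/Sdbot-HB alert.

Added example, not Sophos code. All inputs are constructed snapshots
standing in for `reg query` / `tasklist` output from a Windows host.
"""
import ntpath  # Windows path semantics even when run on a non-Windows analyst box

# Indicators taken directly from the alert text.
DROPPED_FILENAME = "MPTCLOAXS.EXE"
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"

# Subset of the alert's kill list (lower-cased). A full deployment would
# load every name from the alert instead of this hand-picked sample.
SECURITY_PROCESSES = {
    "ccapp.exe", "navapsvc.exe", "zonealarm.exe", "vsmon.exe",
    "taskmgr.exe", "regedit.exe", "netstat.exe", "nod32.exe",
}


def _command_target(command):
    """Extract the executable path from a Run-key command string.

    Handles both quoted paths ("C:\\...\\x.exe" /arg) and bare paths
    followed by arguments (C:\\...\\x.exe /arg).
    """
    cmd = command.strip()
    if not cmd:
        return ""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    return cmd.split(None, 1)[0]


def run_key_hits(run_values):
    """Return (value_name, command) pairs whose target file is the dropped name.

    `run_values` maps Run-key value names to their command strings, i.e. a
    parsed `reg query` of RUN_KEY. Comparison is on the basename, case-
    insensitively, since Windows file names are case-insensitive.
    """
    hits = []
    for name, command in run_values.items():
        target = ntpath.basename(_command_target(command))
        if target.casefold() == DROPPED_FILENAME.casefold():
            hits.append((name, command))
    return hits


def missing_security_processes(before, after):
    """Security-product processes present in `before` but gone in `after`.

    The alert's kill list is itself a detection signal: a burst of these
    processes terminating is unusual on a healthy host.
    """
    before_set = {p.casefold() for p in before}
    after_set = {p.casefold() for p in after}
    gone = (before_set - after_set) & SECURITY_PROCESSES
    return sorted(gone)


def triage(run_values, before, after):
    """Combine both checks into one verdict dictionary."""
    hits = run_key_hits(run_values)
    gone = missing_security_processes(before, after)
    return {
        "run_key_hits": hits,
        "killed_security_processes": gone,
        "suspicious": bool(hits) or len(gone) >= 2,
    }


if __name__ == "__main__":
    # Constructed sample data: one host showing both indicators.
    sample_run_values = {
        "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
        "mptcloaxs": r'"C:\WINDOWS\system32\MPTCLOAXS.EXE"',
    }
    snapshot_before = ["explorer.exe", "CCAPP.EXE", "zonealarm.exe", "vsmon.exe"]
    snapshot_after = ["explorer.exe", "MPTCLOAXS.EXE"]
    print(triage(sample_run_values, snapshot_before, snapshot_after))
```

The Run-key check matches on the file's basename rather than the full path,
because the alert says only that the worm copies itself to the Windows system
folder, and that folder differs between Windows versions; the process check
requires two snapshots so a single legitimately absent product is not enough on
its own to raise the verdict.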

This IDE file also includes detection for:

Troj/XDEM-A
http://www.sophos.com/virusinfo/analyses/trojxdema.html
Troj/DownLdr-XD
http://www.sophos.com/virusinfo/analyses/trojdownldrxd.html
W32/SdBot-JI
http://www.sophos.com/virusinfo/analyses/w32sdbotji.html
W32/SdBot-JM
http://www.sophos.com/virusinfo/analyses/w32sdbotjm.html
W32/SdBot-JN
http://www.sophos.com/virusinfo/analyses/w32sdbotjn.html
W32/SdBot-JK
http://www.sophos.com/virusinfo/analyses/w32sdbotjk.html
Troj/Kirsun-A
http://www.sophos.com/virusinfo/analyses/trojkirsuna.html
Troj/BeastDo-P
http://www.sophos.com/virusinfo/analyses/trojbeastdop.html
W32/Enterus-A
http://www.sophos.com/virusinfo/analyses/w32enterusa.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/sdbot-hb.ide

Download all the IDE files available for the current version of 
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html
---------------------------------------------------------------------
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 
