From: Sophos Alert System

Name: W32/Sdbot-HB
Aliases: Backdoor.IRCBot.gen, Win32/IRCBot.CL
Type: Win32 worm
Date: 7 April 2004

A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the May 2004 (3.81) release of Sophos Anti-Virus. Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.

At the time of writing, Sophos has received just one report of this worm from the wild.

Information about W32/Sdbot-HB can be found at:
http://www.sophos.com/virusinfo/analyses/w32sdbothb.html

Description

W32/Sdbot-HB is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.

W32/Sdbot-HB spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user.
W32/Sdbot-HB copies itself to the Windows system folder as MPTCLOAXS.EXE and creates an entry in the registry at the following location to run itself on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

W32/Sdbot-HB attempts to terminate a number of processes relating to anti-virus and security products, as well as some relating to W32/Blaster-A and its variants, including the following:

_AVP32.EXE _AVPCC.EXE _AVPM.EXE ACKWIN32.EXE ADVXDWIN.EXE ALERTSVC.EXE amon.exe ANTITROJAN.EXE ANTI-TROJAN.EXE ANTS.EXE APVXDWIN.EXE AUTODOWN.EXE AVCONSOL.EXE AVE32.EXE AVGCTRL.EXE AVKSERV.EXE AVNT.EXE AVP.EXE AVP32.EXE AVPCC.EXE AVPDOS32.EXE AVPM.EXE AVPTC32.EXE AVPUPD.EXE AVSCHED32.EXE AVWIN95.EXE AVWUPD32.EXE BLACKD.EXE BLACKICE.EXE bot.exe CCAPP.EXE CCEVTMGR.EXE CCPXYSVC.EXE CFIADMIN.EXE CFIAUDIT.EXE CFINET.EXE CFINET32.EXE CLAW95.EXE CLAW95CF.EXE CLEANER.EXE CLEANER3.EXE CONNECTIONMONITOR.EXE CPD.EXE CPDCLNT.EXE dcomx.exe DEFWATCH.EXE DFW.EXE drweb.exe Drweb32w.exe drweb386.exe Drwebupw.exe Drwebwcl.exe DUMP.EXE DUMP1.EXE DUMPED.EXE DUMPED1.EXE DVP95.EXE DVP95_0.EXE ECENGINE.EXE enbiei.exe ESAFE.EXE ESPWATCH.EXE EXPLORER32.EXE F-AGNT95.EXE FINDVIRU.EXE FPROT.EXE F-PROT.EXE F-PROT95.EXE FP-WIN.EXE FRW.EXE F-STOPW.EXE GUARDDOG.EXE IAMAPP.EXE IAMSERV.EXE IBMASN.EXE IBMAVSP.EXE ICLOAD95.EXE ICLOADNT.EXE ICMON.EXE ICSUPP95.EXE ICSUPPNT.EXE IFACE.EXE index.exe IOMON98.EXE IRIS.EXE JEDI.EXE KILL.EXE KILLER.EXE KPF4GUI.EXE KPF4SS.EXE LDNETMON.EXE LOCKDOWN.EXE LOCKDOWN2000.EXE lolx.exe LOOKOUT.EXE LordPE.EXE LordPE32.EXE LUALL.EXE MINILOG.EXE MOOLIVE.EXE MPFTRAY.EXE msblast.exe MSCONFIG.EXE mslaugh.exe mspatch.exe N32SCANW.EXE NAVAPSVC.EXE NAVAPW32.EXE NAVLU32.EXE NAVNT.EXE NAVW32.EXE NAVWNT.EXE NDD32.EXE NETSTAT.EXE NETUTILS.EXE NISSERV.EXE NISUM.EXE NMAIN.EXE nod.exe nod32.exe NORMIST.EXE NPROTECT.EXE NPSSVC.EXE NTVDM.EXE NUPGRADE.EXE NVC95.EXE NVSVC32.EXE NWTOOL16.EXE OUTPOST.EXE PADMIN.EXE PAVCL.EXE PAVSCHED.EXE PAVW.EXE PCCWIN98.EXE PCFWALLICON.EXE penis32.exe
PERSFW.EXE PM.exe POPROXY.EXE PORTMONITOR.EXE PRKILLER.EXE PROCDUMP.EXE PROCDUMP32.EXE PS.EXE PSKILL.EXE PSLIST.EXE RAV7.EXE RAV7WIN.EXE REGEDIT.EXE RESCUE.EXE root32.exe rpc.exe rpctest.exe RTVSCN95.EXE RUNDDL31.EXE SAFEWEB.EXE SCAN32.EXE SCAN95.EXE SCANPM.EXE SCRSCAN.EXE scvhost.exe SERV95.EXE SMC.EXE SPHINX.EXE spider.exe Spiderml.exe spidernt.exe SWEEP95.EXE SWNETSUP.EXE SymProxySvc.exe SYSCFG32.EXE SYSOTRAY32.EXE TASKKILL.EXE TASKLIST.EXE TASKMGR.EXE TBSCAN.EXE TC.EXE TCA.EXE TCM.EXE TCPDUMP.EXE TCPDUMP32.EXE TDS2-98.EXE TDS2-NT.EXE teekids.exe tftpd.exe VET95.EXE VETTRAY.EXE VPC32.EXE VPTRAY.EXE VSCAN40.EXE VSECOMR.EXE VSHWIN32.EXE VSMON.EXE VSSTAT.EXE WEBSCANX.EXE WFINDV32.EXE WINDRIVER.EXE WINEXEC.EXE WINHEX.EXE WINSOCK2_2.EXE worm.exe WRADMIN.EXE WRCTRL.EXE ZAPRO.EXE ZONEALARM.EXE

This IDE file also includes detection for:

Troj/XDEM-A
http://www.sophos.com/virusinfo/analyses/trojxdema.html

Troj/DownLdr-XD
http://www.sophos.com/virusinfo/analyses/trojdownldrxd.html

W32/SdBot-JI
http://www.sophos.com/virusinfo/analyses/w32sdbotji.html

W32/SdBot-JM
http://www.sophos.com/virusinfo/analyses/w32sdbotjm.html

W32/SdBot-JN
http://www.sophos.com/virusinfo/analyses/w32sdbotjn.html

W32/SdBot-JK
http://www.sophos.com/virusinfo/analyses/w32sdbotjk.html

Troj/Kirsun-A
http://www.sophos.com/virusinfo/analyses/trojkirsuna.html

Troj/BeastDo-P
http://www.sophos.com/virusinfo/analyses/trojbeastdop.html

W32/Enterus-A
http://www.sophos.com/virusinfo/analyses/w32enterusa.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/sdbot-hb.ide

Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file.
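Two host checks for the behaviour described above, added here as an example and not Sophos code: the first parses the text output of "reg query" on the Run key named in the advisory and reports entries that launch MPTCLOAXS.EXE; the second lists watched security processes (a small subset of the advisory's list) that are absent from a running-process listing. The registry value name "Configuration Loader" and all sample data are constructed for the example.

```python
# Added example (not Sophos code): two host checks for the W32/Sdbot-HB
# behaviour described in the advisory. Inputs are the text of `reg query`
# and a running-process list; the sample data below is constructed.
import ntpath
import re

WORM_FILE = "MPTCLOAXS.EXE"   # dropped into the Windows system folder
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"

# Subset of the security-product processes the advisory says are killed
WATCHED = {"NAVAPSVC.EXE", "CCAPP.EXE", "ZONEALARM.EXE", "VSMON.EXE"}

# One value line of `reg query` output: <name> <type> <data>
_ENTRY = re.compile(r"^\s+(\S.*?)\s+(REG_SZ|REG_EXPAND_SZ)\s+(.*\S)\s*$")

def parse_run_entries(reg_output):
    """Return [(name, data)] for each string value under the Run key."""
    return [(m.group(1), m.group(3))
            for m in map(_ENTRY.match, reg_output.splitlines()) if m]

def executable_of(command):
    """Executable path from a Run value, with quotes and arguments removed."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split()[0]

def find_sdbot_hb(reg_output):
    """Names of Run entries that launch the worm's dropped file."""
    return [name for name, data in parse_run_entries(reg_output)
            if ntpath.basename(executable_of(data)).upper() == WORM_FILE]

def killed_security_processes(running):
    """Watched security processes not present in the running-process list."""
    return sorted(WATCHED - {p.upper() for p in running})

# Constructed sample: the value name "Configuration Loader" is invented
# here; the advisory only gives the file name and the key.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    Configuration Loader    REG_SZ    C:\WINDOWS\System32\MPTCLOAXS.EXE
    QuickTime Task    REG_SZ    "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""
SAMPLE_PROCS = ["explorer.exe", "ccApp.exe", "mptcloaxs.exe", "svchost.exe"]

if __name__ == "__main__":
    print("Run entries launching the worm:", find_sdbot_hb(SAMPLE_REG))
    print("Security processes missing:", killed_security_processes(SAMPLE_PROCS))
```

On a live host, feed the output of "reg query" on RUN_KEY and the image names from "tasklist" to the two functions instead of the samples.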
The file is available in two formats:
Zip file: http://www.sophos.com/downloads/ide/ides.zip
Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at http://www.sophos.com/downloads/ide/using.html

---------------------------------------------------------------------
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews, see a sample on my web page http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member