[virusinfo] W32/Sdbot-ZM

From: "Mike" <mikebike@xxxxxxxxx>
To: virusinfo@xxxxxxxxxxxxx
Date: Thu, 23 Jun 2005 18:41:10 -0700
From: Sophos Alert System:

Name: W32/Sdbot-ZM
Aliases: Backdoor.Win32.SdBot.yx
Type: Win32 worm
Date: 24 June 2005

Sophos has issued protection for W32/Sdbot-ZM.

At the time of writing, Sophos has received a small number of
reports of this worm from the wild.

Customers using EM Library, Enterprise Console, PureMessage or
any of our Sophos small business solutions will be automatically
protected at their next scheduled update.


Note: The IDE issued for W32/Sdbot-ZM at 04:54 (GMT) on 17 June
2005
also contained detection for Troj/Delbot-E, W32/Mytob-BN,
W32/Mytob-BO, W32/Mytob-BP and W32/Mytob-BM .
This IDE has now been updated to enhance detection
of W32/Mytob-BN.


Information about W32/Sdbot-ZM can be found at:
http://www.sophos.com/virusinfo/analyses/w32sdbotzm.html

W32/Sdbot-ZM is a network worm with backdoor Trojan functionality for the 
Windows platform. 
When first run, W32/Sdbot-ZM copies itself to the Windows system folder as 
nawdll32.exe and creates the following registry entries in order to run each 
time a user logs on: 
HKLM\SOFTWARE\Microsoft\Ole
nawdll32
"nawdll32.exe" 
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
nawdll32
"nawdll32.exe" 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
nawdll32
"nawdll32.exe" 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
nawdll32
"nawdll32.exe" 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
nawdll32
"nawdll32.exe" 
HKCU\Software\Microsoft\OLE
nawdll32
"nawdll32.exe" 
HKCU\System\CurrentControlSet\Control\Lsa
nawdll32
"nawdll32.exe" 
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
nawdll32
"nawdll32.exe" 
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
nawdll32
"nawdll32.exe" 
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
nawdll32
"nawdll32.exe" 
The worm spreads through network shares protected by weak passwords, MS-SQL 
servers and through various operating system vulnerabilities. 
W32/Sdbot-ZM connects to a predetermined IRC channel and awaits further 
commands from remote users. The backdoor component of W32/Sdbot-ZM can be 
instructed to perform the following functions: 
scan networks for vulnerabilities
download/execute arbitrary files
start an ftp server 
Patches for the vulnerabilities exploited by W32/Sdbot-ZM can be obtained from 
Microsoft at: 
http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx 

The W32/Sdbot-ZM virus identity file (IDE) includes detection for:


Troj/Delbot-E
http://www.sophos.com/virusinfo/analyses/trojdelbote.html
W32/Mytob-BN
http://www.sophos.com/virusinfo/analyses/w32mytobbn.html
W32/Mytob-BO
http://www.sophos.com/virusinfo/analyses/w32mytobbo.html
W32/Mytob-BP
http://www.sophos.com/virusinfo/analyses/w32mytobbp.html
W32/Mytob-BM
http://www.sophos.com/virusinfo/analyses/w32mytobbm.html

Customers with 3.xx or lower versions of Sophos Anti-Virus, 
who are not running EM Library, can manually download the IDE
for W32/Sdbot-ZM from:

http://www.sophos.com/downloads/ide/sdbot-zm.ide

Read about how to use IDE files at
http://www.sophos.com/support/knowledgebase/article/363.html


*********** MIKE"S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member
[virusinfo] W32/Sdbot-ZM

Other related posts:
