[virusinfo] W32/SdBot-BC
- From: "Mike" <mikebike@xxxxxxxxx>
- To: virusinfo@xxxxxxxxxxxxx
- Date: Fri, 28 May 2004 09:39:10 -0700
From; Sophos Alert System:
Name: W32/SdBot-BC
Type: Win32 worm
Date: 28 May 2004
A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the July 2004 (3.83) release of Sophos Anti-Virus.
Customers using Enterprise Manager, PureMessage and any of the
Sophos small business solutions will be automatically protected
at their next scheduled update.
At the time of writing, Sophos has received just one report of
this worm from the wild.
Information about W32/SdBot-BC can be found at:
http://www.sophos.com/virusinfo/analyses/w32sdbotbc.html
Description
W32/Sdbot-BC is a worm and backdoor for the Windows platform.
W32/Sdbot-BC attempts to connect to a channel on a remote IRC server and
allow a malicious user remote access to the infected computer.
When executed, W32/Sdbot-BC copies itself to the windows system folder
with the filename userint.exe.
In order to run automatically when Windows starts up W32/Sdbot-BC creates
the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
NetLogon=userint.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
NetLogon=userint.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
NetLogon=userint.exe
W32/Sdbot-BC spreads by exploiting computers with weak passwords,
unpatched vulnerabilities and backdoors opened by other worms.
Recovery
Please follow the instructions for removing worms.
Check your administrator passwords and review network security.
You will also need to edit the following registry entries, if they are
present. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The
registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry'
menu, click 'Export Registry File'. In the 'Export range' panel, click
'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
NetLogon=userint.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
NetLogon=userint.exe
and delete them if they exist.
Each user has a registry area named HKEY_USERS\[code number indicating
user]\. For each user locate the entry:
HKU\[code number]\Software\Microsoft\Windows\
CurrentVersion\Run\NetLogon=userint.exe
and delete it if it exists.
Close the registry editor and reboot your computer.
This IDE file also includes detection for:
Troj/Startpa-DB
http://www.sophos.com/virusinfo/analyses/trojstartpadb.html
Troj/Dloader-R
http://www.sophos.com/virusinfo/analyses/trojdloaderr.html
Troj/Mainzz-A
http://www.sophos.com/virusinfo/analyses/trojmainzza.html
Troj/Mainzz-B
http://www.sophos.com/virusinfo/analyses/trojmainzzb.html
Troj/Mainzz-C
http://www.sophos.com/virusinfo/analyses/trojmainzzc.html
Troj/Mainzz-D
http://www.sophos.com/virusinfo/analyses/trojmainzzd.html
Troj/Boxed-A
http://www.sophos.com/virusinfo/analyses/trojboxeda.html
W32/Korgo-C
http://www.sophos.com/virusinfo/analyses/w32korgoc.html
W32/Agobot-JJ
http://www.sophos.com/virusinfo/analyses/w32agobotjj.html
Download the IDE file from:
http://www.sophos.com/downloads/ide/sdbot-bc.ide
Download all the IDE files available for the current version of
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:
Zip file:
http://www.sophos.com/downloads/ide/ides.zip
Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe
Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html
*********** MIKE"S REPLY SEPARATOR ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
Other related posts:
- » [virusinfo] W32/SdBot-BC
