[virusinfo] W32/Sdbot-WK

• From: "Mike" <mikebike@xxxxxxxxx>
• To: virusinfo@xxxxxxxxxxxxx
• Date: Mon, 28 Mar 2005 14:48:33 -0800

From; Sophos Alert System:

Name: W32/Sdbot-WK
Type: Win32 worm
Date: 28 March 2005

A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the May 2005 (3.93) release of Sophos Anti-Virus.

Customers using EM Library, PureMessage or any of our Sophos
small business solutions will be automatically protected at
their next scheduled update.

At the time of writing, Sophos has received a small number of
reports of this worm from the wild.


Information about W32/Sdbot-WK can be found at:
http://www.sophos.com/virusinfo/analyses/w32sdbotwk.html

W32/Sdbot-WK is a network worm with backdoor functionality for the Windows 
platform. 
W32/Sdbot-WK is capable of spreading to computers on the local network 
protected by weak passwords after receiving the appropriate backdoor command. 
W32/Sdbot-WK will also attempt to spread by exploiting the following 
vulnerabilities: 
RPC DCOM (MS03-026, MS03-039, MS04-012)
LSASS (MS04-011)
WorKStation service (MS03-049)
Microsoft SQL Server 2000 (pre service pack 3) (CAN-2002-0649)
Microsoft SQL servers with weak passwords 
When first run, W32/Sdbot-WK moves itself to the Windows system folder as 
PC.EXE. In order to run automatically each time a user logs on, W32/Sdbot-WK 
will set the following registry entries: 
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Service Drivers
PC.EXE 
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Service Drivers
PC.EXE 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Service Drivers
PC.EXE 
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Service Drivers
PC.EXE 
W32/Sdbot-WK will attempt to stealth itself by dropping and running a file 
named MSDIRECTX.SYS. This file runs as a service named "msdirectx" and is 
detected as Troj/NtRootK-F. 
W32/Sdbot-WK runs continuously in the background, providing backdoor access to 
the infected computer over IRC channels. 
W32/Sdbot-WK will modify the following registry entries in order to disable 
DCOM and close restrictions on IPC$ shares: 
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N 
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1 
W32/Sdbot-WK will attempt to disable the Windows Internet Connection Firewall 
and Automatic Updates by modifying the following registry entries: 
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Start 
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Start 
W32/Sdbot-WK can add and delete network shares and users on the infected 
computer. 
W32/Sdbot-WK may modify the HOSTS file found in the %SYSTEM%\driver\etc folder 
in order to deny access to certain anti-virus websites. For example, 
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com 
W32/Sdbot-WK will attempt to terminate a large number of security and 
anti-virus related processes. 

This IDE file also includes detection for:

Troj/Agent-CR
http://www.sophos.com/virusinfo/analyses/trojagentcr.html
Troj/Spybot-DM
http://www.sophos.com/virusinfo/analyses/trojspybotdm.html
Troj/Bdoor-FX
http://www.sophos.com/virusinfo/analyses/trojbdoorfx.html
Troj/Dluca-DN
http://www.sophos.com/virusinfo/analyses/trojdlucadn.html
Troj/Certif-D
http://www.sophos.com/virusinfo/analyses/trojcertifd.html
Troj/Dloader-KC
http://www.sophos.com/virusinfo/analyses/trojdloaderkc.html
Troj/Banker-MO
http://www.sophos.com/virusinfo/analyses/trojbankermo.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/sdbot-wk.ide

Download all the IDE files available for the current version of 
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

*********** MIKE"S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 

Other related posts:

• » [virusinfo] W32/Sdbot-WK

1. Home
2. virusinfo
3. Archive
4. 03-2005

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---