[virusinfo] W32/Sdbot-WM

• From: "Mike" <mikebike@xxxxxxxxx>
• To: virusinfo@xxxxxxxxxxxxx
• Date: Mon, 25 Apr 2005 15:42:54 -0700

From; Sophos Alert System:

Name: W32/Sdbot-WM
Aliases: Backdoor.Win32.SdBot.un
Type: Win32 worm
Date: 25 April 2005

A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the June 2005 (3.94) release of Sophos Anti-Virus.

Customers using EM Library, PureMessage or any of our Sophos
small business solutions will be automatically protected at
their next scheduled update.

At the time of writing, Sophos has received a small number of
reports of this worm from the wild.


Note: The IDE issued for W32/Sdbot-WM at 29 March 2005 13:16:33
(GMT) also contained detection for Troj/Zapchas-F, Troj/Small-DV
and Troj/Servu-AR. This IDE has now been updated to enhance
detection of Troj/Zapchas-F.

Information about W32/Sdbot-WM can be found at:
http://www.sophos.com/virusinfo/analyses/w32sdbotwm.html

W32/Sdbot-WM is a worm which attempts to spread to remote network shares. It 
also contains backdoor Trojan functionality, allowing unauthorised remote 
access to the infected computer via IRC channels. 
W32/Sdbot-WM attempts to spread to network shares with weak passwords. 
W32/Sdbot-WM copies itself to the Windows system folder as MSNMSGR.EXE and 
creates entries at the following locations in the registry with the value 
"Microsoft Windows Update" so as to run itself on system startup: 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run 
W32/Sdbot-WM may attempt to send a message via certain instant messenger 
programs to encourage users to download a file from the website 
http://kasized.com. At the time of writing this file was unavailable for 
download. 
W32/Sdbot-WM may set the following registry entry: 
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N" 
W32/Sdbot-WM may attempt to delete network shares on the host computer. 
W32/Sdbot-WM may attempt to log keystrokes to the file KEYLOG.TXT in the 
Windows system folder. 
W32/Sdbot-WM also copies itself to the filename MSNCFG.DAT and may also copy 
itself to the filename PAYLOAD.DAT. 

This IDE file also includes detection for:

Troj/Zapchas-F
http://www.sophos.com/virusinfo/analyses/trojzapchasf.html
Troj/Small-DV
http://www.sophos.com/virusinfo/analyses/trojsmalldv.html
Troj/Servu-AR
http://www.sophos.com/virusinfo/analyses/trojservuar.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/sdbot-wm.ide

Download all the IDE files available for the current version of 
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html


*********** MIKE"S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 

Other related posts:

• » [virusinfo] W32/Sdbot-WM
• » [virusinfo] W32/Sdbot-WM

1. Home
2. virusinfo
3. Archive
4. 04-2005

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---