From: Sophos Alert System

Name: W32/Sdbot-XH
Aliases: W32.Spybot.Worm, WORM_SDBOT.BHU
Type: Win32 worm
Date: 19 April 2005

A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the June 2005 (3.94) release of Sophos Anti-Virus. Customers using EM Library, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update.

At the time of writing, Sophos has received a small number of reports of this worm from the wild.

Information about W32/Sdbot-XH can be found at:
http://www.sophos.com/virusinfo/analyses/w32sdbotxh.html

W32/Sdbot-XH is a network worm with backdoor Trojan functionality for the Windows platform.

When first run, W32/Sdbot-XH copies itself to the Windows system folder as windesktop.exe and sets the following registry entries so that it runs automatically each time a user logs on:

  HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
    Windows Desktop Controler
    windesktop.exe

  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    Windows Desktop Controler
    windesktop.exe

  HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\
    Windows Desktop Controler
    windesktop.exe

  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
    Windows Desktop Controler
    windesktop.exe

The worm sets the following registry entries, disabling the automatic startup of other software:

  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\
    Start
    4

  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\
    Start
    4

  HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\
    Start
    4

  HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\
    Start
    4

Registry entries are also created under:

  HKCU\Software\Microsoft\OLE\
  HKLM\SOFTWARE\Microsoft\Ole\

The worm spreads through network shares protected by weak passwords, MS-SQL servers and through various operating system vulnerabilities.
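The registry artefacts above (the Run/RunServices value and the Start values on the SharedAccess and wuauserv services) are exactly what a responder would look for on a suspect machine. The script below is an added example, not part of the Sophos alert or any Sophos tool: it parses a text export of the registry (the format produced by "reg export", assumed here) and reports the persistence value and any of the named services whose Start type has been set to 4, the value Windows uses for a disabled service. The export text embedded in the block is constructed for the example.

```python
"""Offline check of a .reg export for the W32/Sdbot-XH registry indicators
listed in the alert. Added example; parses a 'reg export' style text dump."""
import re

# Indicators copied from the alert. The value name keeps the worm's own
# spelling ("Controler"); do not "correct" it or the match will fail.
PERSISTENCE_KEYS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
}
PERSISTENCE_VALUE = "Windows Desktop Controler"
PERSISTENCE_DATA = "windesktop.exe"
# Services the alert says the worm sets to Start=4 (SERVICE_DISABLED).
DISABLED_SERVICES = {"SharedAccess", "wuauserv"}
SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"


def parse_reg_export(text):
    """Minimal .reg parser: returns {key_path: {value_name: data}}.
    Handles "name"="string" and "name"=dword:hex values, which is all we need."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"(?P<name>[^"]*)"=(?P<data>.*)$', line)
        if m and current is not None:
            data = m.group("data")
            if data.startswith("dword:"):
                value = int(data[len("dword:"):], 16)
            elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                value = data[1:-1]
            else:
                value = data
            keys[current][m.group("name")] = value
    return keys


def find_indicators(text):
    """Return human-readable findings for the Sdbot-XH indicators in an export."""
    keys = parse_reg_export(text)
    persistence_lower = {k.lower() for k in PERSISTENCE_KEYS}
    findings = []
    for key, values in keys.items():
        key_lower = key.lower()
        if key_lower in persistence_lower:
            data = values.get(PERSISTENCE_VALUE)
            if isinstance(data, str) and data.lower().endswith(PERSISTENCE_DATA):
                findings.append(f"persistence: {key}\\{PERSISTENCE_VALUE} = {data}")
        if key_lower.startswith(SERVICE_KEY.lower() + "\\"):
            svc = key[len(SERVICE_KEY) + 1:]
            if svc in DISABLED_SERVICES and values.get("Start") == 4:
                findings.append(f"service disabled: {svc} Start=4")
    return findings


# Constructed sample export: two persistence hits, SharedAccess disabled,
# wuauserv still at its normal Start=2, plus unrelated entries as noise.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Desktop Controler"="windesktop.exe"
"SomeUpdater"="C:\\Program Files\\Vendor\\updater.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Desktop Controler"="windesktop.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser]
"Start"=dword:00000004
"""

if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_EXPORT):
        print(finding)
```

The service check is deliberately restricted to the two services named in the alert: many legitimate services run with Start=4, so flagging every disabled service would bury the signal. On a live system the same logic can be fed the output of "reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg".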
W32/Sdbot-XH connects to a predetermined IRC channel and awaits further commands from remote users. The backdoor component of W32/Sdbot-XH can be instructed to perform the following functions:

  - scan networks for vulnerabilities
  - download/execute arbitrary files
  - start an ftp server

Patches for the vulnerabilities exploited by W32/Sdbot-XH can be obtained from Microsoft at:

  http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx
  http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
  http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx

W32/Sdbot-XH also drops a file to the current folder as msdirectx.sys. The dropped file is detected by Sophos's anti-virus products as Troj/NtRootK-F.

The worm changes the Windows HOSTS file in an attempt to prevent access to sites from the following list:

  avp.com
  ca.com
  customer.symantec.com
  dispatch.mcafee.com
  download.mcafee.com
  f-secure.com
  kaspersky.com
  kaspersky-labs.com
  liveupdate.symantec.com
  liveupdate.symantecliveupdate.com
  mast.mcafee.com
  mcafee.com
  my-etrust.com
  nai.com
  networkassociates.com
  rads.mcafee.com
  secure.nai.com
  securityresponse.symantec.com
  sophos.com
  symantec.com
  trendmicro.com
  update.symantec.com
  updates.symantec.com
  us.mcafee.com
  viruslist.com
  www.avp.com
  www.ca.com
  www.f-secure.com
  www.grisoft.com
  www.kaspersky.com
  www.mcafee.com
  www.my-etrust.com
  www.nai.com
  www.networkassociates.com
  www.sophos.com
  www.symantec.com
  www.trendmicro.com
  www.viruslist.com

W32/Sdbot-XH terminates a number of processes, including those related to various AV and security applications as well as system tools and other worms and Trojans.
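A HOSTS file that silently maps vendor update sites to the local machine is one of the quickest things to verify on an infected host, and the most common reason "my antivirus will not update" after an infection like this one. The script below is an added example, not Sophos code: it parses HOSTS-format text, flags any mapping for a domain on the alert's list (or a subdomain of one), distinguishes loopback/unspecified sinkholes from redirects to some other address, and produces a cleaned copy with the offending lines commented out. The HOSTS content embedded in the block is constructed for the example.

```python
"""Detect and neutralise HOSTS-file hijacks of security-vendor domains, the
technique the alert attributes to W32/Sdbot-XH. Added example, not Sophos code."""
import ipaddress

# Domain list reproduced from the alert.
BLOCKED_DOMAINS = {
    "avp.com", "ca.com", "customer.symantec.com", "dispatch.mcafee.com",
    "download.mcafee.com", "f-secure.com", "kaspersky.com", "kaspersky-labs.com",
    "liveupdate.symantec.com", "liveupdate.symantecliveupdate.com",
    "mast.mcafee.com", "mcafee.com", "my-etrust.com", "nai.com",
    "networkassociates.com", "rads.mcafee.com", "secure.nai.com",
    "securityresponse.symantec.com", "sophos.com", "symantec.com",
    "trendmicro.com", "update.symantec.com", "updates.symantec.com",
    "us.mcafee.com", "viruslist.com", "www.avp.com", "www.ca.com",
    "www.f-secure.com", "www.grisoft.com", "www.kaspersky.com", "www.mcafee.com",
    "www.my-etrust.com", "www.nai.com", "www.networkassociates.com",
    "www.sophos.com", "www.symantec.com", "www.trendmicro.com", "www.viruslist.com",
}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping; comments and blanks skipped."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; Windows ignores it too
        for host in parts[1:]:
            yield ip, host.lower(), n


def is_security_vendor(host):
    """True for a listed domain or any subdomain of one."""
    return host in BLOCKED_DOMAINS or any(host.endswith("." + d) for d in BLOCKED_DOMAINS)


def find_hijacked(text):
    """Return (line_no, hostname, ip, kind) for each vendor-domain mapping.
    kind is 'sinkholed' for loopback/0.0.0.0 targets, 'redirected' otherwise."""
    findings = []
    for ip, host, n in parse_hosts(text):
        if not is_security_vendor(host):
            continue
        kind = "sinkholed" if ip.is_loopback or ip.is_unspecified else "redirected"
        findings.append((n, host, str(ip), kind))
    return findings


def clean_hosts(text):
    """Return the HOSTS text with every flagged line commented out, not deleted,
    so the responder keeps a record of what was there."""
    bad = {n for n, _, _, _ in find_hijacked(text)}
    out = []
    for n, raw in enumerate(text.splitlines(), 1):
        out.append("# disabled by cleanup: " + raw if n in bad else raw)
    return "\n".join(out) + "\n"


# Constructed sample HOSTS content: localhost is legitimate, three vendor
# domains are sinkholed, and an unrelated intranet mapping must not be touched.
SAMPLE_HOSTS = """# Constructed sample HOSTS file for this example
127.0.0.1       localhost
127.0.0.1 www.sophos.com
127.0.0.1 liveupdate.symantec.com
0.0.0.0 update.symantec.com
10.0.0.5 intranet.example
"""

if __name__ == "__main__":
    for line_no, host, ip, kind in find_hijacked(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {ip} ({kind})")
    print(clean_hosts(SAMPLE_HOSTS))
```

On a real machine the file is %SystemRoot%\System32\drivers\etc\hosts; read it, run find_hijacked on the contents, and only write back the result of clean_hosts after reviewing the findings, since an administrator may have added vendor entries on purpose (a "redirected" hit to an internal update mirror, for instance).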
This IDE file also includes detection for:

  W32/Forbot-EV
  http://www.sophos.com/virusinfo/analyses/w32forbotev.html

  Troj/Proxyser-H
  http://www.sophos.com/virusinfo/analyses/trojproxyserh.html

  Troj/Dropper-AJ
  http://www.sophos.com/virusinfo/analyses/trojdropperaj.html

  Troj/Dloader-MI
  http://www.sophos.com/virusinfo/analyses/trojdloadermi.html

  Troj/Proxyser-I
  http://www.sophos.com/virusinfo/analyses/trojproxyseri.html

  Troj/Bifrose-AJ
  http://www.sophos.com/virusinfo/analyses/trojbifroseaj.html

  Troj/Prorat-L
  http://www.sophos.com/virusinfo/analyses/trojproratl.html

  W32/Rbot-AAW
  http://www.sophos.com/virusinfo/analyses/w32rbotaaw.html

  Troj/LdPinch-AW
  http://www.sophos.com/virusinfo/analyses/trojldpinchaw.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/sdbot-xh.ide

Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file. The file is available in two formats:

  Zip file: http://www.sophos.com/downloads/ide/ides.zip
  Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

*********** MIKE'S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews
See a sample on my web page http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member