[virusinfo] W32/Sdbot-XH

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Wed, 20 Apr 2005 08:40:11 -0700

From: Sophos Alert System:

Name: W32/Sdbot-XH
Aliases: W32.Spybot.Worm, WORM_SDBOT.BHU
Type: Win32 worm
Date: 20 April 2005

A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the June 2005 (3.94) release of Sophos Anti-Virus.

Customers using EM Library, PureMessage or any of our Sophos
small business solutions will be automatically protected at
their next scheduled update.

At the time of writing, Sophos has received a small number of
reports of this worm from the wild.


Note: The IDE issued for W32/Sdbot-XH at 12:32 GMT on 19 April
also contained detection for W32/Forbot-EV, Troj/Proxyser-H,
Troj/Dropper-AJ, Troj/Dloader-MI, Troj/Proxyser-I,
Troj/Bifrose-AJ, Troj/Prorat-L, W32/Rbot-AAW and
Troj/LdPinch-AW. This IDE has now been updated to resolve
problems with detection of Troj/Bifrose-AJ.  

Information about W32/Sdbot-XH can be found at:
http://www.sophos.com/virusinfo/analyses/w32sdbotxh.html

W32/Sdbot-XH is a network worm with backdoor Trojan functionality for the 
Windows platform. 
When first run, W32/Sdbot-XH copies itself to the Windows system folder as 
windesktop.exe and sets the following registry entries so that it is run 
each time a user logs on (key\value name = data): 
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Desktop Controler = windesktop.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Desktop Controler = windesktop.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\Windows Desktop Controler = windesktop.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Windows Desktop Controler = windesktop.exe
The worm sets the following registry entries, disabling the automatic startup 
of other software: 
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 4
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Start = 4
Registry entries are also created under: 
HKCU\Software\Microsoft\OLE\
HKLM\SOFTWARE\Microsoft\Ole\ 
The worm spreads through network shares protected by weak passwords, MS-SQL 
servers and through various operating system vulnerabilities. 
W32/Sdbot-XH connects to a predetermined IRC channel and awaits further 
commands from remote users. The backdoor component of W32/Sdbot-XH can be 
instructed to perform the following functions: 
scan networks for vulnerabilities
download/execute arbitrary files
start an ftp server 
Patches for the vulnerabilities exploited by W32/Sdbot-XH can be obtained from 
Microsoft at: 
http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx 
W32/Sdbot-XH also drops a file to the current folder as msdirectx.sys. The 
dropped file is detected by Sophos's anti-virus products as Troj/NtRootK-F. 
The worm changes the Windows HOSTS file in an attempt to prevent access to 
sites from the following list: 
avp.com
ca.com
customer.symantec.com
dispatch.mcafee.com
download.mcafee.com
f-secure.com
kaspersky.com
kaspersky-labs.com
liveupdate.symantec.com
liveupdate.symantecliveupdate.com
mast.mcafee.com
mcafee.com
my-etrust.com
nai.com
networkassociates.com
rads.mcafee.com
secure.nai.com
securityresponse.symantec.com
sophos.com
symantec.com
trendmicro.com
update.symantec.com
updates.symantec.com
us.mcafee.com
viruslist.com
www.avp.com
www.ca.com
www.f-secure.com
www.grisoft.com
www.kaspersky.com
www.mcafee.com
www.my-etrust.com
www.nai.com
www.networkassociates.com
www.sophos.com
www.symantec.com
www.trendmicro.com
www.viruslist.com 
W32/Sdbot-XH terminates a number of processes, including those belonging to 
various AV and security applications, system tools, and other worms and 
Trojans. 
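The persistence keys, the Start=4 service entries and the HOSTS-file changes above are all host artifacts a responder can check offline. The script below is an added example (not Sophos code and not part of the alert): it parses a .reg export of the relevant keys and a copy of the HOSTS file collected from a suspect machine and reports the indicators the alert describes. The value name "Windows Desktop Controler", the file name windesktop.exe, the two services and the domain list are taken from the alert; the sample .reg and HOSTS contents are constructed. Start=4 is SERVICE_DISABLED; SharedAccess is the Windows XP firewall/ICS service and wuauserv is Automatic Updates.

```python
"""Offline triage for the W32/Sdbot-XH host indicators described in the alert.

Added example, not Sophos code. Inputs are a .reg export (as produced by
reg export / regedit) and a HOSTS file; the samples below are constructed.
"""
import re

# Indicators taken from the alert text.
PERSISTENCE_VALUE = "windows desktop controler"   # value name (sic), lower-cased
PERSISTENCE_FILE = "windesktop.exe"
RUN_KEYS = {k.lower() for k in (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)}
DISABLED_SERVICES = {"sharedaccess", "wuauserv"}   # Start=4 means SERVICE_DISABLED
BLOCKED_DOMAINS = set("""
avp.com ca.com customer.symantec.com dispatch.mcafee.com download.mcafee.com
f-secure.com kaspersky.com kaspersky-labs.com liveupdate.symantec.com
liveupdate.symantecliveupdate.com mast.mcafee.com mcafee.com my-etrust.com nai.com
networkassociates.com rads.mcafee.com secure.nai.com securityresponse.symantec.com
sophos.com symantec.com trendmicro.com update.symantec.com updates.symantec.com
us.mcafee.com viruslist.com www.avp.com www.ca.com www.f-secure.com www.grisoft.com
www.kaspersky.com www.mcafee.com www.my-etrust.com www.nai.com www.networkassociates.com
www.sophos.com www.symantec.com www.trendmicro.com www.viruslist.com
""".split())


def parse_reg_export(text):
    """Return {key: {value_name: data}} from .reg text (REG_SZ and dword only)."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
        elif current and "=" in line:
            name, data = line.split("=", 1)
            name = name.strip().strip('"')
            data = data.strip()
            data = int(data[6:], 16) if data.startswith("dword:") else data.strip('"')
            result[current][name] = data
    return result


def reg_findings(reg):
    """Flag the alert's Run/RunServices persistence value and disabled services."""
    findings = []
    for key, values in reg.items():
        lkey = key.lower()
        if lkey in RUN_KEYS:
            for name, data in values.items():
                if name.lower() == PERSISTENCE_VALUE or (
                        isinstance(data, str) and data.lower().endswith(PERSISTENCE_FILE)):
                    findings.append(f"persistence: {key}\\{name} = {data}")
        else:
            m = re.search(r"\\services\\([^\\]+)$", lkey)
            if m and m.group(1) in DISABLED_SERVICES and values.get("Start") == 4:
                findings.append(f"service disabled: {m.group(1)} Start=4")
    return findings


def hosts_findings(text):
    """Flag any HOSTS entry that pins one of the alert's AV-vendor domains."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()     # drop comments
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, names = parts[0], parts[1:]
        findings += [f"hosts: {n} -> {ip}" for n in names if n.lower() in BLOCKED_DOMAINS]
    return findings


def triage(reg_text, hosts_text):
    return reg_findings(parse_reg_export(reg_text)) + hosts_findings(hosts_text)


# Constructed samples: one Run entry, firewall service disabled, updates still on.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Desktop Controler"="windesktop.exe"
"SoundMan"="SOUNDMAN.EXE"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000002
"""
SAMPLE_HOSTS = """# constructed sample HOSTS file
127.0.0.1 localhost
127.0.0.1 sophos.com www.sophos.com
127.0.0.1 liveupdate.symantec.com
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_REG, SAMPLE_HOSTS):
        print(finding)
```

On a real export, read the .reg file with encoding "utf-16" (regedit writes UTF-16 with a BOM) before passing it to triage(); the sample above reports the Run entry, the disabled SharedAccess service and the three pinned vendor domains, and correctly stays silent on wuauserv because its Start value is 2.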

This IDE file also includes detection for:

W32/Forbot-EV
http://www.sophos.com/virusinfo/analyses/w32forbotev.html
Troj/Proxyser-H
http://www.sophos.com/virusinfo/analyses/trojproxyserh.html
Troj/Dropper-AJ
http://www.sophos.com/virusinfo/analyses/trojdropperaj.html
Troj/Dloader-MI
http://www.sophos.com/virusinfo/analyses/trojdloadermi.html
Troj/Proxyser-I
http://www.sophos.com/virusinfo/analyses/trojproxyseri.html
Troj/Bifrose-AJ
http://www.sophos.com/virusinfo/analyses/trojbifroseaj.html
Troj/Prorat-L
http://www.sophos.com/virusinfo/analyses/trojproratl.html
W32/Rbot-AAW
http://www.sophos.com/virusinfo/analyses/w32rbotaaw.html
Troj/LdPinch-AW
http://www.sophos.com/virusinfo/analyses/trojldpinchaw.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/sdbot-xh.ide

Download all the IDE files available for the current version of 
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

*********** MIKE"S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 