[virusinfo] W32/Sdbot-XV

• From: "Mike" <mikebike@xxxxxxxxx>
• To: virusinfo@xxxxxxxxxxxxx
• Date: Sat, 30 Apr 2005 16:34:10 -0700

From; Sophos Alert System:

Name: W32/Sdbot-XV
Type: Win32 worm
Date: 30 April 2005

A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the June 2005 (3.94) release of Sophos Anti-Virus.

Customers using EM Library, PureMessage or any of our Sophos
small business solutions will be automatically protected at
their next scheduled update.

At the time of writing, Sophos has received a small number of
reports of this worm from the wild.


Information about W32/Sdbot-XV can be found at:
http://www.sophos.com/virusinfo/analyses/w32sdbotxv.html

W32/Sdbot-XV is a network worm with backdoor Trojan functionality for the 
Windows platform. 
When first run, W32/Sdbot-XV copies itself to the Windows system folder as 
mskev.exe and creates the following registry entries in order to run each time 
a user logs on: 
HKLM\System\CurrentControlSet\Control\Lsa
Windows kev Messenger
mskev.exe 
HKLM\Software\Microsoft\Ole
Windows kev Messenger
mskev.exe 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Windows kev Messenger
mskev.exe 
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
Windows kev Messenger
mskev.exe 
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Windows kev Messenger
mskev.exe 
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Windows kev Messenger
mskev.exe 
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
Windows kev Messenger
mskev.exe 
The worm spreads through network shares protected by weak passwords and through 
various operating system vulnerabilities. 
W32/Sdbot-XV connects to a predetermined IRC channel and awaits further 
commands from remote users. The backdoor component of W32/Sdbot-XV can be 
instructed to perform the following functions: 
scan networks for vulnerabilities
download/execute arbitrary files 
Patches for the vulnerabilities exploited by W32/Sdbot-XV can be obtained from 
Microsoft at: 
MS02-039
MS04-011
MS04-012 

This IDE file also includes detection for:

Troj/Maloader-A
http://www.sophos.com/virusinfo/analyses/trojmaloadera.html
Troj/Psyme-BU
http://www.sophos.com/virusinfo/analyses/trojpsymebu.html
W32/Rbot-ABN
http://www.sophos.com/virusinfo/analyses/w32rbotabn.html
Troj/Murlo-X
http://www.sophos.com/virusinfo/analyses/trojmurlox.html
Troj/Spygal-D
http://www.sophos.com/virusinfo/analyses/trojspygald.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/sdbot-xv.ide

Download all the IDE files available for the current version of 
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

*********** MIKE"S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 

Other related posts:

• » [virusinfo] W32/Sdbot-XV

1. Home
2. virusinfo
3. Archive
4. 04-2005

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---