Content

W32/Sdbot.worm!76714

Type: Internet Worm
SubType: Internet Relay Chat
Discovery Date: 02/06/2007
Length: 76714 Bytes
Minimum DAT: 4958 (02/07/2007)
Updated DAT: 5176 (12/03/2007)
Minimum Engine: 5.1.00
Description Added: 02/06/2007
Description Modified: 02/06/2007 9:31 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

Upon execution, it creates a copy of itself into the Windows system directory:

  • %Windir%\%SYSDIR%\svcchost.exe

Adds the following values to the registry to auto start itself when Windows starts:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Currentversion\Run
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Currentversion\Runservices

Modifies the following registry values, lowering the machine's default security settings:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole "EnableDCOM" = "N"
  • HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET\CONTROL\Lsa "restrictanonymous" = "1"

Attempts to contact a server at IP address 66.109.25.116 on TCP port 11640.

Symptoms

W32/Sdbot.worm!76714 attempts to join the following IRC server:

  • IRC Server: 66.109.25.116
  • Port: 11640
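
As an added example (not part of the McAfee description), a read-only PowerShell check for the host and network indicators listed above, to be run in an elevated session on a suspect machine. It assumes the CONTROLSET key in the listing resolves to CurrentControlSet, and that Get-NetTCPConnection is available (Windows 8 / Server 2012 or later).

```powershell
# Added example: look for the W32/Sdbot.worm!76714 indicators from this page. Read-only.
$Indicators = @{
    DroppedFile = Join-Path $env:SystemRoot 'System32\svcchost.exe'   # %Windir%\%SYSDIR%\svcchost.exe
    RunKeys     = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
    )
    C2Address   = '66.109.25.116'
    C2Port      = 11640
}
$findings = @()

# 1. Dropped copy in the system directory (double 'c': svcchost.exe, not the legitimate svchost.exe).
if (Test-Path -LiteralPath $Indicators.DroppedFile) {
    $findings += "File present: $($Indicators.DroppedFile)"
}

# 2. Autorun values under Run / RunServices that point at the dropped file.
foreach ($key in $Indicators.RunKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }            # skip PowerShell's own metadata properties
        if ("$($p.Value)" -match 'svcchost\.exe') {
            $findings += "Autorun value '$($p.Name)' in $key -> $($p.Value)"
        }
    }
}

# 3. The two security-setting changes the page lists (assumption: Lsa key is under CurrentControlSet).
$ole = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
if ($ole -and $ole.EnableDCOM -eq 'N') { $findings += 'HKLM\SOFTWARE\Microsoft\Ole EnableDCOM = N' }
$lsa = Get-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if ($lsa -and $lsa.restrictanonymous -eq 1) { $findings += 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa restrictanonymous = 1' }

# 4. Live TCP connection to the IRC command-and-control endpoint, with the owning process.
$conn = Get-NetTCPConnection -RemoteAddress $Indicators.C2Address -RemotePort $Indicators.C2Port -ErrorAction SilentlyContinue
if ($conn) { $findings += "TCP connection to $($Indicators.C2Address):$($Indicators.C2Port) (PID $($conn.OwningProcess))" }

if ($findings.Count -eq 0) { 'No W32/Sdbot.worm!76714 indicators found.' } else { $findings }
```

A hit on any single indicator is worth triage, but only the dropped file and the autorun entry are specific to this sample; the Ole and Lsa values can be set legitimately by policy.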

Method of Infection

W32/Sdbot.worm!76714 scans for vulnerable machines on the network and uses the following Microsoft vulnerabilities to spread.

Once the attack on a vulnerable computer is successful, it issues a tftp command to download a copy of itself from the attacking machine.

Removal

All Users:
Use the specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

W32/Sdbot.worm!76714 is an IRC controlled backdoor, which provides an attacker with unauthorised remote access to the compromised computer. An attacker can gain control over the compromised computer and use it to launch a DDoS attack on internet systems.

There are multiple versions of the W32/Sdbot family of worms that use IRC (Internet Relay Chat) as a command and control mechanism. Such worms typically use exploits and weak passwords to spread to vulnerable machines on the network.
