WORM_SDBOT.BRT
Overview

Malware type: Worm

Aliases: Backdoor.Win32.SdBot.abf (Kaspersky), W32/Sdbot.worm.gen.bj (McAfee), W32.Randex (Symantec), Worm/SdBot.38912.14 (Avira), W32/Sdbot-Fam (Sophos)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows NT, 2000, XP

Encrypted: No

Overall risk rating:


Reported infections:

Damage potential: High

Distribution potential: High

Description: 

This worm arrives through network shared folders. Upon execution, it drops a copy of itself in the Windows system folder. It modifies the registry to ensure its automatic execution at every Windows startup.

It spreads through network shared folders. It lists all available network shared folders and drops a copy of itself in each of them. It also generates target IP addresses and drops a copy of itself in the default shared folders of each target address. For shared folders with restricted access, it tries a list of user names and passwords.

This worm has backdoor capabilities. It connects to an Internet Relay Chat (IRC) server and joins a specific channel. Once connected, it listens for commands coming from a remote malicious user, and it executes these commands on the affected system.


Description created: Jul. 25, 2005 4:10:59 AM GMT -0800
