TrendLabs Malware Blog
Glossary
TrendWatch
TrendLabs Twitter
WORM_SDBOT.CWB
Overview
Solution

Malware type: Worm

Aliases: Backdoor.Win32.SdBot.akc (Kaspersky), W32/Sdbot.worm.gen.by (McAfee), W32.HLLW.Gaobot (Symantec), Worm/SdBot.56974 (Avira), Troj/Rootkit-W (Sophos), Backdoor:Win32/Rbot (Microsoft)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

 High

Distribution potential:

 High

Infection Channel 1 : Propagates via network shares

Infection Channel 2 : Propagates via software vulnerabilities

Description: 

This worm spreads by dropping copies of itself in available network shares. It also takes advantage of the Windows vulnerability whose description is found in the following Microsoft Web page:

It also drops a file detected by Trend Micro as TROJ_ROOTKIT.E in the Windows system folder.

It generates IP addresses and spreads by attempting to drop a copy of itself in target addresses' default shares. If the said shares are password-protected, it uses a hardcoded list of user names and passwords as its login credentials to gain access.

Using a random port, it connects to an Internet Relay Chat (IRC) server and joins a specific channel, where it listens for commands from a remote malicious user. The said commands are executed locally on affected machines.

Moreover, this worm performs denial of service (DoS) attacks against target sites using different flood methods.

For additional information about this threat, see:
Solution
Technical Details

Description created: Dec. 20, 2005 8:18:41 PM GMT -0800

Search a new malware

Tell us how we did. Take our quick survey.