WORM_SDBOT.IH
Overview

Malware type: Worm

Aliases: Backdoor.Win32.SdBot.arz (Kaspersky), W32/Sdbot.worm.gen.bh (McAfee), W32.Spybot.Worm (Symantec), Worm/SdBot.173568.6 (Avira), W32/Sdbot-BVQ (Sophos)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 95, 98, ME, NT, 2000, XP

Encrypted: No

Overall risk rating:


Reported infections:

Damage potential: High

Distribution potential: High

Description: 

This memory-resident worm propagates via Internet Relay Chat (IRC) and network shares.

It connects to a specific IRC server and listens for malicious commands, which it then executes on the affected system. It also steals CD keys of certain game applications.

To spread via network shares, it scans the network for machines with weak passwords and attempts to drop a copy of itself in specific shared folders. It also uses a long list of passwords to brute-force its way into the system.

It also scans certain ports to detect whether BKDR_OPTIXPRO, BKDR_NETDEVIL, WORM_MYDOOM, or KUANG variants are active on the machine.

This UPX-compressed malware is written using Microsoft Visual C++, a high-level programming language, and runs on Windows 95, 98, ME, NT, 2000, and XP.


Description created: May. 17, 2004 4:12:56 PM GMT -0800
Description updated: May. 17, 2004 4:12:53 PM GMT -0800
