Type: Spyware Worm
W32/Sdbot-AAQ is a worm and IRC backdoor Trojan for the Windows platform.
W32/Sdbot-AAQ spreads to other network computers by:
- copying itself to network shares protected by weak passwords
- sending itself over AOL Instant Messenger
- exploiting common buffer overflow vulnerabilities, including:
  - the Workstation service (WKS) overflow, MS03-049 (CAN-2003-0812)
  - the SQL Server Resolution Service (MSSQL) overflow, MS02-039 (CAN-2002-0649)
W32/Sdbot-AAQ runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Sdbot-AAQ includes functionality to:
- access the internet and communicate with a remote server via HTTP
- carry out DDoS flooder attacks
- provide a proxy server
- hide its activity behind any existing process named "mIRC" or "mIRC32"
- silently download, install and run new software, including updates of its software
When first run W32/Sdbot-AAQ creates the file <System>\rdriv.sys.
The file rdriv.sys is detected as Troj/Rootkit-W. W32/Sdbot-AAQ then uses the dropped rootkit driver rdriv.sys to hide itself.
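The indicators above (the dropped driver, the mIRC/mIRC32 host processes, and the two unpatched bulletins the worm exploits) are the things a responder checks first on a suspect host. The following Python is an added triage example written for this page; it is not part of the original description or of any vendor tool. It runs over a host inventory collected by other means (file listing, process list, installed bulletin IDs) and reports which indicators are present. The HostInventory layout, the severity labels and the sample hosts are assumptions made for the example; the sample inventories are constructed, not real captures. Note that a process named mIRC or mIRC32 is also what a legitimate mIRC install looks like, so that indicator is reported for review rather than as a confirmed infection.

```python
"""Triage a host inventory for the W32/Sdbot-AAQ indicators described above.

Added example, not vendor code. The inventory format is an assumption:
Windows paths as strings, process image names, and installed Microsoft
security bulletin IDs (mapping those to the KB numbers a given Windows
build reports is left to whoever collects the inventory).
"""
import ntpath  # Windows path semantics regardless of the platform this runs on
from dataclasses import dataclass, field

# Indicators taken from the description above.
DROPPED_ROOTKIT_DRIVER = "rdriv.sys"          # dropped into <System>, detected as Troj/Rootkit-W
HOST_PROCESS_NAMES = {"mirc", "mirc32"}        # processes the bot hides behind (also legit mIRC)
EXPLOITED_BULLETINS = {
    "MS03-049": "CAN-2003-0812",               # Workstation service (WKS) overflow
    "MS02-039": "CAN-2002-0649",               # SQL Server Resolution Service (MSSQL) overflow
}
SEVERITY_RANK = {"high": 0, "medium": 1, "review": 2}


@dataclass
class HostInventory:
    """Assumed inventory layout: what a collector would hand to the triage step."""
    system_dir: str                               # e.g. C:\WINDOWS\system32
    files: set = field(default_factory=set)       # absolute paths of files present
    processes: set = field(default_factory=set)   # image names of running processes
    bulletins: set = field(default_factory=set)   # installed Microsoft bulletin IDs


def triage(inv):
    """Return (severity, message) findings, highest severity first."""
    findings = []

    # 1. The dropped rootkit driver in the system directory is the strongest indicator.
    driver_path = ntpath.join(inv.system_dir, DROPPED_ROOTKIT_DRIVER)
    present = {p.lower() for p in inv.files}
    if driver_path.lower() in present:
        findings.append(("high", f"dropped rootkit driver present: {driver_path} (Troj/Rootkit-W)"))

    # 2. A process named mIRC/mIRC32 is what the bot hides behind, but legitimate mIRC
    #    looks the same, so flag it for manual review rather than as an infection.
    for image in sorted(inv.processes):
        base = ntpath.splitext(ntpath.basename(image))[0].lower()
        if base in HOST_PROCESS_NAMES:
            findings.append(("review", f"process {image!r} running; W32/Sdbot-AAQ hides behind mIRC/mIRC32"))

    # 3. Missing patches for the overflows the worm exploits mean the host can be
    #    (re)infected over the network regardless of whether it is infected now.
    for bulletin, cve in sorted(EXPLOITED_BULLETINS.items()):
        if bulletin not in inv.bulletins:
            findings.append(("medium", f"{bulletin} ({cve}) not installed; exploited by W32/Sdbot-AAQ"))

    return sorted(findings, key=lambda f: SEVERITY_RANK[f[0]])


def is_infected(findings):
    """True only on a confirmed indicator (the dropped driver), not on review items."""
    return any(sev == "high" for sev, _ in findings)


def sample_infected_host():
    """Constructed inventory: driver dropped, mIRC32 running, one bulletin missing."""
    return HostInventory(
        system_dir=r"C:\WINDOWS\system32",
        files={r"C:\WINDOWS\system32\rdriv.sys", r"C:\WINDOWS\system32\kernel32.dll"},
        processes={"mIRC32.exe", "explorer.exe", "svchost.exe"},
        bulletins={"MS03-049"},
    )


def sample_clean_host():
    """Constructed inventory: no driver, no mIRC, both bulletins installed."""
    return HostInventory(
        system_dir=r"C:\WINDOWS\system32",
        files={r"C:\WINDOWS\system32\kernel32.dll"},
        processes={"explorer.exe", "svchost.exe"},
        bulletins={"MS03-049", "MS02-039"},
    )


if __name__ == "__main__":
    for label, host in (("infected", sample_infected_host()), ("clean", sample_clean_host())):
        findings = triage(host)
        print(f"{label}: infected={is_infected(findings)}")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
```

The file comparison is case-insensitive and uses ntpath so the check behaves the same whether the triage runs on the Windows host itself or on an inventory exported to an analyst workstation; the patch check reports each missing bulletin separately so a host that is clean today but still exposed to the WKS or MSSQL overflow is not mistaken for a finished case.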
The following patches for the operating system vulnerabilities exploited by W32/Sdbot-AAQ can be obtained from the Microsoft website: