W32/SdBot-AD

Feb 9, 2004 1:35AM PST

Aliases
Backdoor.IRCBot.gen, W32/Sdbot.worm.gen

Type
Win32 worm

Description
W32/SdBot-AD is a worm with backdoor functionality that allows unauthorised access and control of the computer from IRC channels.
Upon execution, W32/SdBot-AD drops two copies of itself to the Windows System folder as cmst32.exe and spoolserv.exe. The worm also drops the following files to the same folder:

pctime32.bat, detected as W32/SdBot-AD
runtime.bat, detected as W32/SdBot-AD
svhost32.exe, PSEXEC, a legitimate networking utility
smshost.exe - Troj/Saye-A which is infected by W32/Parite-B

In order to run automatically when Windows starts up, the worm adds the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft DirectX
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Microsoft DirectX
The worm attempts to copy itself to the Windows system folder on weakly protected network shares and executes the dropped worm copy.

http://www.sophos.com/virusinfo/analyses/w32sdbotad.html
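
A triage check built from the indicators in the description above, as an added example that is not part of the original post or the linked analysis: it scans saved `reg query` output and a System folder file listing for the listed autorun value and dropped file names. The sample input, including the registry value data, is constructed, and matching is by name only, so any hit still needs confirming with a scanner.

```python
import re

# Indicators copied from the description above; matching is by name only.
AUTORUN_KEYS = {
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\runservices",
}
AUTORUN_VALUE = "microsoft directx"
DROPPED_FILES = {"cmst32.exe", "spoolserv.exe", "pctime32.bat",
                 "runtime.bat", "svhost32.exe", "smshost.exe"}
VALUE_LINE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s*(.*)$")

def norm_key(key):
    """Lower-case a key path and shorten the hive name to HKLM form."""
    return key.strip().lower().replace("hkey_local_machine", "hklm", 1)

def scan_reg_query(text):
    """Return (key, value name, data) for each listed autorun entry found."""
    hits, key = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():      # reg.exe prints key paths unindented
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if (m and key and norm_key(key) in AUTORUN_KEYS
                and m.group(1).lower() == AUTORUN_VALUE):
            hits.append((key, m.group(1), m.group(3).strip()))
    return hits

def scan_system_folder(names):
    """Return file names from a System folder listing that match a dropped file."""
    return sorted(n for n in names if n.lower() in DROPPED_FILES)

# Constructed sample input (not from a real host). The value data is made up:
# the description gives the value name but not what it points to.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SoundMan    REG_SZ    SOUNDMAN.EXE
    Microsoft DirectX    REG_SZ    cmst32.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    Microsoft DirectX    REG_SZ    cmst32.exe
"""
SAMPLE_FILES = ["kernel32.dll", "CMST32.EXE", "spoolsv.exe", "svhost32.exe"]

if __name__ == "__main__":
    print(scan_reg_query(SAMPLE_REG), scan_system_folder(SAMPLE_FILES))
```

The legitimate Windows print spooler, spoolsv.exe, appears in the sample listing and is not flagged; only the worm's spoolserv.exe name is on the list.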
