Thank you for being a valued part of the CNET community. As of December 1, 2020, the forums are in read-only format. In early 2021, CNET Forums will no longer be available. We are grateful for the participation and advice you have provided to one another over the years.

Thanks,

CNET Support

General discussion

W32/SdBot-BB

Mar 16, 2004 12:11AM PST

Aliases
Backdoor.IRCBot.gen, W32/Randbot.worm

Type
Win32 worm

Description
W32/SdBot-BB is a worm which attempts to spread to ADMIN$ and C$ network shares and allows unauthorised remote access to a computer via IRC channels while running in the background as a service process.
On execution W32/SdBot-BB attempts to copy itself to the available ADMIN$ and C$ network shares with the filename GT.exe in the Windows system32 folder.

The worm copies itself to the Windows system32 folder as toker.exe and adds to the following registry entries to run itself on system restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\
Run\Registration Service

HKLM\Software\Microsoft\Windows\CurrentVersion\
RunServices\Registration Service

http://www.sophos.com/virusinfo/analyses/w32sdbotbb.html

Discussion is locked