Thank you for being a valued part of the CNET community. As of December 1, 2020, the forums are in read-only format. In early 2021, CNET Forums will no longer be available. We are grateful for the participation and advice you have provided to one another over the years.

Thanks,

CNET Support

General discussion

W32/SdBot-HH

Feb 18, 2004 11:48PM PST

Aliases
Backdoor.IRCBot.gen, IRC/SdBot.OB

Type
Win32 worm

Description
W32/SdBot-HH is an internet worm and an IRC backdoor Trojan.
W32/SdBot-HH copies itself into the Windows system folder as Wincom.EXE and creates the following registry entries to point to it:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\

W32/SdBot-HH attempts to run as a service process.

W32/SdBot-HH scans networks for shares protected by weak passwords and attempts to copy itself over to those shares. The worm also logs onto a predefined IRC server and waits for backdoor commands.

http://www.sophos.com/virusinfo/analyses/w32sdbothh.html

Discussion is locked