Win32/Sdbot


Microsoft security software detects and removes this family of threats.
 
This family of backdoor trojans can give a malicious hacker access and control of your PC. They connect to an internet relay chat (IRC) server to receive commands from the hacker. 
 
They can then spread to other PCs, launch denial of service (DoS) attacks, and collect information about your PC.


What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

When Win32/Sdbot runs, it copies itself to %windir% or <system folder>. In many cases, it adds a value to one or more registry keys. These changes cause the trojan to run whenever Windows starts. Some variants also add a Windows system service to attain similar results.
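The persistence described above (a copy dropped into %windir% or the system folder, started from an autorun registry value) is what a responder looks for first. The following added example is not part of the Microsoft entry: it parses the output shape of `reg query` for an autorun key and flags values whose executable lives directly in %windir% or the system folder. The registry text, the value names and the file names are constructed placeholders, not real Sdbot artefacts.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape `reg query HKLM\...\Run` prints. The two
# "ConstructedBot*" entries stand in for the kind of autorun value Win32/Sdbot
# adds; the file names are invented, not real Sdbot file names.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %ProgramFiles%\Windows Defender\MSASCuiL.exe
    VMware User Process    REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
    ConstructedBot1    REG_SZ    C:\WINDOWS\constructed_bot.exe
    ConstructedBot2    REG_SZ    %windir%\system32\constructed_svc.exe -s
"""

# Fixed expansions so the check runs offline; on a live host use os.environ.
ENV = {"%WINDIR%": r"C:\WINDOWS", "%SYSTEMROOT%": r"C:\WINDOWS",
       "%PROGRAMFILES%": r"C:\Program Files"}

# The copy targets named in the entry: %windir% and the system folder.
WATCHED_DIRS = {r"c:\windows", r"c:\windows\system32"}

VALUE_RE = re.compile(r"^\s+(.+?)\s{2,}(REG_\w+)\s+(.*)$")
EXE_RE = re.compile(r'^\s*"?([^"]*?\.exe)', re.IGNORECASE)

def expand_env(s: str) -> str:
    """Replace %VAR% tokens using the fixed ENV table (case-insensitive)."""
    return re.sub(r"%[^%]+%", lambda m: ENV.get(m.group(0).upper(), m.group(0)), s)

def parse_reg_query(text: str) -> Dict[str, str]:
    """Map autorun value names to their command strings."""
    entries = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m:
            entries[m.group(1)] = m.group(3).strip()
    return entries

def executable_of(command: str) -> str:
    """Pull the executable path out of a Run command, quoted or bare."""
    m = EXE_RE.match(command)
    if m:
        return expand_env(m.group(1))
    parts = command.split()
    return expand_env(parts[0]) if parts else ""

def flag_autoruns(text: str) -> List[Tuple[str, str]]:
    """Return (value name, executable) for autoruns launched straight from
    %windir% or the system folder, the placement the entry describes."""
    flagged = []
    for name, cmd in parse_reg_query(text).items():
        exe = executable_of(cmd)
        if ntpath.dirname(exe).lower() in WATCHED_DIRS:
            flagged.append((name, exe))
    return flagged
```

Flagged entries are candidates for review, not verdicts: compare the file against a known-good baseline and check for a matching Windows service, since the entry notes some variants persist that way instead.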
 
Win32/Sdbot connects to an internet relay chat (IRC) server and joins a channel to receive commands, which can include actions such as:
  • Scanning for unpatched computers on the network.
  • Scanning ports on the network.
  • Downloading and running remote files.
  • Monitoring network traffic.
  • Launching HTTP/HTTPD, SOCKS4, and TFTP/FTP servers.
  • Enabling or disabling DCOM protocol.
  • Retrieving computer configuration information, including Windows logon information, user account information, open shares, file system information, and network connection information.
  • Logging keystrokes.
  • Retrieving CD keys of games.
  • Capturing screens and Webcam shots.
  • Redirecting TCP traffic.
  • Uploading files through FTP.
  • Sending e-mail.
  • Manipulating processes and services.
  • Conducting denial of service (DoS) attacks.
 
Upon receiving IRC commands, the trojan can spread to remote computers by exploiting one or more Windows vulnerabilities. Win32/Sdbot can spread to remote computers by trying weak passwords that it draws from a fixed list. The trojan may exploit the MS03-026 vulnerability to create a remote shell on a PC. The trojan uses the remote shell to copy and run itself on a remote computer. The trojan can also be instructed through IRC commands to spread through backdoor ports opened by Mydoom, Bagle, Optix, Netdevil, and other malicious software families.

Some variants of the trojan terminate security-related products. Later variants of the trojan can install a kernel-mode rootkit driver, which hides the trojan process from Task Manager and other process-viewer applications.

Symptoms

Your computer may be infected with a Win32/Sdbot variant if you experience any of the following symptoms:
  • The operating system shuts down after displaying a dialog box.
  • Your computer displays an LSA Shell error report dialog box.
  • Your computer restarts without user interaction; in this case, you may see a system shutdown dialog box.

Prevention


Alert level: High
This entry was first published on: Apr 20, 2005
This entry was updated on: May 13, 2014

This threat is also detected as:
  • Backdoor.Sdbot (Symantec)
  • W32/Sdbot.worm (McAfee)
  • WORM_SDBOT (Trend Micro)
  • Win32/SDBot (CA)
  • SdBot (F-Secure)