Sdbot-XK, also referred to as Win32/Sdbot-XK, is a network worm that opens a backdoor on an infected computer, through which unapproved downloads and installations may occur. Sdbot-XK usually spreads by exploiting weaknesses in LSASS, RPC DCOM, the Workstation service, Microsoft SQL 2000, and Microsoft SQL servers with weak passwords. Once active, Sdbot-XK may move itself to the Windows system folder under the name b.exe. It then alters specific registry values so that it runs as soon as Windows starts up, and disables the Windows Internet Connection Firewall, Automatic Updates and Security Center.

File System Details

Sdbot-XK may create the following file(s):

Registry Details

Sdbot-XK may create the following registry entry or registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run b.exe b.exe
HKCU\SYSTEM\CurrentControlSet\Control\Lsa b.exe b.exe
HKLM\SYSTEM\CurrentControlSet\Control\Lsa restrictanonymous 1
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices b.exe b.exe
HKLM\SOFTWARE\Microsoft\Ole EnableDCOM N
HKCU\Software\Microsoft\Windows\CurrentVersion\Run b.exe b.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices b.exe b.exe
HKCU\Software\Microsoft\OLE b.exe b.exe
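
A defender can check a host's registry export against the entries listed above. The following is an added example, not part of the original entry: it parses `reg export` style text and reports matches, and the function names, the strong/weak split and the sample export are assumptions made for illustration.

```python
import re

# Registry entries exactly as listed on this page: key path, value name, data.
PAGE_ENTRIES = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Run b.exe b.exe
HKCU\SYSTEM\CurrentControlSet\Control\Lsa b.exe b.exe
HKLM\SYSTEM\CurrentControlSet\Control\Lsa restrictanonymous 1
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices b.exe b.exe
HKLM\SOFTWARE\Microsoft\Ole EnableDCOM N
HKCU\Software\Microsoft\Windows\CurrentVersion\Run b.exe b.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices b.exe b.exe
HKCU\Software\Microsoft\OLE b.exe b.exe
"""
# Registry names are case-insensitive, so everything is compared in lower case.
INDICATORS = [tuple(l.lower().rsplit(None, 2)) for l in PAGE_ENTRIES.splitlines() if l.strip()]
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}

def parse_reg(text):
    """Yield (key, value name, data) triples from 'reg export' style text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            key = HIVES.get(hive, hive) + "\\" + rest
        elif key and (m := re.match(r'"([^"]+)"=(.*)', line)):
            name, raw = m.groups()
            # dword values are hex in the export; the page lists them in decimal.
            data = str(int(raw[6:], 16)) if raw.startswith("dword:") else raw.strip('"')
            yield key.lower(), name.lower(), data.lower()

def scan(reg_text):
    """Return (strong, weak) matches against the page's entries.
    restrictanonymous=1 and EnableDCOM=N are also set on purpose by
    administrators as hardening, so on their own they are weak indicators."""
    found = set(parse_reg(reg_text))
    hits = [i for i in INDICATORS if i in found]
    return [h for h in hits if h[1] == "b.exe"], [h for h in hits if h[1] != "b.exe"]

# Constructed sample export (not taken from a real host).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"b.exe"="b.exe"
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001
'''

if __name__ == "__main__":
    for label, hits in zip(("STRONG", "WEAK"), scan(SAMPLE_EXPORT)):
        for key, name, data in hits:
            print(f"{label}: {key} {name}={data}")
```

`reg export` writes UTF-16 text, so decode the file before passing it to `scan`. The matcher compares value data exactly as the page lists it, so an entry whose data is a full path to b.exe would need a looser comparison.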


