Virus: Worm/SdBot.446976
Date discovered: 09/09/2008
Type: Worm
In the wild: Yes
Reported Infections: Medium
Distribution Potential: Medium
Damage Potential: Medium
Static file: Yes
File size: 446.976 Bytes
MD5 checksum: 41fbbb8b69ea05b58e3d4f6e316efef1
IVDF version: 7.00.06.131 - Tuesday, September 9, 2008

General
Aliases:
   •  McAfee: W32/Sdbot.worm.gen.ci virus
   •  Panda: W32/Sdbot.MAW.worm
   •  Eset: Win32/AutoRun.Agent.GW
   •  Bitdefender: Backdoor.Bot.51574


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops malicious files
   • Registry modification

Files
It copies itself to the following location:
   • %WINDIR%\iTuneshelp.exe



It deletes the initially executed copy of itself.

Registry
One of the following values is added in order to run the process after reboot:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "MSN"="%WINDIR%\iTuneshelp.exe"

Messenger
It spreads via Messenger. The characteristics are described below:

– MSN Messenger


To:
All entries in the contact list.

The URL then refers to a copy of the described malware. If the user downloads and executes this file, the infection process will start again.

File details
Runtime packer:
To make detection more difficult and reduce the size of the file, it is packed with the following runtime packer:
   • Themida

Description inserted by Petre Galan on Friday, November 13, 2009
Description updated by Petre Galan on Friday, November 13, 2009
