Yet another IM worm: WORM_SDBOT.CWG
This worm may propagate through the following techniques:

  • AOL Instant Messenger (requires remote user intervention)
  • Internet Relay Chat
  • Microsoft Vulnerabilities (MS04-007 & MS05-039)

This malware uses anti-debugging techniques. It calls the IsDebuggerPresent API, which reports whether the process is being debugged, and it also detects VMware by checking the registry for an entry indicating that VMware Tools is installed.

Most of its strings are encrypted using its own encryption table. One noticeable string in its body, once decrypted, is “[Reptile – 0.33]”.
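As an added example (not code from the original post or from Trend Micro), here is a small Python triage helper that looks for static evidence of the two checks described above: an IsDebuggerPresent import and a string referencing the VMware Tools registry key. The registry path `SOFTWARE\VMware, Inc.\VMware Tools`, the constructed sample bytes and the optional `pefile` wrapper are assumptions; the post names none of them.

```python
# Static triage for the anti-debug / anti-VM indicators described in the post.
# Assumption: the VMware Tools check looks at the well-known registry key
# "SOFTWARE\VMware, Inc.\VMware Tools"; the post does not name the exact path.
DEBUG_APIS = {"IsDebuggerPresent"}
VM_REGISTRY_MARKERS = [rb"VMware, Inc.\VMware Tools"]


def _wide(s: bytes) -> bytes:
    """UTF-16LE form of an ASCII byte string (how Windows stores wide strings)."""
    return s.decode("ascii").encode("utf-16-le")


def anti_analysis_indicators(imports, data: bytes) -> dict:
    """Return the anti-debug imports and VMware registry strings found.

    imports: iterable of imported function names (e.g. from a PE import table)
    data:    raw file bytes, scanned for both narrow and wide string forms
    """
    hits = {"anti_debug_imports": [], "vm_registry_strings": []}
    for name in imports:
        if name in DEBUG_APIS:
            hits["anti_debug_imports"].append(name)
    for marker in VM_REGISTRY_MARKERS:
        for label, needle in (("ascii", marker), ("utf-16le", _wide(marker))):
            if needle in data:
                hits["vm_registry_strings"].append((marker.decode(), label))
    return hits


def scan_pe(path: str) -> dict:
    """Convenience wrapper around the third-party pefile module (pip install pefile)."""
    import pefile  # imported lazily so the core checks work without it
    pe = pefile.PE(path)
    names = []
    for entry in getattr(pe, "DIRECTORY_ENTRY_IMPORT", []):
        for imp in entry.imports:
            if imp.name:
                names.append(imp.name.decode())
    with open(path, "rb") as f:
        return anti_analysis_indicators(names, f.read())


# Constructed sample input: an import list and a byte blob that carries the
# registry path once as ASCII and once as UTF-16LE, as a real binary might.
SAMPLE_IMPORTS = ["GetProcAddress", "IsDebuggerPresent", "RegOpenKeyExA"]
SAMPLE_DATA = (b"\x00" * 16
               + b"SOFTWARE\\VMware, Inc.\\VMware Tools\x00"
               + _wide(b"SOFTWARE\\VMware, Inc.\\VMware Tools"))

if __name__ == "__main__":
    print(anti_analysis_indicators(SAMPLE_IMPORTS, SAMPLE_DATA))
```

Because the post says most of this worm's strings are encrypted, the string scan alone can miss a sample like this one; rely on the import check as well, and confirm with dynamic analysis where imports are resolved at runtime.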

So if you are not sure about a link being sent to you on an Instant Messenger service (e.g., AOL, Yahoo, MSN), DO NOT click it.

For complete technical analysis and removal instructions, please see the links below:
WORM_SDBOT.CWG Technical Details
WORM_SDBOT.CWG Removal Instructions