W32/Sdbot-DNZ is a worm that is spread by IRC programs such as MSN Messenger. It runs in the background, providing a backdoor server which allows an intruder to gain access to and control the computer via IRC channels.
When W32/Sdbot-DNZ is first run it copies itself to C:\Program Files\VMwareService.exe. The file VMwareService.exe is registered as a new system driver service called "VMwareService", with the display name "VMwareService", and is set to start automatically.
Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\VMwareService
The W32/Sdbot-DNZ worm spreads via MSN and copies itself into the recycle bin of connected drives (e.g. USB sticks, flash drives, etc.). The worm then creates an autorun.inf file in the root of that drive so that it runs itself the next time the drive is mounted.
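Because the infection vector described above is an autorun.inf that points back into the drive's recycle-bin folder, a practical triage step is to parse any autorun.inf found in a drive root and flag the entries that would execute something on mount. The following script is an added example written for this write-up, not code from the author or from any vendor tool. It assumes the recycle-bin folder names RECYCLER, RECYCLED and $Recycle.Bin (the text only says "recycling bin"), and both autorun.inf samples are constructed, including the SID-style folder name in the worm sample.

```python
import re
from dataclasses import dataclass

# [autorun] keys that cause something to run when the drive is mounted or
# opened; icon/label/action only change how the drive is presented.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_COMMAND_KEY = re.compile(r"^shell\\[^\\]+\\command$")
EXECUTABLE_SUFFIXES = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif")
# Assumed recycle-bin folder names (RECYCLER/RECYCLED on XP-era drives,
# $Recycle.Bin on Vista and later); the write-up only says "recycling bin".
RECYCLE_BIN_DIRS = ("recycler", "recycled", "$recycle.bin")

# Constructed sample of a worm-dropped autorun.inf. The SID-style folder
# name is made up for this example; the file name is the one the write-up gives.
WORM_AUTORUN_INF = """[autorun]
open=RECYCLER\\S-1-5-21-0000000000-0000000000-0000000000-500\\VMwareService.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
shell\\open\\command=RECYCLER\\S-1-5-21-0000000000-0000000000-0000000000-500\\VMwareService.exe
"""

# Constructed sample of a benign autorun.inf from an installer CD.
INSTALLER_AUTORUN_INF = """[autorun]
open=setup.exe
icon=setup.exe,0
label=Product Installer
"""


@dataclass
class Finding:
    key: str
    value: str
    severity: str
    reason: str


def parse_autorun(text):
    """Return the [autorun] section as {lower-cased key: value}.

    Hand-rolled rather than configparser so that '%SystemRoot%' values and
    duplicate keys, both common in real autorun.inf files, do not raise.
    """
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def is_launch_key(key):
    return key in LAUNCH_KEYS or SHELL_COMMAND_KEY.match(key) is not None


def triage_autorun(text):
    """Flag [autorun] entries that execute something; highest severity when
    the target lives inside a recycle-bin folder, as in this worm."""
    entries = parse_autorun(text)
    findings = []
    for key, value in entries.items():
        if not is_launch_key(key):
            continue
        target = value.lower().replace("/", "\\")
        path_parts = [p for p in target.split("\\") if p]
        first_token = (target.split() or [target])[0]   # program before any arguments
        if any(p in RECYCLE_BIN_DIRS for p in path_parts):
            findings.append(Finding(key, value, "high",
                                    "launches a file from a recycle-bin folder"))
        elif first_token.endswith(EXECUTABLE_SUFFIXES):
            findings.append(Finding(key, value, "medium",
                                    "launches an executable on mount"))
    # A spoofed 'Open folder to view files' label next to a launching entry
    # makes the AutoPlay prompt look like Windows' own option.
    if findings and entries.get("action", "").lower() == "open folder to view files":
        findings.append(Finding("action", entries["action"], "high",
                                "action text mimics the native AutoPlay choice"))
    return findings


if __name__ == "__main__":
    for label, sample in (("worm", WORM_AUTORUN_INF), ("installer", INSTALLER_AUTORUN_INF)):
        print(label)
        for f in triage_autorun(sample):
            print(f"  [{f.severity}] {f.key}={f.value}: {f.reason}")
```

Run against a real drive by reading `X:\autorun.inf` into `triage_autorun`; a "high" finding is a strong signal that the drive should be quarantined and its recycle-bin folder inspected, while a lone "medium" on `open=setup.exe` is what a legitimate installer disc looks like.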
Some variants of this virus are capable of infecting web files and program files, often irreparably, and if the infected computer is acting as a web server then the virus is capable of infecting anyone who visits any of the sites hosted on that server.
The W32/Sdbot-DNZ worm is also known as:
W32/Virut.remnants
Win32/AutoRun.Delf.AG Worm
Virus.Win32.Virut.n
Write Up By: Baz {FireStorm}
Website Owners / Administrators
It is imperative that server security is a priority. You should ensure that any publicly accessible systems are behind firewalls and running good-quality antivirus software. Web side: query-string and form data should be validated rigorously and fully sanitised before being used in a database query or rendered on any page.
All session objects should be subject to the same checks. Simply checking 'Server Variables' is not acceptable protection; these can be spoofed. Restricting database rights is important on high-use front-end web applications: only allow what is absolutely essential.
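The advice above (validate query-string, form and session data before it reaches the database, and give the web application only the database rights it needs) is shown in working form below. This is an added example for this write-up, not the author's code: it uses an in-memory SQLite table with constructed rows, an allowlist validator of my own design, and SQLite's `PRAGMA query_only` as a stand-in for a least-privilege database account, since SQLite has no GRANT.

```python
import re
import sqlite3

# Allowlist for a username read from the query string, a form field or the
# session: letters, digits and a few punctuation characters, bounded length.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def validate_username(raw):
    """Reject anything outside the allowlist instead of trying to strip
    dangerous characters; returns the value unchanged when it passes."""
    if not isinstance(raw, str) or USERNAME_RE.match(raw) is None:
        raise ValueError("invalid username")
    return raw


def build_demo_db():
    """In-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, name):
    """The pattern the advice warns against: untrusted text spliced into SQL."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Parameterised query: the value is bound, never parsed as SQL."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def restrict_to_read_only(conn):
    """Stand-in for a least-privilege database account: SQLite's query_only
    pragma makes every write on this connection fail."""
    conn.execute("PRAGMA query_only = 1")
    return conn


def try_write(conn):
    """True if the connection could modify data, False if it was refused."""
    try:
        conn.execute("UPDATE users SET email = 'x' WHERE name = 'alice'")
        return True
    except sqlite3.OperationalError:
        return False


def run_demo(untrusted_name="' OR '1'='1"):
    """Run the same tampered value through both query paths and the validator."""
    conn = build_demo_db()
    results = {
        "unsafe_rows": len(lookup_unsafe(conn, untrusted_name)),  # every row leaks
        "safe_rows": len(lookup_safe(conn, untrusted_name)),      # no such user
    }
    try:
        validate_username(untrusted_name)
        results["validator_accepted"] = True
    except ValueError:
        results["validator_accepted"] = False
    # Session values get exactly the same treatment as query-string values.
    session = {"user": "alice"}                     # constructed session object
    results["session_user"] = validate_username(session.get("user"))
    results["write_allowed"] = try_write(restrict_to_read_only(conn))
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The concatenated query returns every row for a tampered value while the parameterised one returns nothing, the allowlist rejects the value before it ever reaches the database, and once the connection is read-only the update is refused, which is the effect a front-end account without write rights has on a real database server.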