Worm_Sdbot.EPZ arrives on a system as a dropped or downloaded file of other malware. It can also arrive as a file downloaded by unsuspecting users when visiting malicious Web sites.

Upon execution, it drops a randomly named copy of itself in the Windows system folder with file attributes set to Hidden, System, and Read-only.

It also disables administrative shares and certain security-related services, thereby crippling the system's defenses, rendering it vulnerable to more attacks.


It propagates across networks by dropping copies of itself in certain network shares. It uses a predefined list of user names and passwords to gain access to password- protected shares.

This worm takes advantage of the following vulnerabilities to propagate across networks:

  • Microsoft Security Bulletin MS03-026
  • Microsoft Security Bulletin MS03-039
  • Microsoft Security Bulletin MS03-049
  • Microsoft Security Bulletin MS04-011

    This worm also has backdoor capabilities. Using random ports, this worm connects to an Internet Relay Chat (IRC) server. It then joins an IRC channel, where it listens for certain commands from a remote malicious user. Some of the said commands include obtaining the Windows login name and password of the affected system, performing denial of service (DoS) attacks, and deleting network shares.

    The said routine provides the remote user virtual control over the affected system, thus compromising system security.

    Technical details can be found at this Trend Micro page.