Aliases: W32/Sdbot.worm.gen.b
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Medium
Geographical info: Asia and US
Removal: Easy
Platform: W32
Discovered: 10 May 2004
Damage: low

Characteristics: This worm can be spread though an open file sharing. The operating systems affected by it are Windows 2000, Windows 92, Windows 98, Windows ME, Windows NT, Windows Server 2003 and Windows XP.

More details about W32.Donk.Q

This worm will try to use the susceptibility of Microsoft DCOM RPC. The W32.Donk.Q worm can also open a backdoor on the infected computer making the computer very susceptible to other worms and viruses. The worm resides in the local area network and infects other computer from there. This worm damages the computer by terminating or making some of the firewall services to work as well as antivirus programs. This virus, upon distribution, will create a replica of itself as %System%wnetmgr.exe or %System%cool.exe and add certain values on a certain registry key. These files will make way for the worm to start at the same time the windows start. The target of the worm is the administrative shares by using weak password combination. It also adds a certain value to a certain registry key to enable automatic launch upon Windows startup. The DCOM RPC is use by the worm by sending data to the TCP port 135 of the IP addresses that were generated previously.

The W32.Donk.Q application can open an unused system port. This acts as a backdoor. It is used to contact a remote server. The program will then wait for commands from the server. The commands are executed in the system without the user’s consent. This can include the deletion or changing of data and system files. Installed security software may be disabled. The settings of the system may also be changed to allow greater control to the unauthorized remote user. The user’s actions may also be recorded and sent to the remote server.