Virus Profile: W32/Sdbot.worm

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 4/10/2003
Date Added: 6/30/2003
Origin: N/A
Length: Varies
Type: Virus
Subtype: Internet Worm
DAT Required: 4258

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

The worm disables default admin shares (such as C$, D$, and Admin$) on WinNT/2K/XP systems by setting two registry key values:
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
    lanmanserver\parameters "AutoShareServer" = DWORD:0
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
    lanmanserver\parameters "AutoShareWks" = DWORD:0
A registry value is also set to disable the enumeration of shares during a null session:
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\
    Lsa "restrictanonymous" = DWORD:1
A further indication of infection is outbound IP traffic to the server IRC.DOTBLUE.ORG on TCP port 6667.
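As an added example (not part of the McAfee profile), the Python script below checks a registry export and a list of outbound connections against the indicators just listed. The .reg text and the connection records are constructed samples, and the function names are this example's own. It also encodes the caveat a responder needs: the three registry values are exactly what deliberate hardening sets, so on their own they only corroborate, while the outbound IRC connection is the discriminating signal.

```python
"""Check a registry export and outbound connection records for the
W32/Sdbot.worm indicators listed in this profile.

Added example, not McAfee code. SAMPLE_REG and SAMPLE_CONNECTIONS are
constructed data in the shape of a 'reg export' file and a firewall or
netflow summary; the function names are this example's own."""
import re

# Registry indicators from the profile: value path -> expected DWORD.
REGISTRY_INDICATORS = {
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\AutoShareServer": 0,
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\AutoShareWks": 0,
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous": 1,
}
# Network indicator from the profile.
C2_HOST = "irc.dotblue.org"
C2_PORT = 6667

# Constructed .reg export (same shape as 'reg export' output).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareServer"=dword:00000000
"AutoShareWks"=dword:00000000
"NullSessionPipes"="COMNAP,COMNODE"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001
"""

# Constructed outbound connections: (destination host, destination port).
SAMPLE_CONNECTIONS = [
    ("update.example.invalid", 443),
    ("IRC.DOTBLUE.ORG", 6667),
    ("irc.example.invalid", 6667),
]


def parse_reg_export(text):
    """Parse the subset of the .reg format that 'reg export' writes for
    DWORD and plain string values. Returns {key\\name (lowercased): value}."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$', line)
        if key is None or not m:
            continue  # other value types (hex, multi-string) are not needed here
        name, dword, string = m.groups()
        values[(key + "\\" + name).lower()] = int(dword, 16) if dword is not None else string
    return values


def check_registry(values):
    """Return the names of the profile's registry indicators that match."""
    return [path.rsplit("\\", 1)[1]
            for path, expected in REGISTRY_INDICATORS.items()
            if values.get(path.lower()) == expected]


def check_connections(connections):
    """Return (host, port, strength) for connections matching the profile:
    'strong' for the named C2 server, 'weak' for any other IRC-port traffic."""
    hits = []
    for host, port in connections:
        if port != C2_PORT:
            continue
        hits.append((host, port, "strong" if host.lower() == C2_HOST else "weak"))
    return hits


def assess(reg_text, connections):
    """Combine both checks. The registry settings alone are identical to
    deliberate hardening (admins disable admin shares and set
    RestrictAnonymous on purpose), so they only corroborate; the outbound
    IRC connection is the discriminating indicator."""
    reg_hits = check_registry(parse_reg_export(reg_text))
    net_hits = check_connections(connections)
    if any(level == "strong" for _, _, level in net_hits):
        verdict = "likely infected"
    elif len(reg_hits) == len(REGISTRY_INDICATORS):
        verdict = "review: registry matches, but indistinguishable from hardening"
    else:
        verdict = "no match"
    return {"registry": reg_hits, "network": net_hits, "verdict": verdict}


if __name__ == "__main__":
    print(assess(SAMPLE_REG, SAMPLE_CONNECTIONS))
```

On a real host the .reg text would come from `reg export` of the two keys and the connection list from firewall or proxy logs; the parser deliberately ignores value types it does not need rather than failing on them.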

Methods of Infection

The exact method of propagation will vary between variants. However, the following characteristics are typical:

Share Propagation

The worm propagates via accessible or poorly secured network shares, and some variants also take advantage of high-profile exploits.

It attempts to spread through default administrative shares, for example:

  • PRINT$
  • E$
  • D$
  • C$
  • ADMIN$
  • IPC$

Some variants also carry a list of poor username/password combinations to gain access to these shares.

Weak Passwords and Configurations

Several variants are known to probe MS SQL servers for weak administrator passwords and configurations. When successful, the virus could execute remote system commands via the SQL server access.

Aliases

W32.HLLW.Donk (Symantec), W32/Sdbot.worm.gen, W32/Sdbot.worm.gen.b
   

Virus Characteristics

-- Update December 14, 2012 --


Aliases

  • Kaspersky - Packed.Win32.Krap.at
  • Fortinet - W32/AutoRun_IRCBot.AO
  • Microsoft - Trojan:Win32/Ransom.C
  • Symantec - Trojan.Gen

 

Characteristics 

W32/Sdbot.worm.gen is a worm that spreads by copying itself to removable drives.

Upon execution, the worm tries to connect to the following hosts on remote port 3071:

  • p03.n[Removed].info
  • 173.255.[Removed].235
  • li227-235.m[Removed]ers.linode.com
  • 92.242.[Removed].50

Upon execution, the worm copies itself into the following locations:

  • %AppData%\Microsoft\winlog.exe
  • [Removable Drive]:\autorun.inf
  • [Removable Drive]:\winlog.exe

This worm also attempts to create an autorun.inf file in the root of any accessible disk volume.

The autorun.inf points to the malware executable. When the removable or networked drive is accessed from a machine that supports the Autorun feature, the malware is launched automatically.

The autorun.inf is configured to launch the worm file with the following contents:

    [autorun]
    open=winlog.exe
    icon=%SystemRoot%\system32\SHELL32.dll,4
    action=Open folder to view files
    shell\open=Open
    shell\open\command=winlog.exe
    shell\open\default=1


The following registry value is added to the system:

  • HKEY_USERS\S-1-5[Varies]\Software\Microsoft\Windows\CurrentVersion\Run\winlog.exe: "%AppData%\Microsoft\winlog.exe"

This Run value registers the worm with the compromised system so that it executes at every startup.

The worm creates a mutex with the following name:

  • G_v&$<SkBx4H`

-- Update March 24, 2009 --

A new variant was seen today (detected as W32/Sdbot.worm.gen.t). This variant drops the following file in the c:\windows\system folder:

  • msddll.exe

It creates services that point to this file, under the following registry keys:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msddll
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msddll

The worm attempts to spread by scanning the subnet over port 445 looking for vulnerable hosts.

Network connections to the following domain were observed:

  • ak3jad.com

-- Update February 2, 2005 --
These SDBot names vary considerably, but regularly try to look similar to other legitimate Windows executable names, so that a user viewing the Task Manager might assume that the names listed are valid.

Some example filenames (but not all) seen by AVERT include:

amdpatchB.exe
cmst32.exe
hcgnwlmqge.exe
hjkds.exe
hlcbome.exe
iexplore.exe
jxsrwb.exe
kveuto.exe
ms.exe
msgfix.exe
msgfix1.exe
msmon32.exe
msmon32b.exe
msnmssgs.exe
mstasks.exe
nav32.exe
ns32.exe
rssdd.exe
spool.exe
spoolserv.exe
spoolsvc.exe
svchosst.exe
svcnet.exe
svhosint32.exe
syntwin32.exe
system.exe
system03.exe
Systmesy.exe
taskmngr.exe
unreal.exe
wc.exe
WindowsSys32.exe
WINL0G0N.exe
winudap.exe
winumc.exe
winupdate32.exe
wsndlg32.exe
wuamagrd.exe
wuamgrd.exe
wuamgrd2.exe
wuamgrdk.exe
wvsvc.exe
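Many of the names above are one character away from, or a digit-for-letter swap of, a genuine Windows binary (svchosst.exe, spoolsvc.exe, WINL0G0N.exe), and one (iexplore.exe) is a genuine name used from the wrong place. As an added example that is not part of the profile, the Python below applies those two checks to a process snapshot: a normalisation that maps 0 to o and 1 to l, a Levenshtein distance against a short list of legitimate names, and an expected-directory check for names that match exactly. The process list, the legitimate-name set and the expected directories are constructed assumptions for the example, not values from the profile.

```python
"""Flag process names that imitate legitimate Windows binaries, as the
filename list above illustrates. Added example, not McAfee code. The
process snapshot is constructed; expected directories are typical
locations assumed for this example, not values from the profile."""

LEGITIMATE = {
    "svchost.exe", "winlogon.exe", "spoolsv.exe", "csrss.exe", "lsass.exe",
    "services.exe", "explorer.exe", "iexplore.exe", "taskmgr.exe", "wuauclt.exe",
}
EXPECTED_DIR = {name: r"c:\windows\system32" for name in LEGITIMATE}
EXPECTED_DIR["explorer.exe"] = r"c:\windows"
EXPECTED_DIR["iexplore.exe"] = r"c:\program files\internet explorer"

# Constructed snapshot: (image name, directory it runs from).
PROCESSES = [
    ("svchost.exe", r"C:\WINDOWS\system32"),    # genuine
    ("svchosst.exe", r"C:\WINDOWS\system32"),   # one inserted letter
    ("WINL0G0N.exe", r"C:\WINDOWS\system32"),   # zeros for o's
    ("iexplore.exe", r"C:\WINDOWS\system32"),   # genuine name, wrong directory
    ("spoolsvc.exe", r"C:\WINDOWS\system32"),   # one extra letter
    ("explorer.exe", r"C:\WINDOWS"),            # genuine
]

DIGIT_SWAPS = str.maketrans({"0": "o", "1": "l"})


def edit_distance(a, b):
    """Levenshtein distance, single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(name, directory, max_distance=2):
    """Return a reason string if the process looks suspicious, else None."""
    lower = name.lower()
    if lower in LEGITIMATE:
        expected = EXPECTED_DIR.get(lower)
        if expected and directory.lower() != expected:
            return f"legitimate name running from {directory} (expected {expected})"
        return None
    normalized = lower.translate(DIGIT_SWAPS)
    if normalized in LEGITIMATE:
        return f"digit-for-letter look-alike of {normalized}"
    closest = min(LEGITIMATE, key=lambda legit: edit_distance(normalized, legit))
    if edit_distance(normalized, closest) <= max_distance:
        return f"near-miss of {closest}"
    return None


def scan_processes(processes):
    """Return [(name, reason)] for every flagged entry, in input order."""
    findings = []
    for name, directory in processes:
        reason = classify(name, directory)
        if reason:
            findings.append((name, reason))
    return findings


if __name__ == "__main__":
    for name, reason in scan_processes(PROCESSES):
        print(f"{name}: {reason}")
```

This is a triage filter, not a verdict: names such as wuamgrd.exe are too far from any genuine binary for a distance check to catch, and a genuine name in its usual directory can still be the worm, so hits should be followed up with file hashes and signer checks rather than trusted on the name alone.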

-- Update August 11, 2004 --
There are now over 4000 variants of this threat, many of which were proactively detected, and this number continues to grow at a rapid rate. 

AVERT is constantly enhancing generic detection for this family. To ensure you have appropriate protection, use the latest DATs and the latest engine, and do not disable scanning of packed executable files.

-- Update April 6, 2004 --
There are now over 700 variants of this trojan-turned-worm. Multiple new variants are discovered each week. They vary in file size and name.

This detection is for worms that are based on the IRC-Sdbot trojan code. The source code for the IRC-Sdbot trojan was published on the Internet some time ago, and a number of worms are based on the same code. The following detections exist for such worms:

  • W32/Sdbot.worm
  • W32/Sdbot.worm.gen
  • W32/Sdbot.worm.gen.b

Due to their origins, such worms are often proactively detected as IRC-Sdbot with the 4258+ DAT files. Users are recommended to ensure the scanning of compressed files is enabled to maximise proactive detection.

These worms typically spread via network shares and create a remote access point for attackers to exploit.

Some variants can take advantage of the following vulnerabilities:

  • DCOM RPC vulnerability (MS03-026)
  • WEBDAV vulnerability  (MS03-007)
  • LSASS vulnerability (MS04-011)
  • ASN.1 vulnerability (MS04-007)
  • Workstation Service vulnerability (MS03-049)
  • PNP vulnerability (MS05-039)
  • Imail IMAPD LOGIN username vulnerability
  • Cisco IOS HTTP Authorization Vulnerability

There are some variants which use a combination of the above vulnerabilities during their attack on the system.

The description below is specific to one such worm, but the characteristics are typical for many other variants. (Exact filenames and registry key names may of course change.)

When run, it copies itself to the Windows system directory (%SysDir%) and creates two registry run keys to load the worm at system startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "Services Host" = scchost.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\RunServices "Services Host" = scchost.exe
Network Propagation

The worm's file share propagation relies on target systems being accessible for one of two reasons:
  1. Poor security on target systems
  2. The credentials of the user logged on to an infected system are sufficient to access other systems on the network

The worm scans random IP subnets for machines present on the network. Once a system is found, the worm tries to connect to the 'C$' and/or 'C' shares on that machine. The following accounts are used for the connection (with no passwords):

  • Administrator
  • Owner
  • Guest

NOTE: The virus assumes the privileges of the currently authenticated user. If a blank password is insufficient on the target system, the current credentials could be sufficient to gain access on a remote system.

Some variants also try additional administrative shares such as D$, E$, IPC$, Print$ and Admin$, and contain within them a list of common usernames/passwords to use to gain access to password-protected shares.

If successful, the worm will copy itself onto that share in one of the following locations (i.e. the Windows Startup folder):

  • C:\WINNT\Profiles\All Users\Start Menu\Programs\Startup
  • C:\WINDOWS\Start Menu\Programs\Startup
  • C:\Documents and Settings\All Users\Start Menu\Programs\Startup
  • \WINNT\Profiles\All Users\Start Menu\Programs\Startup
  • \WINDOWS\Start Menu\Programs\Startup
  • \Documents and Settings\All Users\Start Menu\Programs\Startup

Finally, the worm attempts to execute the copied file by calling the NetScheduleJobAdd function.
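The drop locations listed above are all-users Startup folders, which normally hold shortcuts rather than executables. As an added example that is not part of the profile, the Python below walks those three folders under a given volume root (a mounted image or a drive letter) and reports any executable sitting directly in them, with size and SHA-256 for follow-up. It builds its own constructed fake volume in a temporary directory so it runs anywhere; the function names and the dummy file contents are this example's own.

```python
"""Triage the Startup folders listed above for executables dropped directly
into them. Added example, not McAfee code: it builds a constructed fake
volume in a temporary directory rather than touching a real system."""
import hashlib
import os
import tempfile

# Startup folders from the profile, as path components relative to the volume root.
STARTUP_FOLDERS = [
    ("WINNT", "Profiles", "All Users", "Start Menu", "Programs", "Startup"),
    ("WINDOWS", "Start Menu", "Programs", "Startup"),
    ("Documents and Settings", "All Users", "Start Menu", "Programs", "Startup"),
]
EXECUTABLE_SUFFIXES = (".exe", ".com", ".scr", ".bat", ".cmd", ".pif")


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_startup_executables(volume_root):
    """Return a record for every executable file sitting directly in one of
    the Startup folders. Shortcuts (.lnk) are the normal content there;
    a bare .exe is what the worm leaves behind."""
    findings = []
    for parts in STARTUP_FOLDERS:
        folder = os.path.join(volume_root, *parts)
        if not os.path.isdir(folder):
            continue
        for entry in sorted(os.listdir(folder)):
            full = os.path.join(folder, entry)
            if os.path.isfile(full) and entry.lower().endswith(EXECUTABLE_SUFFIXES):
                findings.append({"name": entry, "folder": os.path.join(*parts),
                                 "size": os.path.getsize(full), "sha256": sha256_of(full)})
    return findings


def build_sample_volume(root):
    """Constructed fixture: one Startup folder holding a normal shortcut
    and a dropped executable named as in the description above."""
    startup = os.path.join(root, "Documents and Settings", "All Users",
                           "Start Menu", "Programs", "Startup")
    os.makedirs(startup)
    with open(os.path.join(startup, "Office Startup.lnk"), "wb") as f:
        f.write(b"L\x00\x00\x00")        # shortcut header stub, constructed
    with open(os.path.join(startup, "scchost.exe"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 62)    # PE header stub, constructed


def demo():
    """Build the fixture in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_volume(tmp)
        return find_startup_executables(tmp)


if __name__ == "__main__":
    for record in demo():
        print(record)
```

Against a real volume, call `find_startup_executables` with the mount point or drive root; on Windows the folder names match case-insensitively, on a Linux mount they must match as listed.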

Remote Access Trojan

The worm connects to an IRC channel and server and waits for instructions. A remote attacker can use the trojan to perform various tasks:
  • Gather system information (CPU, drive space, RAM, OS version, user name, computer name, IP address)
  • Run IRC commands (join channels, send messages)
  • SYN flood others
  • Kill processes
  • Download files
  • Execute files

Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).