-- Update December 14, 2012 --
- Kaspersky - Packed.Win32.Krap.at
- Fortinet - W32/AutoRun_IRCBot.AO
- Microsoft - Trojan:Win32/Ransom.C
- Symantec - Trojan.Gen
"W32/Sdbot.worm.gen" is a worm that spreads by copying itself to removable drives.
Upon execution, the worm tries to connect to the IP address below through remote port 3071.
Upon execution, the worm copies itself into the following locations:
- [Removable Drive]:\autorun.inf
- [Removable Drive]:\winlog.exe
This worm also attempts to create an autorun.inf file in the root of any accessible disk volume.
The AutoRun.inf file points to the malware executable. When the removable or network drive is accessed from a machine with the Autorun feature enabled, the malware is launched automatically.
The autorun.inf is configured to launch the worm file using the following command syntax:
- action=Open folder to view files
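As an added defender-side illustration (not code from the original description), the following Python triages an autorun.inf read from a drive root and flags the pattern described above: an open=/shellexecute= entry that launches an executable, combined with an action= string that mimics the Windows "Open folder to view files" prompt. The two autorun.inf samples are constructed; winlog.exe is the filename named on this page.

```python
import configparser
import re

# Constructed sample modelled on the behaviour described above: the executable
# name is the one on this page, the rest is an assumed typical layout.
SAMPLE_AUTORUN_INF = """[autorun]
open=winlog.exe
shellexecute=winlog.exe
action=Open folder to view files
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

# Constructed benign sample: only sets a label and icon, launches nothing.
BENIGN_AUTORUN_INF = """[AutoRun]
label=Backup Drive
icon=drive.ico
"""

# Text Windows itself offers for a removable drive; a worm copies it into
# action= so the AutoPlay entry that runs it looks like the built-in choice.
DECOY_ACTIONS = {"open folder to view files"}
LAUNCH_KEYS = ("open", "shellexecute")
EXEC_EXT = re.compile(r"\.(exe|com|scr|bat|cmd|pif)(\s|$)", re.I)

def parse_autorun(text):
    """Return the [autorun] section as a dict with lowercase keys ({} if absent)."""
    cp = configparser.RawConfigParser(strict=False)
    cp.read_string(text)
    for section in cp.sections():  # section name is case-insensitive on Windows
        if section.lower() == "autorun":
            return {k.lower(): v.strip() for k, v in cp.items(section)}
    return {}

def triage_autorun(text):
    """Return human-readable findings; an empty list means nothing suspicious."""
    entries = parse_autorun(text)
    findings = []
    launches = [k for k in LAUNCH_KEYS if EXEC_EXT.search(entries.get(k, ""))]
    for key in launches:
        findings.append(f"{key}= launches an executable: {entries[key]}")
    decoy = entries.get("action", "").strip().lower() in DECOY_ACTIONS
    if decoy:
        findings.append(f"action= mimics the Windows default prompt: {entries['action']}")
    if launches and decoy:  # the combination described on this page
        findings.append("verdict: executable launch disguised as opening the folder")
    return findings
```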
The following registry key values have been added to the system:
- HKEY_USERS\S-1-5[Varies]\Software\Microsoft\Windows\CurrentVersion\Run\winlog.exe: "%AppData%\Microsoft\winlog.exe"
The registry value above confirms that the worm registers itself with the compromised system and executes at every boot.
The worm creates a mutex with the following name:
-- Update March 24, 2009 --
A new variant was seen today (detected as W32/Sdbot.worm.gen.t). This variant drops the following file in the c:\windows\system folder:
It creates services that point to this file. The following are the registry keys:
The worm attempts to spread by scanning the subnet over port 445 looking for vulnerable hosts.
Network connections to the following domain were observed:
-- Update February 2, 2005 --
The filenames used by SDBot variants vary considerably, but regularly mimic legitimate Windows executable names so that a user viewing the Task Manager might assume the listed names are valid.
Some example filenames (but not all) seen by AVERT include:
-- Update August 11, 2004 --
There are now over 4000 variants of this threat, many of which were proactively detected, and this number continues to grow at a rapid rate.
AVERT is constantly enhancing generic detection for this family. To ensure you have appropriate protection, use the latest DATs and the latest engine, and do not disable scanning of packed executable files.
-- Update April 6, 2004 --
There are now over 700 variants of this trojan-turned-worm. Multiple new variants are discovered each week. They vary in file size and name.
This detection is for worms that are based on the IRC-Sdbot trojan code. The source code for the IRC-Sdbot trojan was published on the Internet some time ago, and a number of worms are based on the same code. The following detections exist for such worms:
Due to their origins, such worms are often proactively detected as IRC-Sdbot with the 4258+ DAT files. Users are advised to ensure that scanning of compressed files is enabled to maximise proactive detection.
These worms typically spread via network shares and create a remote access point for attackers to exploit.
Some variants can take advantage of the following vulnerabilities:
- DCOM RPC vulnerability (MS03-026)
- WEBDAV vulnerability (MS03-007)
- LSASS vulnerability (MS04-011)
- ASN.1 vulnerability (MS04-007)
- Workstation Service vulnerability (MS03-049)
- PNP vulnerability (MS05-039)
- Imail IMAPD LOGIN username vulnerability
- Cisco IOS HTTP Authorization Vulnerability
Some variants use a combination of the above vulnerabilities during their attack on the system.
The description below is specific to one such worm, but the characteristics are typical of many other variants. (Exact filenames and registry key names may of course change.)
When run, it copies itself to the Windows system (%SysDir%) directory and creates two registry run keys to load the worm at system startup:
- CurrentVersion\Run "Services Host" = scchost.exe
- CurrentVersion\RunServices "Services Host" = scchost.exe
The worm's file share propagation relies on target systems being accessible for one of two reasons:
- Poor security on target systems
- The credentials of the user logged on to an infected system are sufficient to access other systems on the network
The worm scans random IP subnets for machines present on the network. Once a system is found, the worm tries to connect to the 'C$' and/or 'C' shares on that machine. The following accounts are used for the connection (with no passwords):
NOTE: The worm runs with the privileges of the currently authenticated user. If a blank password is insufficient on the target system, the current user's credentials may still be sufficient to gain access to the remote system.
Some variants also try additional administrative shares such as D$, E$, IPC$, Print$ and Admin$, and contain within them a list of common usernames/passwords to use to gain access to password-protected shares.
If successful, the worm will copy itself onto that share in one of the following locations (i.e. the Windows Startup folder):
- C:\WINNT\Profiles\All Users\Start Menu\Programs\Startup
- C:\WINDOWS\Start Menu\Programs\Startup
- C:\Documents and Settings\All Users\Start Menu\Programs\Startup
- \WINNT\Profiles\All Users\Start Menu\Programs\Startup
- \WINDOWS\Start Menu\Programs\Startup
- \Documents and Settings\All Users\Start Menu\Programs\Startup
Finally, the worm attempts to execute the copied file by calling the NetScheduleJobAdd function.
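As an added detection example (not code from the original description), the following Python looks for the spreading behaviour described above and in the March 2009 update: one host walking a subnet over port 445 and touching many distinct hosts in a short window. The log format ("YYYY-mm-dd HH:MM:SS src=... dst=... dport=...") and the sample records are assumed and constructed; real firewall or flow exports will need their own parse_line.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed connection records in an assumed firewall-style format;
# not taken from the page.
def make_sample_log():
    lines = [f"2009-03-24 10:00:{i:02d} src=10.1.2.3 dst=10.1.2.{10 + i} dport=445"
             for i in range(12)]  # one host walking the subnet
    lines += ["2009-03-24 10:00:10 src=10.1.2.9 dst=10.1.2.50 dport=445",
              "2009-03-24 10:00:11 src=10.1.2.9 dst=10.1.2.50 dport=445",  # normal file-server use
              "2009-03-24 10:00:12 src=10.1.2.3 dst=10.1.2.30 dport=80"]   # not SMB, ignored
    return lines

LINE_RE = re.compile(r"^(\S+ \S+) src=(\S+) dst=(\S+) dport=(\d+)$")

def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3), int(m.group(4))

def smb_fanout(lines, window=timedelta(seconds=60), threshold=10):
    """Map each source that reached >= threshold distinct hosts on 445 within
    one window to the largest distinct-target count seen for it."""
    per_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[3] == 445:
            per_src[rec[1]].append((rec[0], rec[2]))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        in_window, start = Counter(), 0
        for ts, dst in events:
            in_window[dst] += 1
            while events[start][0] < ts - window:  # slide the window forward
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(in_window))
    return alerts
```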
Remote Access Trojan
The worm connects to an IRC server, joins a channel and waits for instructions. A remote attacker can use the trojan to perform various tasks:
- Gather system information (CPU, drive space, RAM, OS version, user name, computer name, IP address)
- Run IRC commands (Join channels, send messages)
- SYN Flood others
- Kill processes
- Download files
- Execute files