W32/SDBot.AX!worm - Released Apr 03, 2006 - Last Updated Jun 06, 2007
Aliases: W32/SDBot.AX!wm, W32/SDBot.AX-net, W32/SDBot.AX-wm, Backdoor.Win32.SdBot.bdh, W32/Sdbot.worm.gen.ax, W32/Tilebot-II, WORM_SDBOT.BQT, W32/Sdbot.VVP, Trojan.Tilebot.II, Win32/Rbot, Trj/Agent.DRB, IRC/BackDoor.SdBot2.QCM, Backdoor.SdBot.bqt, TR/Tilebot.II, Ba
Visible Symptoms
- The file msnmsgr.exe exists in the Windows folder.
- A file having the format trash[Random Hexadecimal Number] exists in the System folder.
- Possible termination of the firewall or other security applications, including antivirus monitors.
Detailed Analysis
- Copies itself to the Windows folder as msnmsgr.exe.
- Deletes the original file after execution.
Registry Modification
- Adds the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions
v7b5x2s1i4h3 = "[Current Date and Time]"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_MESSENGER
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Messenger
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCScan = dword:00000000
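Added example, not part of the Fortinet entry: a PowerShell triage check for the host indicators listed under Visible Symptoms and Registry Modification above. It assumes $env:windir is the "Windows folder" and $env:windir\System32 the "System folder", and should be run from an elevated prompt so the HKLM keys are readable.

```powershell
# Added example (not the advisory's own code): report the W32/SDBot.AX host indicators.
$findings = @()
$winDir = $env:windir                       # assumption: "Windows folder"
$sysDir = Join-Path $winDir 'System32'      # assumption: "System folder"

# Symptom: msnmsgr.exe dropped directly in the Windows folder.
$dropped = Join-Path $winDir 'msnmsgr.exe'
if (Test-Path -LiteralPath $dropped) {
    $findings += "Dropped file present: $dropped"
}

# Symptom: a file named trash<random hexadecimal> in the System folder.
Get-ChildItem -LiteralPath $sysDir -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^trash[0-9A-Fa-f]+$' } |
    ForEach-Object { $findings += "Suspicious file: $($_.FullName)" }

# Infection marker: Shell Extensions\v7b5x2s1i4h3 holds the date/time of infection.
$shellExt = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions'
$marker = (Get-ItemProperty -LiteralPath $shellExt -ErrorAction SilentlyContinue).v7b5x2s1i4h3
if ($null -ne $marker) {
    $findings += "Infection marker v7b5x2s1i4h3 = '$marker' under $shellExt"
}

# Service registration keys created by the worm.
foreach ($key in @(
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_MESSENGER',
    'HKLM:\SYSTEM\CurrentControlSet\Services\Windows Messenger')) {
    if (Test-Path -LiteralPath $key) { $findings += "Service key present: $key" }
}

# Winlogon\SFCScan = 0 switches off the boot-time System File Protection scan.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$sfcScan = (Get-ItemProperty -LiteralPath $winlogon -ErrorAction SilentlyContinue).SFCScan
if ($null -ne $sfcScan -and $sfcScan -eq 0) {
    $findings += "Winlogon\SFCScan = 0 (System File Protection scan disabled)"
}

if ($findings.Count -eq 0) { 'No W32/SDBot.AX indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Any hit here should be followed by a full scan with current signatures, since the worm also patches sfc_os.dll and may already have stopped the local security software.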
Network Propagation
- Attempts to connect to shared folders in the network by using the following passwords:
- administrador
- administrat
- administrateur
- administrator
- admins
- computer
- database
- default
- guest
- oracle
- owner
- staff
- student
- teacher
- wwwadmin
If successful, it copies itself to the following folders:
- d$\windows\system32
- c$\
- d$\winnt\system32
- c$\windows\system32
- c$\winnt\system32
- Admin$\system32
- Admin$
- ipc$
- Contains the following strings, which suggest that it scans the network for exploitable services on various ports (for example, MSSQL, NetBIOS and RPC on port 135, and NetAPI on ports 139 and 445):
- mssql
- MSSQL
- mssql
- netapi
- netapi
- netapi139
- netapi139
- netapi445
- netbios
- NetBios
- netbios
- netbios
- ntpass
- NTPass
- ntpass
- rpc135
- RPC135
- rpc135
Other Behavior
- Opens a port and sets itself up as an FTP server.
- Sends information such as the following to a remote user:
- CPU type
- Total RAM
- Available RAM
- OS version
- System folder
- Computer name
- Current user
- Date
- Time
- Free disk space
- If the user is running the mIRC chat program, this worm sends mIRC information such as the following to a remote user:
- Current nick being used
- Channel that the user is on
- Port that is being used
- IP of the server that the user is connected to
- Disables the System File Protection feature by patching the file sfc_os.dll in the System folder. This feature is responsible for ensuring that critical system files are not replaced by older versions or versions not approved by Microsoft.
- Attempts to terminate the following processes, some of which may be security related:
- Bagle.a
- Bagle.j
- Bagle.k
- Bagle.v
- Bagle.X
- bbeagle.exe
- d3dupdate.exe
- i11r54n4.exe
- irun4.exe
- Microsoft Inet Xp..
- MSBLAST.exe
- mscvb32.exe
- Mydoom.h
- Netsky.r
- PandaAVEngine
- PandaAVEngine.exe
- Penis32.exe
- rate.exe
- Sobig.c
- ssate.exe
- sysinfo.exe
- System MScvb
- TaskMon
- taskmon.exe
- teekids.exe
- W32.Blaster
- W32.Blaster.B
- W32.Blaster.C
- winsys.exe
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the 'Allow Push Update' option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.