W32/SDBot.fam!worm.irc - Released Jul 30, 2003 - Last Updated Mar 08, 2005
Aliases: BackDoor.IRC.Sdbot.based, Backdoor.SdBot.gen, IRC-Sdbot, W32/SDBot.Fam, W32/SDBot.fam!worm.irc, W32/SDBot.Fam-dl, W32/SDBot.fam-dll, W32/SDBot.fam-net, W32/SDBot.fam-tr
Detection Availability
Visible Symptoms
- Infected computers may connect to an Internet IP address using TCP port 6667
- The virus is typically installed without the user's knowledge, either by a Trojan or by a network-aware virus
- A firewall may alert that the identified file is attempting to access the Internet and possibly act as a server
Detailed Analysis
- The virus is a 32-bit executable and is commonly compressed (packed), so file sizes vary
- Detection covers several variants of the SDBot family
- When the virus is run, it may launch Internet Explorer in a hidden window, connect the infected machine to an IRC server and act as an IRC bot
- When the infected system is connected to the Internet, the bot may use TCP port 6667 and await instructions from a hacker or group of hackers
- The IRC bot may report the following details about the infected client to a specified IRC channel (%d and %s are placeholders filled in at run time):
    cpu: %d MHz.
    ram: %d KB total, %d KB free.
    os: Windows %s (%d.%d, build %d).
    uptime: %dd %dh %dm%s [%s]
    connection type: %s (%s).
    local IP address: %d.%d.%d.%d.
    connected from: %s
- The IRC bot can ping, download, clone and send itself, among other supported instructions
- The virus may copy itself to the Windows\System folder as an executable and modify the registry so that it loads at Windows startup:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
    (key value) = (path and filename of virus)
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
    (key value) = (path and filename of virus)
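The two host- and network-level indicators this entry gives (outbound TCP 6667 connections, and Run/RunServices values pointing at an executable dropped in the Windows\System folder) can be triaged from a firewall log and a registry export. The script below is an added example, not part of the Fortinet entry or of any SDBot sample: the log line format, the internal address range 192.168.1.0/24, the registry excerpt, the file names svchosts.exe and sysupd.exe, and the allowlist of known-good value names are all constructed for illustration.

```python
"""Triage the SDBot indicators described in this entry: outbound TCP 6667
(IRC) connections and Run/RunServices autostart entries in Windows\\System.
Added example; log format, addresses, registry excerpt and allowlist are
constructed, not taken from the advisory."""
import re
from ipaddress import ip_address, ip_network

# Constructed firewall log: timestamp, action, protocol, src:port -> dst:port
FIREWALL_LOG = """\
2003-07-30 10:15:02 ALLOW TCP 192.168.1.20:1045 -> 203.0.113.7:6667
2003-07-30 10:15:09 ALLOW TCP 192.168.1.20:1046 -> 198.51.100.3:80
2003-07-30 10:16:40 DENY  TCP 192.168.1.31:1102 -> 203.0.113.9:6667
2003-07-30 10:17:12 ALLOW UDP 192.168.1.5:53412 -> 192.168.1.1:53
2003-07-30 10:18:00 ALLOW TCP 192.168.1.20:1050 -> 203.0.113.7:6667
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)
IRC_PORT = 6667                            # port named in the advisory
INTERNAL = ip_network("192.168.1.0/24")    # constructed internal range


def find_irc_beacons(log_text):
    """Return {src_ip: [(ts, dst_ip, action), ...]} for internal hosts that
    attempted a TCP connection to port 6667 outside the internal range.
    DENY lines are kept too: a blocked attempt still points at an infected host."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m or m["proto"] != "TCP" or int(m["dport"]) != IRC_PORT:
            continue
        src, dst = ip_address(m["src"]), ip_address(m["dst"])
        if src not in INTERNAL or dst in INTERNAL:
            continue  # only outbound connections from our own hosts
        hits.setdefault(m["src"], []).append((m["ts"], m["dst"], m["action"]))
    return hits


# Constructed excerpt of a 'reg export' of the two keys named in the entry
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"svchosts"="C:\\WINDOWS\\System\\svchosts.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"sysupd"="C:\\WINDOWS\\System\\sysupd.exe"
"""

AUTOSTART_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
KNOWN_GOOD = {"SystemTray", "LoadPowerProfile"}   # constructed allowlist
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
SYSTEM_DIR_RE = re.compile(r"\\windows\\system\\[^\\]+\.exe\b", re.IGNORECASE)


def find_suspicious_autostarts(reg_text, known_good=KNOWN_GOOD):
    """Return [(key, value_name, path)] for Run/RunServices values whose data
    points at an .exe inside Windows\\System and is not on the allowlist."""
    findings = []
    current_key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current_key = key if key.lower() in AUTOSTART_KEYS else None
            continue
        m = VALUE_RE.match(line)
        if current_key is None or not m or m["name"] in known_good:
            continue
        path = m["data"].replace("\\\\", "\\")  # .reg files escape backslashes
        if SYSTEM_DIR_RE.search(path):
            findings.append((current_key, m["name"], path))
    return findings


if __name__ == "__main__":
    for host, conns in find_irc_beacons(FIREWALL_LOG).items():
        print(f"{host}: {len(conns)} connection attempt(s) to TCP {IRC_PORT}")
    for key, name, path in find_suspicious_autostarts(REG_EXPORT):
        print(f"autostart {key}\\{name} -> {path}")
```

Matching only on the destination port is a coarse indicator (legitimate IRC clients also use 6667), so the network hits are best cross-checked against the registry findings on the same host before treating it as infected.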
Recommended Action
Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.