W32/SDBot.IK!worm

Aliases: W32/SDBot-IK, W32/SDBot.IK!worm, W32/SDBot.IK-tr
Release Date: May 13, 2004

Detection Availability
              Active Database   Extended Database
FortiGate     low               high
FortiClient
FortiMail     N/A

Current Antivirus Definition Database Version: 12.338
Description

Visible Symptoms

  • Creation of the files "wnetmgr.exe" and "cool.exe" on a compromised system

  • An infected system will attempt connections to an IRC server on TCP port 6667


Detailed Analysis


Specifics
The SDBot family of viruses share technical similarities, such as the ability to copy themselves to systems across a network, communicate with hard-coded IRC servers and receive command instructions. Some variants carry a service/application termination payload, and most if not all load at Windows startup via a registry key entry.

This variant may exist under these file names on a compromised system:

cool.exe
cool2.exe
syslog32.exe
wnetmgr.exe

This variant contains code to function as an FTP server - this functionality allows the virus to be retrieved from a targeted system by way of FTP file transfer. The virus binds to TCP port 10051.

This variant, as with others, attempts to locate available systems across a LAN/WAN. For each system found, the virus uses a dictionary attack to log on to it. If access is gained, the virus copies itself to that system. In addition, it may create an FTP script and then attempt to connect to an FTP server named

maniacu2.homeftp.net

After connecting using a hard-coded login name and password, the virus attempts to download a file "cool2.exe" and then run it. In this way, the virus can potentially update itself, or run any arbitrary program, once it has installed itself on a host.
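
The indicators above (the four file names, the FTP listener on TCP 10051, IRC attempts to TCP 6667 and lookups of maniacu2.homeftp.net) can be checked on a host with a short script. The following is an added example written for this page, not Fortinet's code; the process list, netstat-style lines and DNS log lines are constructed samples.

```python
import re

# Indicators taken from the advisory above.
SDBOT_IK_FILES = {"cool.exe", "cool2.exe", "syslog32.exe", "wnetmgr.exe"}
IRC_PORT = 6667          # outbound C2 connection attempts
FTP_LISTEN_PORT = 10051  # port bound by the worm's built-in FTP server
UPDATE_HOST = "maniacu2.homeftp.net"

# Constructed sample data (not real captures): process image names,
# "netstat -an" style lines and resolver log lines "<client> <name>".
SAMPLE_PROCESSES = ["explorer.exe", "WNETMGR.EXE", "svchost.exe"]
SAMPLE_NETSTAT = [
    "TCP  0.0.0.0:10051   0.0.0.0:0         LISTENING",
    "TCP  10.0.0.5:1043   203.0.113.7:6667  SYN_SENT",
    "TCP  10.0.0.5:1044   203.0.113.9:443   ESTABLISHED",
]
SAMPLE_DNS = ["10.0.0.5 maniacu2.homeftp.net", "10.0.0.6 example.org"]

# proto, local addr:port, remote addr:port, state
NETSTAT_RE = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)$")


def scan_processes(names):
    """Return running image names that match the worm's known file names."""
    return [n for n in names if n.lower() in SDBOT_IK_FILES]


def scan_netstat(lines):
    """Flag the FTP listener and any attempt to reach an IRC port."""
    findings = []
    for line in lines:
        m = NETSTAT_RE.match(line.strip())
        if not m:
            continue  # skip headers and lines we cannot parse
        proto, _laddr, lport, raddr, rport, state = m.groups()
        if proto == "TCP" and int(lport) == FTP_LISTEN_PORT and state == "LISTENING":
            findings.append(f"FTP server listening on TCP {FTP_LISTEN_PORT}")
        if proto == "TCP" and int(rport) == IRC_PORT:
            findings.append(f"outbound IRC attempt to {raddr}:{IRC_PORT} ({state})")
    return findings


def scan_dns(lines):
    """Return clients that queried the worm's update host."""
    return [l.split()[0] for l in lines if l.split()[1].lower() == UPDATE_HOST]


if __name__ == "__main__":
    print(scan_processes(SAMPLE_PROCESSES), scan_netstat(SAMPLE_NETSTAT), scan_dns(SAMPLE_DNS))
```

A hit on the process list or the TCP 10051 listener is a strong signal on its own; the IRC and DNS checks are corroborating, since port 6667 and dynamic-DNS hosts are also used legitimately.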

Description Last Updated Date: May 14, 2004
Reference: ID - 5394