W32/SDBot.IK!worm - Released May 13, 2004 - Last Updated May 14, 2004

Alias/es

W32/SDBot-IK, W32/SDBot.IK!worm, W32/SDBot.IK-tr

Detection Availability

              Active Database    Extended Database
FortiGate     low                high
FortiClient
FortiMail     N/A

Visible Symptoms

  • Creation of the file "wnetmgr.exe" and "cool.exe" on a compromised system

  • An infected system will have connection attempts with an IRC server using TCP port 6667


Detailed Analysis


Specifics

Members of the SDBot family share a common set of capabilities: the ability to copy themselves to other systems across a network, to communicate with hard-coded IRC servers, and to receive command instructions over that channel. Some variants carry a service/application termination payload, and most if not all load at Windows startup via a registry key entry.

This variant may exist as these file names on a compromised system -

cool.exe
cool2.exe
syslog32.exe
wnetmgr.exe

This variant contains code to function as an FTP server - this functionality allows the virus to be retrieved from a targeted system by way of FTP file transfer. The virus binds to TCP port 10051.

This variant, as with others, attempts to locate available systems across a network LAN/WAN. For each system found, the virus uses a dictionary attack to log on to it. If access is obtained, the virus copies itself to that system. In addition, it may create an FTP script and then attempt to connect to an FTP server named

maniacu2.homeftp.net

After connecting using a hard-coded login name and password, the virus attempts to download a file "cool2.exe" and then run it. In this way, the virus can potentially update itself, or run any arbitrary program, once it has installed itself on a host.
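As an added illustration (not part of the original advisory and not a Fortinet tool), the following Python triage script turns the indicators above - the dropped file names, the IRC connection on TCP 6667, the FTP listener on TCP 10051 and the update server maniacu2.homeftp.net - into per-host detections over a small set of constructed log lines. The three-field log format (CONN, FILE, DNS) is an assumption made for the example, not a FortiGate log format.

```python
import re

# Indicators taken from the advisory text above.
DROPPED_FILES = {"cool.exe", "cool2.exe", "syslog32.exe", "wnetmgr.exe"}
IRC_PORT = 6667          # visible symptom: IRC connection attempts
FTP_BIND_PORT = 10051    # the bot's own FTP server
UPDATE_HOST = "maniacu2.homeftp.net"

# Constructed log format (an assumption for this example, not a FortiGate format):
#   CONN <src> -> <dst>:<port>   FILE <host> <path>   DNS <host> <queried-name>
CONN_RE = re.compile(r"^CONN (\S+) -> (\S+):(\d+)$")
FILE_RE = re.compile(r"^FILE (\S+) (\S+)$")
DNS_RE = re.compile(r"^DNS (\S+) (\S+)$")

def classify(line):
    # Returns (host, reason) for a line matching an indicator, else None.
    m = CONN_RE.match(line)
    if m:
        src, dst, port = m.group(1), m.group(2), int(m.group(3))
        if port == IRC_PORT:  # the source host is the one reaching out to IRC
            return (src, f"outbound IRC to {dst}:{port}")
        if port == FTP_BIND_PORT:  # the destination host is offering the FTP listener
            return (dst, f"connection to SDBot FTP port from {src}")
    m = FILE_RE.match(line)
    if m:
        host, path = m.groups()
        if path.replace("\\", "/").rsplit("/", 1)[-1].lower() in DROPPED_FILES:
            return (host, f"dropped file {path}")
    m = DNS_RE.match(line)
    if m and m.group(2).lower().rstrip(".") == UPDATE_HOST:
        return (m.group(1), f"lookup of update server {UPDATE_HOST}")
    return None

def scan(lines):
    # Collect every matched reason per host.
    hits = {}
    for line in lines:
        r = classify(line.strip())
        if r:
            hits.setdefault(r[0], []).append(r[1])
    return hits

def suspect_hosts(lines, min_indicators=2):
    # A host is flagged once it shows at least min_indicators distinct findings.
    return sorted(h for h, rs in scan(lines).items() if len(rs) >= min_indicators)

SAMPLE_LOG = [  # constructed sample lines; 10.0.0.5 shows all four indicators
    "CONN 10.0.0.5 -> 203.0.113.9:6667", "FILE 10.0.0.5 C:\\WINDOWS\\System32\\wnetmgr.exe",
    "DNS 10.0.0.5 maniacu2.homeftp.net", "CONN 10.0.0.8 -> 10.0.0.5:10051",
    "CONN 10.0.0.9 -> 198.51.100.2:443", "FILE 10.0.0.9 C:\\Temp\\report.exe",
]
```

Calling suspect_hosts(SAMPLE_LOG) returns only 10.0.0.5; the benign HTTPS connection and unrelated executable on 10.0.0.9 produce no findings.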

Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option

  • Using the FortiGate manager, create a service named "SDBot" as TCP port 10051, then deny access to this service for Internal => External and External => Internal

  • Using the FortiGate manager, add this server name to the list of URLs to block -

    maniacu2.homeftp.net

Reference: ID - 5394