W32/SDBot.R!worm - Released Nov 12, 2003 - Last Updated Mar 13, 2007

Alias/es

IRC/SdBot.DD, W32/SDBot-H, W32/SdBot.R, W32/SDBot.R!worm, Win32.Moega.K, WORM_SDBOT.R

Detection Availability

                 Active Database   Extended Database
    FortiGate    low               high
    FortiClient
    FortiMail    N/A

Visible Symptoms

  • Possible firewall alert that a file named "wupdated.exe" referenced as "Generic Host Process for Win32" is attempting to access the Internet using NetBIOS, or that the same file is trying to act as a server

  • Creation of the file "wupdated.exe" on the infected host -

    c:\wupdated.exe
    c:\WINNT\system32\wupdated.exe

Detailed Analysis

  • The virus is a 32-bit executable with a file size of 74,784 bytes

  • This virus is introduced to the target system from an infected computer via a TCP connection across a network or the Internet, typically via TCP port 139

  • If this virus is run, it will copy itself to the local system in two places -

    c:\wupdated.exe
    c:\WINNT\system32\wupdated.exe

  • Next the virus will modify the registry to auto run at next Windows startup -

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
    "Configuration Loaded" = wupdated.exe

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
    "Configuration Loaded" = wupdated.exe

  • The virus will run a DNS query to identify an IP address for the IRC server "irc.undernet.org"

  • Once an IP address is retrieved, the virus will attempt to connect using TCP port 6667 and, using a random NICK and USER, will send a PING instruction to the server

  • The format of the PING instruction may cause the IRC server to return errors such as "Your client may not be compatible with this server" or "Ping timeout"

  • The virus will wait for instructions and commands from a hacker or group of hackers while joined to the IRC server

  • Commands could include instructing the virus to update itself from a URL, send a PING or SYN flood to a specified IP address, or visit websites

  • The virus has the capability to scan for available systems using NetBIOS on TCP port 139

  • If a system is found, the virus will attempt to connect to it using a dictionary of logon account names and password combinations

  • If the virus is successful in logging onto the target system, it will try to copy itself to that system and remotely execute the copied virus

  • Virus contains the string "sdbot 0.5b with SYN flood by [sd]" in its code
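The network behaviour listed above (a DNS lookup for irc.undernet.org, an outbound connection on TCP port 6667, and a sweep of many hosts on TCP port 139) can be turned into a simple detection run over firewall and DNS logs. The script below is an added example and is not Fortinet's code; the log line format it parses, the sample lines it embeds, and the SWEEP_THRESHOLD of five distinct port 139 targets are constructed assumptions, while the host name and port numbers come from the analysis above.

```python
import re
from collections import defaultdict

# Indicators taken from the advisory text
IRC_HOST = "irc.undernet.org"
IRC_PORT = 6667
NETBIOS_PORT = 139
# Assumption: how many distinct TCP/139 targets one source must touch before
# we treat the traffic as a scan rather than ordinary file sharing.
SWEEP_THRESHOLD = 5

# Constructed log format (not a real product format):
#   <timestamp> dns  <src-ip> query <name>
#   <timestamp> conn <src-ip> -> <dst-ip>:<dst-port> <proto>
DNS_RE = re.compile(r"^(?P<ts>\S+)\s+dns\s+(?P<src>[\d.]+)\s+query\s+(?P<name>\S+)$")
CONN_RE = re.compile(
    r"^(?P<ts>\S+)\s+conn\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):(?P<port>\d+)\s+(?P<proto>\w+)$"
)


def parse_line(line):
    """Return a dict describing one log event, or None for lines we do not understand."""
    line = line.strip()
    m = DNS_RE.match(line)
    if m:
        return {"kind": "dns", "src": m["src"], "name": m["name"].lower().rstrip(".")}
    m = CONN_RE.match(line)
    if m:
        return {"kind": "conn", "src": m["src"], "dst": m["dst"],
                "port": int(m["port"]), "proto": m["proto"].lower()}
    return None


def analyze(lines):
    """Map each source IP to a sorted list of findings that match the worm's behaviour."""
    findings = defaultdict(set)
    netbios_targets = defaultdict(set)   # src -> set of distinct hosts touched on 139
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                      # malformed lines are skipped, not fatal
        if ev["kind"] == "dns" and ev["name"] == IRC_HOST:
            findings[ev["src"]].add("dns-lookup-irc-c2")
        elif ev["kind"] == "conn" and ev["proto"] == "tcp":
            if ev["port"] == IRC_PORT:
                findings[ev["src"]].add("irc-6667-outbound")
            elif ev["port"] == NETBIOS_PORT:
                netbios_targets[ev["src"]].add(ev["dst"])
    # A single port 139 connection is normal; many distinct targets is a sweep.
    for src, targets in netbios_targets.items():
        if len(targets) >= SWEEP_THRESHOLD:
            findings[src].add("netbios-139-sweep")
    return {src: sorted(f) for src, f in findings.items()}


# Constructed sample log: 10.0.0.5 shows all three behaviours,
# 10.0.0.9 only uses one file share and one HTTPS site.
SAMPLE_LOG = [
    "2003-11-12T10:00:01 dns 10.0.0.5 query irc.undernet.org",
    "2003-11-12T10:00:02 conn 10.0.0.5 -> 192.0.2.10:6667 tcp",
] + [
    f"2003-11-12T10:00:{5 + i:02d} conn 10.0.0.5 -> 10.0.0.{21 + i}:139 tcp"
    for i in range(6)
] + [
    "2003-11-12T10:01:00 conn 10.0.0.9 -> 10.0.0.3:139 tcp",
    "2003-11-12T10:01:01 conn 10.0.0.9 -> 198.51.100.7:443 tcp",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for src, hits in analyze(SAMPLE_LOG).items():
        print(src, ", ".join(hits))
```

Running the script reports 10.0.0.5 with all three findings and nothing for 10.0.0.9; the threshold keeps a host that legitimately maps one share from being flagged, and the DNS and 6667 indicators are only meaningful where IRC is not sanctioned on the network.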

Recommended Action

  • Block traffic on TCP port 139 in both directions, Internal to External (INT->EXT) and External to Internal (EXT->INT)

  • If IRC is not used or supported in your organization, block access to the URL "irc.undernet.org"

Reference: ID - 1506