W32/SDBot.RT!worm

Aliases: Backdoor.Win32.SdBot.gen [KAV], W32/Ranky.RT-dr, W32/Ranky.RT-net, W32/SDBot.RT!worm, W32/Sdbot.worm.gen [McAfee]
Release Date: Nov 25, 2004

Detection Availability
FortiGate: Active Database - low; Extended Database - high
FortiClient: (no value listed)
FortiMail: N/A
Current Antivirus Definition Database Version: 12.323
Description

Visible Symptoms

An infected system holds open network connections on TCP ports 32433, 35255 and 37607. The compromised system connects to an IRC server on TCP ports 32433 and 37607 and waits there for instructions from a malicious user; port 37607 is also the port on which the Ranky component described below listens for incoming connections.

The compromised system responds slowly because the worm makes a large number of outbound connection attempts to random IP addresses on TCP port 139.

Detailed Analysis

The virus is a 32-bit Windows executable with a packed file size of 33,920 bytes. On an infected system it resides in the System32 folder under a file name that differs from one infection to the next: when the virus copies itself to a new host it writes itself as %random%.exe, where %random% is a string of up to ten letters.

When the virus first runs, it attempts to download a file named "Dsmsn.exe" from a user account on the web server 'www3.simpatico.ca' and then runs the downloaded file. Dsmsn.exe is a package file containing two files -

  • a Proxy Trojan named W32/Ranky.AP-tr

  • an updated version of W32/SDBot.RT-net.

Both Ranky and SDBot are run immediately and are also set to load into memory at the next Windows restart. The auto-load is achieved through registry values such as the following (the value names and file names are random and vary between infections) -

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"ffeqfqs" = dqddss.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"ffeqfqs" = dqddss.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
"ffeqfqs" = dqddss.exe

The virus also installs the Ranky proxy Trojan component. The package that delivers it is a WinRAR self-extracting archive, which records its extraction path under the following key; this key does not cause anything to run at startup, but it is a useful indicator of the infection -

HKEY_CURRENT_USER\Software\WinRAR SFX
"C%%WINNT%SYSTEM32%" = C:\WINNT\SYSTEM32\

The Ranky component itself is registered to run at each Windows startup -

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"vsddsas" = C:\winnt\system32\fqeeqfap.exe
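To hunt for this persistence across many machines, the registry entries above can be checked in a .reg export. The following is an added example in Python, not code from the Fortinet write-up: it parses an export and flags values under the Run/RunServices keys whose value name and executable stem are both short runs of lowercase letters, the pattern shown in the entries above. The sample export is constructed for the example and includes an ordinary vendor entry that must not be flagged; the five-letter minimum length is an assumption (the write-up only gives the maximum of ten), and the WinRAR SFX key is deliberately not treated as an autorun location.

```python
import re

# Added example: flag autorun values matching the pattern in the write-up
# (random lowercase value name, random lowercase <name>.exe in System32).

AUTORUN_KEYS = {k.lower() for k in (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)}

# "up to ten letters" per the write-up; the minimum of five is an assumption.
RANDOM_NAME = re.compile(r"^[a-z]{5,10}$")
VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')

# Constructed .reg export (not from a real system): the write-up's entries plus
# one ordinary vendor entry that must not be flagged.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ffeqfqs"="dqddss.exe"
"vsddsas"="C:\\winnt\\system32\\fqeeqfap.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ffeqfqs"="dqddss.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"ffeqfqs"="dqddss.exe"

[HKEY_CURRENT_USER\Software\WinRAR SFX]
"C%%WINNT%SYSTEM32%"="C:\\WINNT\\SYSTEM32\\"
"""


def parse_reg(text):
    """Yield (key, value_name, data) for every string value in a .reg export.

    .reg files write backslashes doubled; they are unescaped here so that
    paths compare naturally.
    """
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_LINE.match(line)
        if key and m:
            yield key, m.group(1), m.group(2).replace("\\\\", "\\")


def looks_like_sdbot_rt(name, data):
    """True when the value name and the executable stem are both short lowercase
    strings and the file lives in (or resolves through) System32."""
    exe = data.rsplit("\\", 1)[-1]
    if not exe.lower().endswith(".exe"):
        return False
    stem = exe[:-4]
    # A bare file name with no path is resolved through the system search
    # path, which is how the write-up's "dqddss.exe" entries reach System32.
    in_system32 = "\\" not in data or "\\system32\\" in data.lower()
    return in_system32 and bool(RANDOM_NAME.match(name)) and bool(RANDOM_NAME.match(stem))


def find_suspects(reg_text):
    """Return [(key, name, data)] for autorun values matching the pattern."""
    return [
        (key, name, data)
        for key, name, data in parse_reg(reg_text)
        if key.lower() in AUTORUN_KEYS and looks_like_sdbot_rt(name, data)
    ]


if __name__ == "__main__":
    for key, name, data in find_suspects(SAMPLE_REG):
        print(f'{key}\n    "{name}" = {data}')
```

Because the file name is random per infection there is no fixed file-name indicator, so this is a heuristic: it produces candidates (a legitimate value such as a lowercase "ctfmon" = "ctfmon.exe" would also match) that should be confirmed by checking the file's size, 33,920 bytes when packed, and the network symptoms.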

The Ranky component listens on TCP port 37607 and waits for connections from a malicious user. Ranky then announces the newly compromised system with an HTTP request (TCP port 80) to a server-side script, so that malicious users monitoring that server learn about the new host and the port on which it listens. The request is similar to this -

http://wowcraft.no-ip.org/public_html/a.php?37607

Meanwhile the SDBot component scans random IP addresses on TCP port 139 (the NetBIOS session service) to locate further targets. When a host responds, SDBot attempts to log on to it using a built-in dictionary of weak user name and password combinations; a successful logon is how the worm copies itself to the new host.
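The network symptoms listed under Visible Symptoms, the Ranky check-in above and the port-139 scanning just described can all be detected from a connection log. The following is an added example in Python, not code from the Fortinet write-up: it reads a constructed connection log (the line format, the host addresses and the detection thresholds are assumptions made for the example; the ports and the a.php check-in pattern are the ones named on this page) and reports hosts that hold connections on the SDBot ports, accept connections on the Ranky port, send the a.php beacon, or probe many distinct hosts on TCP/139 within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports named in the write-up.
SDBOT_PORTS = {32433, 35255, 37607}   # outbound connections an infected host holds open
RANKY_PORT = 37607                    # Ranky listens here for the attacker's clients
NETBIOS_SESSION_PORT = 139            # scanned to find new victims
# Ranky's HTTP check-in, "a.php?<listening port>", as in the write-up's example URL.
BEACON = re.compile(r"/a\.php\?(\d{1,5})$")

# Assumed detection thresholds (not from the write-up).
SCAN_THRESHOLD = 20
SCAN_WINDOW = timedelta(seconds=60)

# Constructed connection log: "<timestamp> <src> <dst> <dport> <in|out> [<url>]".
# 10.0.0.5 plays the infected host; 10.0.0.9 is a clean host for contrast.
LOG_LINES = [
    "2004-11-25T10:00:01 10.0.0.5 203.0.113.9 32433 out",
    "2004-11-25T10:00:02 10.0.0.5 203.0.113.20 80 out http://wowcraft.no-ip.org/public_html/a.php?37607",
    "2004-11-25T10:00:03 203.0.113.77 10.0.0.5 37607 in",
    "2004-11-25T10:00:05 10.0.0.9 10.0.0.1 80 out http://10.0.0.1/index.html",
    "2004-11-25T10:00:06 10.0.0.9 10.0.0.2 139 out",
] + [
    # The SDBot scanning burst: 25 random targets on TCP/139 within 25 seconds.
    f"2004-11-25T10:00:{10 + i:02d} 10.0.0.5 198.51.100.{i + 1} 139 out"
    for i in range(25)
]


def parse_line(line):
    parts = line.split(maxsplit=5)
    ts, src, dst, dport, direction = parts[:5]
    url = parts[5] if len(parts) > 5 else None
    return datetime.fromisoformat(ts), src, dst, int(dport), direction, url


def find_scanners(events, threshold=SCAN_THRESHOLD, window=SCAN_WINDOW):
    """Map source -> largest number of distinct hosts it probed on TCP/139
    inside one window, for sources that reach `threshold`."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, direction, _ in events:
        if direction == "out" and dport == NETBIOS_SESSION_PORT:
            by_src[src].append((ts, dst))
    scanners = {}
    for src, hits in by_src.items():
        hits.sort()
        # Quadratic sliding window; fine for a per-host log of this size.
        for i, (start, _) in enumerate(hits):
            targets = {dst for ts, dst in hits[i:] if ts - start <= window}
            if len(targets) >= threshold:
                scanners[src] = max(scanners.get(src, 0), len(targets))
    return scanners


def find_control_traffic(events):
    """Map host -> findings for the IRC control channel and Ranky indicators."""
    findings = defaultdict(set)
    for _, src, dst, dport, direction, url in events:
        if direction == "out" and dport in SDBOT_PORTS:
            findings[src].add(f"outbound to {dst}:{dport} (port used by SDBot.RT)")
        if direction == "in" and dport == RANKY_PORT:
            findings[dst].add(f"inbound from {src} to port {dport} (Ranky listener)")
        if direction == "out" and dport == 80 and url:
            m = BEACON.search(url)
            if m:
                findings[src].add(f"Ranky check-in {url} advertising port {m.group(1)}")
    return findings


def assess(lines):
    """Return {host: sorted findings} for hosts showing any of the symptoms."""
    events = [parse_line(line) for line in lines]
    report = defaultdict(set)
    for src, n in find_scanners(events).items():
        report[src].add(f"{n} distinct hosts probed on TCP/139 within {SCAN_WINDOW.seconds}s")
    for host, found in find_control_traffic(events).items():
        report[host] |= found
    return {host: sorted(found) for host, found in report.items()}


if __name__ == "__main__":
    for host, found in assess(LOG_LINES).items():
        print(host)
        for finding in found:
            print("   ", finding)
```

The TCP/139 check fires on any host that probes many NetBIOS session ports quickly, which legitimate inventory scanners also do, so it is most useful when it coincides with the other indicators on the same host; the check-in detector also records the advertised port, which should match the port the same host is seen accepting connections on.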

Description Last Updated Date: Dec 08, 2004
Reference: ID - 7342