Alias/es: Backdoor.Win32.SdBot.gen [KAV], W32/Ranky.RT-dr, W32/Ranky.RT-net, W32/SDBot.RT!worm, W32/Sdbot.worm.gen [McAfee]
Visible Symptoms
An infected system has open connections to the Internet on TCP ports 32433, 35255 and 37607. The compromised system connects to an IRC server on TCP ports 32433 and 37607 and awaits instructions from a malicious user. The compromised system also responds slowly because of the many outbound connection attempts it makes to random IP addresses on TCP port 139.
Detailed Analysis
The virus is a 32-bit Windows executable with a packed file size of 33,920 bytes. On an infected system it resides in the System32 folder under a file name that changes from one infection to the next: when the virus copies itself to a new host it writes itself as %random%.exe, where %random% is a string of up to ten letters. When the virus first runs, it tries to connect to a user account on the web server 'www3.simpatico.ca' and download a file named "Dsmsn.exe", which it then executes. The downloaded file is a package file containing two files -
The following registry values are created so that the virus runs at each Windows startup -
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "ffeqfqs" = dqddss.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "ffeqfqs" = dqddss.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "ffeqfqs" = dqddss.exe
The virus also installs a remote access Trojan component known as Ranky. This component is likewise registered to run at each Windows startup -
HKEY_CURRENT_USER\Software\WinRAR SFX "C%%WINNT%SYSTEM32%" = C:\WINNT\SYSTEM32\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "vsddsas" = C:\winnt\system32\fqeeqfap.exe
(The "WinRAR SFX" value is written by WinRAR self-extracting archives to record their last extraction folder; it is a trace of the dropper package, not a startup entry. The Run value is the actual persistence mechanism.)
The Ranky component binds to TCP port 37607 and awaits connections from a malicious user. It announces the newly compromised system by sending an HTTP request on TCP port 80 to a server-side script, so that malicious users monitoring that server learn of the new victim. The request is similar to this -
http://wowcraft.no-ip.org/public_html/a.php?37607
The query string (37607) matches the port on which Ranky is listening, so the server operator learns both the source address and the port to connect back to.
Meanwhile the virus scans random IP addresses on TCP port 139 (the NetBIOS session service) to locate possible targets. When a responding host is found, the SDBot component attempts to log on to it over that port using weak username/password combinations from a built-in dictionary.
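As an added example (not part of the original write-up and not a Fortinet tool), the following Python script applies the host-level indicators listed in this analysis to offline snapshots of a suspect machine: a `netstat -an` capture and a list of Run/RunServices values written in the same `KEY "name" = data` notation the write-up uses (not the .reg export format). It flags the backdoor/IRC ports, startup values whose value name and file name are both bare runs of lowercase letters, and a burst of half-open connections to TCP/139. The sample data is constructed here; the scan threshold and the "unrelated random names" rule are heuristics I am assuming, not something the write-up states.

```python
import re

# Indicators taken from the write-up above (SDBot/Ranky variant).
BACKDOOR_PORTS = {32433, 35255, 37607}
RUN_KEYS = {
    k.lower()
    for k in (
        r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
        r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
        r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    )
}
# Dropped file names and value names are runs of up to ten lowercase letters.
LETTER_RUN = re.compile(r"^[a-z]{1,10}$")
# Assumed threshold: distinct hosts in SYN_SENT on TCP/139 before we call it scanning.
SCAN_THRESHOLD = 20
# Matches the 'KEY "name" = data' notation used in the write-up, not a .reg file.
REG_LINE = re.compile(r'^(?P<key>HKEY_\S+)\s+"(?P<name>[^"]+)"\s*=\s*(?P<data>.+)$')


def check_registry(reg_lines):
    """Return Run/RunServices values whose name and target file look like this variant's random names."""
    hits = []
    for line in reg_lines:
        m = REG_LINE.match(line.strip())
        if not m or m.group("key").lower() not in RUN_KEYS:
            continue  # not a startup key (the WinRAR SFX trace is skipped here)
        name, data = m.group("name"), m.group("data").strip()
        exe = data.rsplit("\\", 1)[-1]          # drop any directory part
        stem, dot, ext = exe.rpartition(".")
        if not dot or ext.lower() != "exe":
            continue
        # Assumed heuristic: value name and file stem are both bare lowercase letter
        # runs and are unrelated to each other (e.g. "ffeqfqs" -> dqddss.exe).
        if LETTER_RUN.match(name) and LETTER_RUN.match(stem) and name != stem:
            hits.append((m.group("key"), name, data))
    return hits


def check_netstat(netstat_lines):
    """Parse 'netstat -an' lines; return (backdoor-port sockets, set of TCP/139 hosts in SYN_SENT)."""
    port_hits, scan_targets = [], set()
    for line in netstat_lines:
        parts = line.split()
        if len(parts) < 4 or parts[0].upper() != "TCP":
            continue  # header lines, UDP sockets, blank lines
        local, remote, state = parts[1], parts[2], parts[3]
        lport = int(local.rsplit(":", 1)[1])
        rhost, rport = remote.rsplit(":", 1)
        rport = int(rport) if rport.isdigit() else None
        if lport in BACKDOOR_PORTS or rport in BACKDOOR_PORTS:
            port_hits.append((local, remote, state))
        if rport == 139 and state.upper() == "SYN_SENT":
            scan_targets.add(rhost)  # one entry per distinct host being probed
    return port_hits, scan_targets


def triage(reg_lines, netstat_lines, scan_threshold=SCAN_THRESHOLD):
    """Combine the checks into one verdict plus the evidence behind it."""
    reg_hits = check_registry(reg_lines)
    port_hits, targets = check_netstat(netstat_lines)
    return {
        "registry": reg_hits,
        "ports": port_hits,
        "scan_targets": len(targets),
        "infected": bool(reg_hits) or bool(port_hits) or len(targets) >= scan_threshold,
    }


# Constructed sample data: the write-up's own values plus one benign-looking entry.
SAMPLE_REG = [
    r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "ffeqfqs" = dqddss.exe',
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "ffeqfqs" = dqddss.exe',
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "vsddsas" = C:\winnt\system32\fqeeqfap.exe',
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "SoundMAX" = C:\Program Files\Analog Devices\SoundMAX\SMax4.exe',
]
# Constructed netstat snapshot (TEST-NET addresses): Ranky listening, an IRC session,
# one legitimate file-server session on 139, and 25 half-open probes to random hosts.
SAMPLE_NETSTAT = [
    "  Proto  Local Address          Foreign Address        State",
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:37607          0.0.0.0:0              LISTENING",
    "  TCP    192.0.2.10:1045        198.51.100.7:32433     ESTABLISHED",
    "  TCP    192.0.2.10:1046        192.0.2.20:139         ESTABLISHED",
] + [f"  TCP    192.0.2.10:{1100 + i}  203.0.113.{i}:139  SYN_SENT" for i in range(1, 26)]

if __name__ == "__main__":
    result = triage(SAMPLE_REG, SAMPLE_NETSTAT)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On a live host the inputs would come from `netstat -an` and from `reg query` on the three Run/RunServices keys, reformatted into the `KEY "name" = data` shape. Hits are triage leads rather than proof: the random-name rule will occasionally flag a legitimate entry, and a host that has already finished scanning will show no SYN_SENT burst, so the registry and port checks are the more durable indicators.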
Recommended Action
Check the main screen of your FortiGate unit's web interface to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.