Threat Encyclopedia
W32/SDBot.FP!worm
Analysis
- Virus is 32 bit with a file size of 112,672 bytes
- Virus may be introduced to the system from a connected
machine on the same network, or from an Internet connection
- If the virus is run, it creates two .BAT script
files in the %Temp% folder and runs them
- The Temp .BAT files, named "b.bat" and
"d.bat", use ECHO instructions to redirect
output into two .BAT files in the %Windows%\System32
folder named "Runtime.bat" and "PCTime32.bat"
respectively
- The temp .BAT file "b.bat" first deletes
any existing "Runtime.bat" in the %Windows%\System32
folder, then creates a new one with these instructions
-
- attempt to connect to a networked machine and log on with Admin privileges
- stop the service named "navapsvc"
- create a copy of the virus on the target system as "Microsoft32.exe"
-
The temp .BAT file "d.bat" first deletes any existing "PCTime32.bat" in the %Windows%\System32 folder, then creates a new one with these instructions -
- attempt to log on to a networked system via the IPC$ share, using the user name "e" with a password of "asd#321"
- make the file "Microsoft32.exe" read only
- initiate the file "Microsoft32.exe" remotely
-
The virus will load on an infected machine at Windows startup based on a registry modification -
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"Microsoft DirectX" = SMSS32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
"Microsoft DirectX" = SMSS32.exe
-
The virus may delete the following registry key -
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Winlogon\
"Shell" = Explorer.exe
-
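The host-side indicators above (the "Microsoft DirectX" = SMSS32.exe autorun values, the missing Winlogon "Shell" value, and the dropped Runtime.bat / PCTime32.bat / Microsoft32.exe files in System32) can be checked offline against a registry export and a directory listing. The following is an added example written for this page, not Fortinet's code; the REGEDIT4 export text and the System32 listing it scans are constructed samples, and the key paths and file names come from the analysis above.

```python
"""Host-side IOC check for the SDBot.FP indicators listed in the analysis.

Added example, not Fortinet's code. It parses a registry export in the
REGEDIT4 text format (the sample below is constructed) plus a constructed
System32 directory listing, and reports which indicators are present.
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUNSERVICES_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Indicators taken from the analysis above.
AUTORUN_VALUE = "Microsoft DirectX"
AUTORUN_DATA = "SMSS32.exe"
DROPPED_FILES = {"runtime.bat", "pctime32.bat", "microsoft32.exe"}

# Constructed sample export (the shape `reg export HKLM\SOFTWARE\... out.reg`
# produces), seeded with the worm's persistence entries and a Winlogon key
# whose "Shell" value has been deleted.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft DirectX"="SMSS32.exe"
"VMware Tools"="C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft DirectX"="SMSS32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"""

# Constructed System32 listing (what `dir /b %Windows%\System32` might show).
SAMPLE_SYSTEM32 = ["kernel32.dll", "Runtime.bat", "PCTime32.bat", "Microsoft32.exe", "cmd.exe"]

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg export."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            # .reg files escape backslashes as \\ and quotes as \"
            keys[current][m.group(1)] = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
    return keys


def find_indicators(reg_text, system32_listing):
    """Return human-readable findings; an empty list means no indicator matched."""
    reg = parse_reg_export(reg_text)
    findings = []
    # Persistence: the same value under both Run and RunServices.
    for key in (RUN_KEY, RUNSERVICES_KEY):
        data = reg.get(key, {}).get(AUTORUN_VALUE)
        if data and data.lower().endswith(AUTORUN_DATA.lower()):
            findings.append(f"autorun: {key}\\{AUTORUN_VALUE} = {data}")
    # A Winlogon key that exists but has no "Shell" value is abnormal;
    # the analysis says the worm may delete it.
    winlogon = reg.get(WINLOGON_KEY)
    if winlogon is not None and "Shell" not in winlogon:
        findings.append("Winlogon\\Shell value missing (worm may have deleted it)")
    # Dropped batch files and the worm copy, matched case-insensitively.
    for name in system32_listing:
        if name.lower() in DROPPED_FILES:
            findings.append(f"dropped file: System32\\{name}")
    return findings


if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_REG, SAMPLE_SYSTEM32):
        print(finding)
```

On a real host, feed it the output of `reg export` for the three keys and a listing of the System32 folder; a match on the autorun values alone is a strong signal, since "Microsoft DirectX" is not a value name Windows or DirectX itself registers under Run.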
The virus will attempt to connect to the IP address 65.110.56.65 with a destination port of 1360
-
The virus will await instructions from a hacker or group of hackers which include some of the following actions -
- begin a PING or SYN attack flood
- download a binary
- scan NetBIOS for potential targets
-
Virus contains the string ".:: SXT v2.04 oWneD By: oWn-X TeAm since 1999 ::." in its code
Recommended Action
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
- Block external to internal (EXT -> INT) communication
using TCP port 445
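The two network-side indicators on this page, the outbound connection to 65.110.56.65 on TCP port 1360 and the TCP/445 (IPC$ share) logons the dropped batch files use to spread, can be pulled out of firewall traffic logs. The following is an added example, not Fortinet's code: the log line format and the sample lines are constructed, and "internal" is assumed to mean the RFC 1918 private ranges. It flags internal-to-internal 445 traffic as well, because the recommended EXT -> INT block does not stop an already-infected host from spreading inside the network.

```python
"""Network-side check for the SDBot.FP indicators: the C2 connection to
65.110.56.65:1360 and TCP/445 traffic matching the worm's spreading pattern.

Added example, not Fortinet's code. The key=value log format and the sample
lines are constructed; internal address space is assumed to be RFC 1918.
"""
import ipaddress
import re

C2_ADDR = ipaddress.ip_address("65.110.56.65")
C2_PORT = 1360
SMB_PORT = 445

# Assumption: these are the internal ranges. Do not use ip_address.is_private
# here, since Python also treats documentation ranges such as 203.0.113.0/24
# as private.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample log: an infected host at 192.168.1.23 beacons to the C2
# address, then tries SMB to a neighbour; an outside host also tries SMB in.
SAMPLE_LOG = """\
2004-05-11 10:02:13 proto=tcp src=192.168.1.23 sport=1051 dst=65.110.56.65 dport=1360 action=accept
2004-05-11 10:02:40 proto=tcp src=192.168.1.23 sport=1052 dst=192.168.1.40 dport=445 action=accept
2004-05-11 10:03:01 proto=tcp src=203.0.113.7 sport=3389 dst=192.168.1.40 dport=445 action=accept
2004-05-11 10:03:05 proto=udp src=192.168.1.23 sport=137 dst=192.168.1.255 dport=137 action=accept
2004-05-11 10:03:09 proto=tcp src=192.168.1.23 sport=1053 dst=198.51.100.9 dport=80 action=accept
"""

_FIELD_RE = re.compile(r"(\w+)=(\S+)")


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse one key=value log line into the fields the checks need."""
    fields = dict(_FIELD_RE.findall(line))
    return {
        "proto": fields["proto"],
        "src": ipaddress.ip_address(fields["src"]),
        "dst": ipaddress.ip_address(fields["dst"]),
        "dport": int(fields["dport"]),
    }


def classify(rec):
    """Return a label for a suspicious record, or None if it matches nothing."""
    if rec["dst"] == C2_ADDR and rec["dport"] == C2_PORT:
        return "c2"
    if rec["proto"] == "tcp" and rec["dport"] == SMB_PORT:
        if not is_internal(rec["src"]) and is_internal(rec["dst"]):
            return "inbound-smb"      # what the EXT -> INT port 445 block stops
        if is_internal(rec["src"]) and is_internal(rec["dst"]):
            return "lateral-smb"      # internal spread the block does not stop
    return None


def scan(log_text):
    """Return (label, src, dst, dport) for every suspicious line in the log."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        label = classify(rec)
        if label:
            hits.append((label, str(rec["src"]), str(rec["dst"]), rec["dport"]))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

A "c2" hit identifies the infected host directly; "lateral-smb" hits from that same source are the spreading attempts described in the Runtime.bat / PCTime32.bat analysis, and the legitimate SMB traffic on a real network means that label should be tuned to known file servers before alerting on it.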