W32/SDBot.MR!worm
Analysis
Specifics
This virus is a 32-bit Windows executable with a packed file size of 82,701
bytes. It copies itself to other systems across a LAN/WAN and, after
connecting to an IRC server and joining a channel, carries out instructions
received from a remote malicious user.
When the virus copies itself to a remote system, the file is
saved into the System32 folder as "MSIEx.exe".
That file is then executed remotely and copies itself
as "ntsyst32.exe" in the same folder.
Loading At Windows Startup
If the virus is run, it copies itself to the local system
into the drivers folder as "ntsyst32.exe"
and sets registry values so that it is launched
at each Windows startup -
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Threaded" = ntsyst32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
"Threaded" = ntsyst32.exe
The value data is a bare file name, which Windows resolves through its
standard search path. These values do not register a Windows service:
RunServices is honoured only by Windows 9x/Me, so on Windows NT/2000/XP
the Run value alone provides the persistence.
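The following is an added triage example for the persistence entries above, not Fortinet's tooling or the worm's code. It parses the text produced by `reg export` (assumed to be the offline input a responder has) and flags any REG_SZ value whose launched image is ntsyst32.exe, matching on the final path component and ignoring case because the worm writes a bare file name. The .reg sample is constructed; the two key paths and the "Threaded" value are the ones in the analysis, and the `documented` flag marks those two keys.

```python
"""Check a 'reg export' dump for the autorun entries described above.

Added example for this analysis, not Fortinet's tooling or the worm's code.
The .reg text below is constructed; the two key paths and the "Threaded"
value name and data are the ones in the analysis.
"""
import re
from typing import Dict, List, Tuple

# Persistence keys named in the analysis.
DOCUMENTED_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
}
DROPPED_NAME = "ntsyst32.exe"

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# REG_SZ lines look like "name"="data"; backslash and quote are escaped with
# a backslash. hex:/dword: values are not autorun commands and are skipped.
STR_VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Map each key in a .reg export to its REG_SZ values."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m["key"]
            keys.setdefault(current, {})
            continue
        m = STR_VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m["name"])] = _unescape(m["data"])
    return keys


def launched_image(command: str) -> str:
    """Executable part of an autorun command: a quoted path, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def find_sdbot_autoruns(text: str) -> List[Tuple[str, str, str, bool]]:
    """(key, value name, data, documented) for values that launch ntsyst32.exe.

    The worm writes a bare file name, which Windows resolves through its
    standard search path, so match on the final path component, ignoring
    case, rather than on the whole string. Every key in the export is
    checked; 'documented' marks the two keys the analysis lists.
    """
    hits = []
    for key, values in parse_reg_export(text).items():
        for name, data in values.items():
            image = launched_image(data)
            basename = image.replace("/", "\\").rsplit("\\", 1)[-1]
            if basename.lower() == DROPPED_NAME:
                hits.append((key, name, data, key in DOCUMENTED_KEYS))
    return hits


# Constructed export: the worm's two values plus one benign entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Threaded"="ntsyst32.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Threaded"="ntsyst32.exe"
'''

if __name__ == "__main__":
    for key, name, data, documented in find_sdbot_autoruns(SAMPLE_REG):
        print(f"{key}\\{name} = {data!r}  documented={documented}")
```

On a suspect host, `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion out.reg` produces input in this shape; feeding other hives (HKCU, RunOnce) is deliberate, since the check does not assume the worm only used the two keys it was observed to write.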
IRC Connection
The virus attempts to connect to an IRC server at
IP address 81.9.193.91 on destination TCP port 4564.
This outbound connection carries the virus's status
messages, and it is also the channel through which a
malicious user sends instructions to the virus.
Network Shares Infection Method
The virus may attempt to seek other machines on a network
and log on to them by running a dictionary attack
against their administrative shares. If a logon succeeds,
the virus attempts to copy itself to the target through
these shares (ipc$ is the share the logon is made against;
the others are the copy destinations), where %s is the
target's IP address -
%s\\Admin$\\system32\\MSIEx.exe
%s\\C$\\winnt\\system32\\MSIEx.exe
%s\\C$\\windows\\system32\\MSIEx.exe
%s\\Admin$\\MSIEx.exe
%s\\ipc$
The virus may then send a notification message to an
IRC channel notifying the author of the virus that the
specific system has been infected. Depending on the
operating system and the share path used, the virus sends
one of these notification messages, where %s is, as above,
an IP address -
PRIVMSG #iNFAMOUS :[NTScan - Exploited - c$\\sys32] CSendFile: %s\r\n
PRIVMSG #iNFAMOUS :[NTScan - Exploited - WinXP sys32] CSendFile: %s\r\n
PRIVMSG #iNFAMOUS :[NTScan - Exploited - WinNT sys32] CSendFile: %s\r\n
PRIVMSG #iNFAMOUS :[NTScan - Exploited - admin$ sys32] CSendFile: %s\r\n
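The following is an added detection example covering the IRC connection, the share-drop paths and the notification messages above; it is not Fortinet's tooling or the worm's code. It parses captured IRC lines for the "[NTScan - Exploited - ...] CSendFile: <ip>" notice, expands the share-drop format strings into UNC paths to sweep on the host the notice names, and picks out internal hosts with a TCP session to 81.9.193.91:4564 from flow records. Assumptions made here: the IRC and flow log lines are constructed (the flow-record shape is invented for the example), the channel name is captured rather than fixed so a re-pointed build is still caught, and the leading "\\" of the UNC paths is added because the quoted format strings omit it; the ipc$ entry is excluded because it is the logon target, not a copy destination.

```python
"""Spot the SDBot.MR IRC beacon and C2 session in captured traffic.

Added example for this analysis, not Fortinet's tooling or the worm's code.
Only the C2 endpoint, the PRIVMSG format and the share-drop format strings
come from the analysis; every log line below is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

C2_IP = "81.9.193.91"
C2_PORT = 4564

# Drop-path format strings quoted in the analysis. They are C-escaped, so each
# "\\" is one backslash in the binary, and "%s" is the target host. The
# leading "\\" of a UNC path is not in the quoted strings; adding it is an
# assumption made here. ipc$ is the logon share, not a copy target.
DROP_PATH_FORMATS = [
    "%s\\Admin$\\system32\\MSIEx.exe",
    "%s\\C$\\winnt\\system32\\MSIEx.exe",
    "%s\\C$\\windows\\system32\\MSIEx.exe",
    "%s\\Admin$\\MSIEx.exe",
]

# Beacon shape: PRIVMSG #iNFAMOUS :[NTScan - Exploited - <variant>] CSendFile: <ip>\r\n
# The channel is captured rather than fixed so a re-targeted build is still caught.
BEACON_RE = re.compile(
    r"^PRIVMSG (?P<channel>#\S+) :\[NTScan - Exploited - (?P<variant>[^\]]+)\] "
    r"CSendFile: (?P<victim>\S+)\s*$"
)

# Constructed flow-record shape (assumption): "<src_ip>:<src_port> -> <dst_ip>:<dst_port> tcp"
FLOW_RE = re.compile(
    r"^(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) tcp$"
)


@dataclass(frozen=True)
class Beacon:
    channel: str
    variant: str  # which drop path the worm reports it used
    victim: str   # the newly infected host, taken from the %s slot


def parse_beacon(line: str) -> Optional[Beacon]:
    """Return a Beacon if the IRC line is the worm's infection notice, else None."""
    m = BEACON_RE.match(line)
    return Beacon(m["channel"], m["variant"], m["victim"]) if m else None


def scan_irc_log(lines: List[str]) -> List[Beacon]:
    """Every infection notice in a capture of the IRC session."""
    return [b for b in map(parse_beacon, lines) if b is not None]


def c2_sources(flow_lines: List[str]) -> List[str]:
    """Internal hosts that opened a TCP session to the C2 server and port."""
    hits = []
    for line in flow_lines:
        m = FLOW_RE.match(line.strip())
        if m and m["dst"] == C2_IP and int(m["dport"]) == C2_PORT:
            hits.append(m["src"])
    return hits


def drop_paths(victim_ip: str) -> List[str]:
    """UNC paths to sweep for MSIEx.exe on a host that a beacon named."""
    return ["\\\\" + fmt % victim_ip for fmt in DROP_PATH_FORMATS]


if __name__ == "__main__":
    irc = [  # constructed: two beacons and one ordinary chat line
        "PRIVMSG #iNFAMOUS :[NTScan - Exploited - c$\\sys32] CSendFile: 192.0.2.15\r\n",
        "PRIVMSG #iNFAMOUS :hi all\r\n",
        "PRIVMSG #iNFAMOUS :[NTScan - Exploited - WinXP sys32] CSendFile: 192.0.2.77\r\n",
    ]
    for b in scan_irc_log(irc):
        print(f"{b.victim} infected via {b.variant}; sweep:")
        for p in drop_paths(b.victim):
            print("  ", p)
    flows = [  # constructed: one C2 session and one unrelated web request
        "192.0.2.15:1043 -> 81.9.193.91:4564 tcp",
        "192.0.2.15:1044 -> 198.51.100.20:80 tcp",
    ]
    print("C2 talkers:", c2_sources(flows))
```

The beacon is the more durable indicator of the two: a host appearing in the CSendFile slot was just written to over SMB and should be swept at the paths drop_paths() lists, whereas the C2 address and port can change between builds.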
Miscellaneous
The virus contains this string in its unpacked form
-
rBot 0.0.2 by Nils
Recommended Action
- Check the main screen using the web interface for
your FortiGate unit to ensure that the latest AV/NIDS
database has been downloaded and installed on your
system - if required, enable the "Allow Push
Update" option
- Using the FortiGate manager, block internal-to-external and external-to-internal access on TCP port 4564 - this requires defining the port as a custom service before it can be blocked
Telemetry
Detection Availability
Product | Database
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |