W32/SDBot!tr
Analysis
- Creates a mutex named memoptimizer to make sure that there is only one instance of the worm running.
- Copies itself to the System folder as memoptimize.exe and executes it. It then deletes the original file.
- Adds the following value to run itself at each Windows startup:
memory optimizer = "memoptimize.exe"
to the following subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
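As an added host triage example (not part of Fortinet's analysis), the following PowerShell checks a machine for the three indicators listed above: the startup value under Run and RunServices, the dropped copy in the System folder, and the single-instance mutex. It assumes the "System folder" is either %SystemRoot%\System or %SystemRoot%\System32, and that the mutex may live in the session-local or the Global namespace.

```powershell
# Added triage helper, not Fortinet's code. Assumptions: the "System folder" is
# %SystemRoot%\System or %SystemRoot%\System32; the mutex may live in the
# session-local or the Global namespace. Requires PowerShell 4+ (Get-FileHash).
function Test-SdbotIndicators {
    $findings  = @()
    $valueName = 'memory optimizer'
    $fileName  = 'memoptimize.exe'
    $mutexName = 'memoptimizer'

    # 1. Persistence: the startup value under Run and RunServices
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
    )
    foreach ($key in $runKeys) {
        $item = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $findings += "Registry: $key\$valueName = '$($item.$valueName)'"
        }
    }

    # 2. Dropped copy in the System folder (hashed for the incident record)
    foreach ($dir in @("$env:SystemRoot\System", "$env:SystemRoot\System32")) {
        $path = Join-Path $dir $fileName
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $findings += "File: $path (SHA256 $hash)"
        }
    }

    # 3. Running instance: the single-instance mutex the worm creates
    foreach ($name in @($mutexName, "Global\$mutexName")) {
        try {
            $m = [System.Threading.Mutex]::OpenExisting($name)
            $m.Dispose()
            $findings += "Mutex: '$name' exists, an instance is likely running"
        } catch [System.Threading.WaitHandleCannotBeOpenedException] {
            # not present: nothing to report
        } catch [System.UnauthorizedAccessException] {
            $findings += "Mutex: '$name' exists but could not be opened (access denied)"
        }
    }
    return $findings
}

# Empty output means none of the three indicators was found on this host.
Test-SdbotIndicators
```

Run it in an elevated session so that HKLM and the System folder are readable; a non-empty result is a lead for isolation and a fuller scan, not proof of infection on its own.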
Backdoor/Trojan Behavior
- Attempts to terminate the following processes:
- AvpM.exe
- avpcc.exe
- Avp32.exe
- Connects to the Internet Relay Chat (IRC) server ihaved.com, joins a channel, and listens for commands that allow the remote attacker to perform any of the following actions:
- Send user information to server
- Manage the installation of the back door
- Control the IRC client on a compromised computer
- Dynamically update the Trojan
- Send the Trojan to other IRC channels to attempt to compromise other computers
- Download and execute files
- Deliver system and network information to the attacker
Recommended Action
FortiGate systems:
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system. If required, enable the "Allow Push Update" option.
Telemetry
Detection Availability
Product | Availability
---|---
FortiGate | Extreme
FortiClient | Extended
FortiMail | Extended
FortiSandbox | Extended
FortiWeb | Extended
Web Application Firewall | Extended
FortiIsolator | Extended
FortiDeceptor | Extended
FortiEDR |