VirusW32/SDBot!tr
Analysis
- Creates a mutex named memoptimizer to make sure that there is only one instance of the worm running.
- Copies itself to the System folder as memoptimize.exe and executes it. It then deletes the original file.
- Adds the following value to run itself at each Windows startup:
memory optimizer = "memoptimize.exe"
to the following subkeys:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Backdoor/Trojan Behavior
- Attempts to terminate the following processes:
- AvpM.exe
- avpcc.exe
- Avp32.exe
- Connects to the Internet Relay Chat (IRC) server ihaved.com, joins a channel, and listens for commands that allow the remote attacker to perform any of the following actions:
- Send user information to server
- Manage the installation of the back door
- Control the IRC client on a compromised computer
- Dynamically update the Trojan
- Send the Trojan to other IRC channels to attempt to compromise other computers
- Download and execute files
- Deliver system and network information to the attacker
Recommended Action
-
FortiGate systems:
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
Telemetry
Detection Availability
| FortiGate | |
|---|---|
| Extreme | |
| FortiClient | |
| Extended | |
| FortiMail | |
| Extended | |
| FortiSandbox | |
| Extended | |
| FortiWeb | |
| Extended | |
| Web Application Firewall | |
| Extended | |
| FortiIsolator | |
| Extended | |
| FortiDeceptor | |
| Extended | |
| FortiEDR |