W32/RPC-SDBot.A!worm
Analysis
- Virus is 32-bit with a compressed size of 24,064
bytes and runs memory resident by inserting its code
into the already running shell Explorer.exe
- If virus is run, it may copy itself to the temp
folder as "asrcs.txt" and then move itself
into the Windows\System32 folder as "winlogin.exe"
- Virus may also create a related file "yuetyutr.dll"
(43,520 bytes) in the same folder
- The virus will then modify the registry to run
at Windows startup [note the rather long string] -
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce\
"winlogon" = "winlogin.exe linuzguy unchained rage 1.1 MIRC CHAIN SCRIPT tateravo asdasd#$@#$#@ASFDASASFASFASASASDASASFASDFASDASSDA SOFTWARE\"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"NDplDeamon" = winlogin.exe
"winlogon" = "winlogin.exe linuzguy unchained rage 1.1 MIRC CHAIN SCRIPT tateravo asdasd#$@#$#@ASFDASASFASFASASASDASASFASDFASDASSDA SOFTWARE\"
- Virus will attempt to identify and infect computers
on the same subnet by first enumerating them in the
network using SMB (server message block) protocol
on TCP port 138
- Virus will attempt to connect with these systems,
and if connected, will then attempt to exploit the
potential host using a known exploit against DCOM
RPC
- If the virus gains access to the system, it may
use TFTP (Trivial FTP) instructions to download itself
to the victim machine, into the Windows\System32 folder
as winlogin.exe
- If the target system is infected, the virus will
launch the copied file remotely
- The virus will load the IRC bot component it created
as "yuetyutr.dll" and allow connections
to the infected host on TCP port 4444
- Virus may delete the file TFTP.EXE which is common
to the installation of Windows 2000
- Virus contains the string "spybot.dll"
in its code
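The two host-side indicators above that an administrator can check offline are the Run/RunOnce persistence values and the bot listener on TCP 4444. The script below is an added example, not Fortinet's code: it parses a text export of the Run and RunOnce keys in the format written by `reg export` (Windows Registry Editor Version 5.00), flags any value that launches winlogin.exe (the dropped file, distinct from the legitimate winlogon.exe), and scans `netstat -an` style output for a listener on port 4444. The registry dump and netstat lines embedded in it are constructed samples; the file-size and path values come from the analysis above.

```python
"""Offline IoC check for the W32/RPC-SDBot.A!worm persistence entries.

Added example (not Fortinet's code). Input formats assumed:
  - registry: text produced by `reg export <key> out.reg` (REG_SZ values only)
  - netstat:  output of `netstat -an` on Windows
Both samples below are constructed for the example.
"""
import re

# Indicators from the analysis: persistence locations, dropped files, bot port.
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
DROPPED_FILES = ("winlogin.exe", "yuetyutr.dll")
BOT_PORT = 4444

# Constructed .reg export: two worm values plus one benign entry (ctfmon).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"winlogon"="winlogin.exe linuzguy unchained rage 1.1 MIRC CHAIN SCRIPT tateravo asdasd#$@#$#@ASFDASASFASFASASASDASASFASDFASDASSDA SOFTWARE\\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="ctfmon.exe"
"NDplDeamon"="winlogin.exe"
"winlogon"="winlogin.exe linuzguy unchained rage 1.1 MIRC CHAIN SCRIPT tateravo asdasd#$@#$#@ASFDASASFASFASASASDASASFASDFASDASSDA SOFTWARE\\"
"""

# Constructed `netstat -an` excerpt with the bot listener present.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1052      192.168.1.5:445        ESTABLISHED
"""

_VALUE_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: data}}.

    Only quoted REG_SZ values ("name"="data") are handled, which is all the
    Run/RunOnce persistence entries use. Backslash escapes (\\\\ and \\") are
    removed so the data matches what the registry actually holds.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), re.sub(r"\\(.)", r"\1", m.group(2))
            keys[current][name] = data
    return keys


def find_persistence(keys):
    """Return (key, value_name, data) for Run/RunOnce values launching winlogin.exe.

    The worm names its value "winlogon" to resemble the legitimate
    winlogon.exe; matching on the dropped file name winlogin.exe avoids
    flagging real Windows components.
    """
    wanted = {k.lower() for k in RUN_KEYS}
    hits = []
    for key, values in keys.items():
        if key.lower() not in wanted:
            continue
        for name, data in values.items():
            if DROPPED_FILES[0] in data.lower():
                hits.append((key, name, data))
    return hits


def find_bot_listener(netstat_text, port=BOT_PORT):
    """Return local endpoints from `netstat -an` output that listen on the bot port."""
    hits = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            local = parts[1]
            if local.rsplit(":", 1)[-1] == str(port):
                hits.append(local)
    return hits


def report(reg_text, netstat_text):
    """Combine both checks into one result dict; 'infected' is True on any hit."""
    persistence = find_persistence(parse_reg_export(reg_text))
    listeners = find_bot_listener(netstat_text)
    return {
        "persistence": persistence,
        "listeners": listeners,
        "infected": bool(persistence or listeners),
    }


if __name__ == "__main__":
    # Replace the constructed samples with real `reg export` / `netstat -an` output.
    result = report(SAMPLE_REG, SAMPLE_NETSTAT)
    for key, name, data in result["persistence"]:
        print(f"persistence: {key} -> {name} = {data[:40]}...")
    for endpoint in result["listeners"]:
        print(f"bot listener: {endpoint}")
    print("INFECTED" if result["infected"] else "clean")
```

On a live host the same functions can be fed the output of `reg export` for the two keys and of `netstat -an`; the port check is only meaningful if the listener is actually bound, so pair it with a search of Windows\System32 for the two dropped files (yuetyutr.dll is reported at 43,520 bytes).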
Recommended Action
- Microsoft recommended prevention methods -
- turn on Internet Connection Firewall (Windows XP or Windows Server 2003)
- Use FortiGate unit to block TCP ports 135, 139, 445 and 593; UDP ports 135, 137, 138; also UDP 69 (TFTP) and TCP 4444 for the remote command shell
- ensure computers are patched for the vulnerability that is identified in Microsoft Security Bulletin MS03-026
- Additional reference - How to configure TCP/IP Filtering in Windows 2000