Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:29/11/2005
In the wild:Yes
Reported Infections:Low
Distribution Potential:Medium
Damage Potential:Medium
Static file:Yes
File size:34.709 Bytes
MD5 checksum:3d6bd481eb390817f5599465dffc7986
VDF version:

 General Method of propagation:
   • Local network

   •  Symantec: W32.Randex
   •  TrendMicro: WORM_SDBOT.CKX
   •  Sophos: W32/Sdbot-Fam
   •  Panda: W32/Sdbot.FTB.worm
   •  VirusBuster: Worm.SdBot.BPA
   •  Bitdefender: Backdoor.SDBot.7897B21C

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Registry modification
   • Third party control

 Files It copies itself to the following location:
   • %SYSDIR%\richword.exe

 Registry The following registry keys are added in order to run the processes after reboot:

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • "Alleria" = "richword.exe"

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
   • "Alleria" = "richword.exe"

– HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • "Alleria" = "richword.exe"

 Network Infection In order to ensure its propagation the malware attemps to connect to other machines as described below.

It drops copies of itself to the following network shares:
   • IPC$
   • C$\Documents and Settings\All Users\Documents\
   • C$\shared
   • C$\windows\system32
   • c$\winnt\system32
   • ADMIN$\system32\

It uses the following login information in order to gain access to the remote machine:

– A list of usernames and passwords:
   • oeminstall; staff; teacher; student1; student; afro; turnip; glen;
      freddy; fred; bill; intranet; lan; nokia; ctx; headoffice; main;
      userpassword; capitol; winpass; blank; office; mass; control; pink;
      yellow; siemens; compaq; dell; cisco; sqlpass; sql; db1234; db1;
      databasepassword; data; databasepass; dbpassword; dbpass; access;
      database; domainpassword; domainpass; domain; orange; heaven; fish;
      hell; god; sex; fuck; exchnge; exchange; backup; technical; sage; owa;
      loginpass; login; katie; kate; bruce; barbara; sam; ron; luke; peter;
      john; mike; qwe; zxc; asd; qaz; win2000; winnt; winxp; win2k; win98;
      windows; oemuser; oem; user1; user; homeuser; home; accounting;
      accounts; internet; www; web; default; changeme; none; guest; test;
      007; 121; adm; admin; administrateur; administrator; pass1234;
      password1; pwd; pass; passwd; password

 IRC To deliver system information and to provide remote control it connects to the following IRC Server:

Port: 5570
Channel: #sk
Nickname: %eight-digit random character string%

– Furthermore it has the ability to perform the following action:
    • Launch DDoS SYN flood
    • Download file
    • Execute file
    • Updates itself

 Miscellaneous Mutex:
It creates the following Mutex:
   • swapme

 File details Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
   • MEW

Description inserted by Irina Boldea on Tuesday, April 11, 2006
Description updated by Irina Boldea on Tuesday, April 11, 2006

Back . . . .