Virus:Worm/Sdbot.41906
Date discovered:13/09/2006
Type:Worm
In the wild:No
Reported Infections:Low
Distribution Potential:Medium
Damage Potential:Medium
Static file:Yes
File size:41.906 Bytes
MD5 checksum:1985be77497205b2b3575f6fb194baed
VDF version:6.35.01.217
IVDF version:6.35.01.221

 General Methods of propagation:
   • Local network
   • Messenger


Aliases:
   •  Kaspersky: Backdoor.Win32.SdBot.aad
   •  F-Secure: Backdoor.Win32.SdBot.aad
   •  Bitdefender: Backdoor.SDBot.10246257


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Disable security applications
   • Registry modification
   • Makes use of software vulnerability
   • Steals information
   • Third party control

 Files It copies itself to the following location:
   • %SYSDIR%\csrv.exe



It deletes the initially executed copy of itself.

 Registry The following registry keys are added in order to load the services after reboot:

– HKLM\SYSTEM\CurrentControlSet\Services\Sniff Managmnet Service
   • "Type"=dword:00000110
   • "Start"=dword:00000002
   • "ErrorControl"=dword:00000000
   • "ImagePath"="%SYSDIR%\csrv.exe"
   • "DisplayName"="Sniff Managmnet Service"
   • "ObjectName"="LocalSystem"
   • "FailureActions"=%hex values%
   • "Description"="Sniff Managmnet Service"

– HKLM\SYSTEM\CurrentControlSet\Services\Sniff Managmnet Service\Enum
   • "0"="Root\LEGACY_SNIFF_MANAGMNET_SERVICE\0000"
   • "Count"=dword:00000001
   • "NextInstance"=dword:00000001

– HKLM\SYSTEM\CurrentControlSet\Services\Sniff Managmnet Service\
   Security
   • "Security"=%hex values%



The following registry keys are added:

– HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
   • "AutoShareWks"=dword:00000000
   • "AutoShareServer"=dword:00000000

– HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
   • "DoNotAllowXPSP2"=dword:00000001



The following registry keys are changed:

– HKLM\SYSTEM\ControlSet001\Control\ServiceCurrent
   Old value:
   • "(default)"=dword:0000000d
   New value:
   • "(default)"=dword:0000000e

– HKLM\SYSTEM\CurrentControlSet\Control
   Old value:
   • "WaitToKillServiceTimeout"="20000"
   New value:
   • "WaitToKillServiceTimeout"="7000"

– HKLM\SOFTWARE\Microsoft\Security Center
   Old value:
   • "UpdatesDisableNotify"=%user defined settings%
   • "AntiVirusDisableNotify"=%user defined settings%
   • "FirewallDisableNotify"=%user defined settings%
   • "AntiVirusOverride"=%user defined settings%
   • "FirewallOverride"=%user defined settings%
   New value:
   • "UpdatesDisableNotify"=dword:00000001
   • "AntiVirusDisableNotify"=dword:00000001
   • "FirewallDisableNotify"=dword:00000001
   • "AntiVirusOverride"=dword:00000001
   • "FirewallOverride"=dword:00000001

Deactivate Windows Firewall:
– HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
   New value:
   • "EnableFirewall"=dword:00000000

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\
   Auto Update
   Old value:
   • "AUOptions"=%user defined settings%
   New value:
   • "AUOptions"=dword:00000001

– HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
   Old value:
   • "Start"=dword:00000002
   New value:
   • "Start"=dword:00000004

– HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
   Old value:
   • "Start"=dword:00000003
   New value:
   • "Start"=dword:00000004

– HKLM\SYSTEM\CurrentControlSet\Services\RemoteRegistry
   Old value:
   • "Start"=dword:00000002
   New value:
   • "Start"=dword:00000004

– HKLM\SYSTEM\CurrentControlSet\Services\Messenger
   Old value:
   • "Start"=dword:00000002
   New value:
   • "Start"=dword:00000004

– HKLM\SYSTEM\CurrentControlSet\Control\Lsa
   Old value:
   • "restrictanonymous"=dword:00000000
   New value:
   • "restrictanonymous"=dword:00000001

– HKLM\SOFTWARE\Microsoft\Ole
   Old value:
   • "EnableDCOM"="Y"
   New value:
   • "EnableDCOM"="N"

 Messenger It is spreading via Messenger. The characteristics are described below:

– AIM Messenger

 Network Infection In order to ensure its propagation the malware attemps to connect to other machines as described below.

It drops copies of itself to the following network shares:
   • IPC$
   • ADMIN$


Exploit:
It makes use of the following Exploits:
– MS03-026 (Buffer Overrun in RPC Interface)
– MS03-039 (Buffer Overrun in RPCSS Service)
– MS04-007 (ASN.1 Vulnerability)
– MS04-011 (LSASS Vulnerability)
– MS05-039 (Vulnerability in Plug and Play)


Infection process:
Creates an FTP script on the compromised machine in order to download the malware to the remote location.


Remote execution:
–It attempts to schedule a remote execution of the malware, on the newly infected machine. Therefore it uses the NetScheduleJobAdd function.

 IRC To deliver system information and to provide remote control it connects to the following IRC Server:

Server: ircstyle**********
Port: 6667
Server password: nadjoe
Channel: #yourzniff
Nickname: [P00|USA|%number%]
Password: x



– This malware has the ability to collect and send information such as:
    • Current user
    • Free disk space
    • Free memory
    • Malware uptime
    • Information about the network
    • Information about running processes
    • Information about the Windows operating system


– Furthermore it has the ability to perform actions such as:
    • connect to IRC server
    • Disable DCOM
    • disconnect from IRC server
    • Download file
    • Edit registry
    • Enable DCOM
    • Execute file
    • Join IRC channel
    • Kill process
    • Leave IRC channel
    • Open remote shell
    • Perform DDoS attack
    • Perform network scan
    • Register a service
    • Shut down system
    • Start spreading routine
    • Updates itself

 Miscellaneous Mutex:
It creates the following Mutex:
   • ^M˜A

 File details Programming language:
 The malware program was written in MS Visual C++.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Teodor Onisor on Friday, September 22, 2006
Description updated by Teodor Onisor on Monday, September 25, 2006

Back . . . .