Virus: Worm/SdBot.208896.6
Date discovered: 18/11/2005
Type: Worm
In the wild: Yes
Reported Infections: Low
Distribution Potential: Medium
Damage Potential: Medium
Static file: Yes
File size: 208.896 Bytes
MD5 checksum: 2AB4B169221714C52AAF14E48A8E09E3
VDF version: 6.32.00.192

General
Method of propagation:
   • Local network


Aliases:
   •  Symantec: W32.Spybot.Worm
   •  Kaspersky: Backdoor.Win32.SdBot.ain
   •  TrendMicro: WORM_RBOT.CUE
   •  Sophos: W32/Sdbot-AOL
   •  Grisoft: IRC/BackDoor.SdBot.OQE
   •  Eset: IRC/SdBot
   •  Bitdefender: Win32.Worm.Mybot.IP


Platforms / OS:
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Disable security applications
   • Drops a malicious file
   • Registry modification
   • Makes use of software vulnerability
   • Steals information
   • Third party control

Files
It copies itself to the following location:
   • %WINDIR%\gcxsrvc.exe



It deletes the initially executed copy of itself.



The following file is created:
   • %SYSDIR%\drivers\rofl.sys

It is executed as soon as it has been fully written. Further investigation showed that this file is malware too, detected as BDS/Aimbot.AF.5.

Registry
The following registry keys are added in order to load the services after reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\GCX Service]
   • "Type"=dword:00000110
   • "Start"=dword:00000002
   • "ErrorControl"=dword:00000000
   • "ImagePath"=hex(2):%WINDIR%\gcxsrvc.exe
   • "DisplayName"="GCX Service"
   • "ObjectName"="LocalSystem"
   • "FailureActions"=hex:%hex values%
   • "Description"="Provides Windows Access To Use The GCX Protocol"

– [HKLM\SYSTEM\CurrentControlSet\Services\GCX Service\Enum]
   • "0"="Root\\LEGACY_SVCWIN32UPDATE\\0000"
   • "Count"=dword:00000001
   • "NextInstance"=dword:00000001

– [HKLM\SYSTEM\CurrentControlSet\Services\GCX Service\Security]
   • "Security"=hex:%hex values%

– [HKLM\SYSTEM\CurrentControlSet\Services\rofl]
   • "Type"=dword:00000001
   • "Start"=dword:00000003
   • "ErrorControl"=dword:00000001
   • "ImagePath"=hex(2):%SYSDIR%\drivers\rofl.sys
   • "DisplayName"="rofl"

– [HKLM\SYSTEM\CurrentControlSet\Services\rofl\Security]
   • "Security"=hex:%hex values%

– [HKLM\SYSTEM\CurrentControlSet\Services\rofl\Enum]
   • "0"="Root\\LEGACY_ROFL\\0000"
   • "Count"=dword:00000001
   • "NextInstance"=dword:00000001



The value of the following registry key is removed:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions]
   • "MK"="%malware execution directory%\%executed file%"



The following registry key is added:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions]
   • "IT"="%current date%, %current time%"
   • "RU"=%double-byte-characters%
   • "MK"="%malware execution directory%\%executed file%"



The following registry keys are changed:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update]
   Old value:
   • "AUOptions"=%user defined settings%
   New value:
   • "AUOptions"=dword:00000001

– [HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
   Old value:
   • "EnableFirewall"=%user defined settings%
   New value:
   • "EnableFirewall"=dword:00000000

– [HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
   Old value:
   • "EnableFirewall"=%user defined settings%
   New value:
   • "EnableFirewall"=dword:00000000

– [HKLM\SOFTWARE\Microsoft\Security Center]
   Old value:
   • "UpdatesDisableNotify"=%user defined settings%
   • "AntiVirusDisableNotify"=%user defined settings%
   • "FirewallDisableNotify"=%user defined settings%
   • "AntiVirusOverride"=%user defined settings%
   • "FirewallOverride"=%user defined settings%
   New value:
   • "UpdatesDisableNotify"=dword:00000001
   • "AntiVirusDisableNotify"=dword:00000001
   • "FirewallDisableNotify"=dword:00000001
   • "AntiVirusOverride"=dword:00000001
   • "FirewallOverride"=dword:00000001

– [HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
   Old value:
   • "restrictanonymous"=%user defined settings%
   New value:
   • "restrictanonymous"=dword:00000001

– [HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
   Old value:
   • "AutoShareWks"=%user defined settings%
   • "AutoShareServer"=%user defined settings%
   New value:
   • "AutoShareWks"=dword:00000000
   • "AutoShareServer"=dword:00000000

– [HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]
   Old value:
   • "AutoShareWks"=%user defined settings%
   • "AutoShareServer"=%user defined settings%
   New value:
   • "AutoShareWks"=dword:00000000
   • "AutoShareServer"=dword:00000000

– [HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
   Old value:
   • "DoNotAllowXPSP2"=%user defined settings%
   New value:
   • "DoNotAllowXPSP2"=dword:00000001

– [HKLM\Software\Microsoft\OLE]
   Old value:
   • "EnableDCOM"=%user defined settings%
   New value:
   • "EnableDCOM"="N"

– [HKLM\SYSTEM\CurrentControlSet\Control]
   Old value:
   • "WaitToKillServiceTimeout"=%user defined settings%
   New value:
   • "WaitToKillServiceTimeout"="7000"
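The file, service and registry artifacts listed above can be checked for on a suspect host in one pass. The following read-only PowerShell triage script is an added example, not Avira's code; it assumes the %SYSDIR% of the description is the System32 directory and that it is run with rights to read HKLM.

```powershell
# Added triage script (not Avira's code): reports host artifacts matching the
# indicators in this description. Read-only; it only prints findings.
$findings = @()

# 1. Dropped files (%WINDIR% and %SYSDIR% from the description, expanded here)
$files = @(
    (Join-Path $env:WINDIR 'gcxsrvc.exe'),
    (Join-Path $env:SystemRoot 'System32\drivers\rofl.sys')
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

# 2. Services registered for persistence after reboot
foreach ($svc in 'GCX Service', 'rofl') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (Test-Path -LiteralPath $key) {
        $img = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).ImagePath
        $findings += "Service key present: $key (ImagePath=$img)"
    }
}

# 3. Marker values the worm writes under Shell Extensions
$ext = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions'
if (Test-Path -LiteralPath $ext) {
    $p = Get-ItemProperty -LiteralPath $ext
    foreach ($name in 'IT', 'RU', 'MK') {
        if ($null -ne $p.$name) { $findings += "Marker value ${name} under Shell Extensions: $($p.$name)" }
    }
}

# 4. Security-weakening values (key -> value name -> value the worm sets)
$weak = @{
    'HKLM:\SOFTWARE\Microsoft\Security Center' = @{ AntiVirusDisableNotify = 1; FirewallDisableNotify = 1; UpdatesDisableNotify = 1; AntiVirusOverride = 1; FirewallOverride = 1 }
    'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'   = @{ EnableFirewall = 0 }
    'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile' = @{ EnableFirewall = 0 }
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'           = @{ DoNotAllowXPSP2 = 1 }
}
foreach ($key in $weak.Keys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $p = Get-ItemProperty -LiteralPath $key
    foreach ($name in $weak[$key].Keys) {
        if ($p.$name -eq $weak[$key][$name]) { $findings += "Weakened setting: $key\$name = $($p.$name)" }
    }
}

if ($findings.Count -eq 0) { 'No indicators from this description found.' } else { $findings }
```

Because the sample hides its own process with rootkit techniques, an empty result from a live system is not conclusive; the file and registry checks are more reliable when run against an offline image or from a clean boot environment.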

Network Infection
In order to ensure its propagation the malware attempts to connect to other machines as described below.

It drops copies of itself to the following network shares:
   • d$\windows\system32
   • d$\winnt\system32
   • c$\windows\system32
   • c$\winnt\system32
   • Admin$\system32
   • Admin$
   • IPC$
   • C$
   • %all shared folders%


It uses the following login information in order to gain access to the remote machine:

– A list of usernames and passwords:
   • admin; root; server; asdfgh; asdf; !@; $%^&; !@; $%^; !@; $%; !@; $;
      654321; 123456; 12345; 1234; 123; 111; administrator



Exploit:
It makes use of the following Exploits:
– MS02-061 (Elevation of Privilege in SQL Server Web)
– MS03-026 (Buffer Overrun in RPC Interface)
– MS03-039 (Buffer Overrun in RPCSS Service)
– MS03-049 (Buffer Overrun in the Workstation Service)
– MS04-007 (ASN.1 Vulnerability)
– MS04-011 (LSASS Vulnerability)
– MS05-039 (Vulnerability in Plug and Play)


Infection process:
Creates an FTP script on the compromised machine in order to download the malware onto the remote machine.


Remote execution:
– It attempts to schedule remote execution of the malware on the newly infected machine. For this it uses the NetScheduleJobAdd function.

IRC
To deliver system information and to provide remote control it connects to the following IRC server:

Server: please.syn-flood.**********
Port: 7000
Server password: 95A55AF65B1D42616B4D6C5
Channel: #GCX
Nickname: [%operating system%|P|USA|%number%]
Password: 5B7BB38F4BDF71513DEE624



– This malware has the ability to collect and send information such as:
    • CPU speed
    • Current user
    • Details about drivers
    • Free disk space
    • Free memory
    • Malware uptime
    • Information about the network
    • Information about running processes
    • Size of memory


– Furthermore it has the ability to perform actions such as:
    • Launch DDoS ICMP flood
    • Launch DDoS SYN flood
    • Launch DDoS UDP flood
    • Disable network shares
    • Download file
    • Enable network shares
    • Execute file
    • Join IRC channel
    • Kill process
    • Perform network scan
    • Perform port redirection
    • Start spreading routine
    • Updates itself

Process termination
List of services that are disabled:
   • Windows Firewall/ICS
   • Security Center
   • Messenger
   • Remote Registry
   • Telnet

Backdoor
Contact server:
One of the following:
   • http://hpcgi1.nifty.com/mute/c/**********
   • http://www.age.ne.jp/x/maxwell/cgi-bin/**********
   • http://www2.dokidoki.ne.jp/tomocrus/cgi-bin/check/**********
   • http://cgi14.plala.or.jp/little_w/**********
   • http://yia.s22.xrea.com/**********
   • http://www.kinchan.net/cgi-bin/**********

This is done via the HTTP GET request on a CGI script.

Stealing
It tries to steal the following information:
– Recorded passwords used by the AutoComplete function
– Email account information obtained from the registry key: HKCU\Software\Microsoft\Internet Account Manager\Accounts

– Passwords from the following programs:
   • MSN
   • Outlook Express
   • AOL Instant Messenger

Miscellaneous
Checks for an internet connection by contacting the following web site:
   • http://windowsupdate.microsoft.com


Anti debugging
It checks if the following program is running:
   • SoftIce


Rootkit Technology
It is a malware-specific technology. The malware hides its presence from system utilities, security applications and, in the end, from the user.


Hides the following:
– Its own process

File details
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to hamper detection and reduce the size of the file it is packed with the following runtime packer:
   • UPX

Description inserted by Iulia Diaconescu on Thursday, October 26, 2006
Description updated by Iulia Diaconescu on Monday, November 6, 2006
