Virus: Worm/SdBot.41984.42
Date discovered: 07/08/2007
Type: Worm
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low to medium
Damage Potential: Medium
Static file: Yes
File size: 41.984 Bytes
MD5 checksum: 8f8b66e936ba101efc6e3cb5d1dec814
IVDF version: 6.39.00.219 - Tuesday, August 7, 2007

General

Method of propagation:
• Messenger

Aliases:
• Mcafee: W32/Checkout
• Kaspersky: Backdoor.Win32.SdBot.aad
• F-Secure: Backdoor.Win32.SdBot.aad
• Sophos: W32/Imagine-A
• Panda: W32/MSNPoopy.A.worm
• Grisoft: IRC-Worm/Delf.CF
• Eset: Win32/IRCBot.XZ
• Bitdefender: Backdoor.Sdbot.AUX

Platforms / OS:
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Disables security applications
• Drops files
• Lowers security settings
• Registry modification
• Makes use of software vulnerability
• Steals information
• Third party control

Files

It copies itself to the following location:
• %WINDIR%\svchost.exe
Note: the legitimate svchost.exe resides in %SYSDIR%, so a copy of this name in %WINDIR% is a useful indicator on its own.

It copies itself within an archive to the following location:
• %WINDIR%\img1756.zip

It deletes the following file:
• C:\a.bat

The following file is created:
– C:\a.bat
This batch file is executed as soon as it has been fully written; it is used to delete a file.

It tries to execute the following files:
– Filename: %SYSDIR%\net.exe, using the following command line arguments: stop "Security Center"
– Filename: %SYSDIR%\net.exe, using the following command line arguments: stop winvnc4
– Filename: %SYSDIR%\net1.exe, using the following command line arguments: stop "Security Center"
– Filename: %SYSDIR%\net1.exe, using the following command line arguments: stop winvnc4

Registry

The following registry key is added in order to run the process after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "Microsoft Genuine Logon"="svchost.exe"

Messenger

It spreads via Messenger. The characteristics are described below:
– Windows Live Messenger

Message
The sent message looks like one of the following:
• look @ my cute new puppy :-D
• look @ this picture of me, when I was a kid
• I just took this picture with my webcam, like it?
• check it, i shaved my head
• have u seen my new hair?
• what the fuck, did you see this?
• hey man, did you take this picture?

Propagation via file
It sends a file with the following name:
• img1756.zip

IRC

To deliver system information and to provide remote control it connects to the following IRC server:
Server: vpn.basecore.**********
Port: 1863
Server password: letmein
Channel: #VPN#
Nickname: %random character string%
Password: torrent

– This malware has the ability to collect and send the following information:
• Malware uptime
• Information about the Windows operating system

– Furthermore it has the ability to perform actions such as:
• Disconnect from IRC server
• Download file
• Execute file
• Kill process
• Restart system
• Start spreading routine
• Update itself

Process termination

List of services that are disabled:
• Security Center
• winvnc4

Miscellaneous

Mutex:
It creates the following mutex:
• JFangaY

File details

Runtime packer:
In order to hamper detection and reduce the size of the file, it is packed with a runtime packer.
Description inserted by Adriana Popa on Friday, November 9, 2007 Description updated by Adriana Popa on Friday, November 9, 2007