Virus: Worm/SdBot.138752.8
Date discovered: 20/08/2007
Type: Worm
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low to medium
Damage Potential: Medium
Static file: Yes
File size: 138.752 Bytes
MD5 checksum: 5101877e880Eae72419d17cef84ee9b9
IVDF version: 6.39.01.22 - Monday, August 20, 2007
General
Method of propagation:
• Messenger

Aliases:
• Mcafee: W32/Sdbot.worm
• Kaspersky: Backdoor.Win32.SdBot.blt
• Eset: Win32/IRCBot.YW

Platforms / OS:
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Disables security applications
• Drops files
• Lowers security settings
• Registry modification
• Makes use of software vulnerability
• Steals information
• Third party control

Files
It copies itself to the following location:
• %WINDIR%\winsyshp.exe

It copies itself within an archive to the following location:
• %WINDIR%\img317.zip

It deletes the following file:
• C:\a.bat

The following file is created:
– C:\a.bat
This batch file is executed as soon as it has been fully written, and its purpose is to delete a file.

It tries to execute the following files:
– Filename: %SYSDIR%\net.exe, with the command line arguments: stop "Security Center"
– Filename: %SYSDIR%\net.exe, with the command line arguments: stop winvnc4
– Filename: %SYSDIR%\net1.exe, with the command line arguments: stop "Security Center"
– Filename: %SYSDIR%\net1.exe, with the command line arguments: stop winvnc4

Registry
The following registry key is added in order to run the process after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "Microsoft Visual Application"="winsyshp.exe"

Messenger
It spreads via Messenger. The characteristics are described below:
– Windows Live Messenger

Message
The sent message looks like one of the following:
• Why is this picture blurry?
• Look @ my new car?
• Where did you find this picture?
• why did you show me this picture?
• look at my baby picture
• Did you see this?
• Where is this picture taken?
• Did you take this picture?
• you drunk 2 much in this picture
• Why are you naked in this picture?
• look @ this
• accept this picture
• hey, mom my just told me 2 show this 2 you

Propagation via file
It sends a file with the following name:
• img317.zip

IRC
To deliver system information and to provide remote control it connects to the following IRC server:
Server: pwn.basecore.**********
Port: 1863
Server password: letmein
Channel: #PWN#
Nickname: %random character string%
Password: torrent

– This malware has the ability to collect and send the following information:
• Malware uptime
• Information about the Windows operating system

– Furthermore it has the ability to perform actions such as:
• Disconnect from IRC server
• Download file
• Execute file
• Kill process
• Restart system
• Start spreading routine
• Update itself

Process termination
List of services that are disabled:
• Security Center
• winvnc4

Miscellaneous
Mutex:
It creates the following mutex:
• fjasdf

File details
Runtime packer:
To hamper detection and reduce the size of the file, it is packed with a runtime packer.
Description inserted by Adriana Popa on Friday, November 9, 2007 Description updated by Adriana Popa on Friday, November 9, 2007