Worm/SdBot.55808.28 - Worm
Virus:
Worm/SdBot.55808.28
Date discovered:
18/08/2005
Type:
Worm
Subtype:
ircbot
In the wild:
No
Reported Infections:
Low
Distribution Potential:
Medium
Damage Potential:
Medium
Static file:
Yes
File size:
55.808 Bytes
MD5 checksum:
30961b5fc6db0469e725a98ed0941705
VDF version:
6.31.1.50
General
Methods of propagation:
• Local network
• Mapped network drives
Aliases:
• Symantec: W32.Randex
• Mcafee: W32/Sdbot.worm.gen.bj
• Kaspersky: Backdoor.Win32.SdBot.gen
• VirusBuster: Worm.SdBot.BBX
Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
Side effects:
• Downloads malicious files
• Registry modification
• Makes use of software vulnerability
• Steals information
• Third party control
Files
It copies itself to the following location:
• %SYSDIR%\NAVARSVC.exe
Registry
The following registry values are added so that the process is started again after each reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "Microsoft Video Capture Controls"="NAVARSVC.exe"
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
• "Microsoft Video Capture Controls"="NAVARSVC.exe"
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
• "Microsoft Video Capture Controls"="NAVARSVC.exe"
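A worked check for the persistence entries listed above, added here as an example and not part of the Avira description: it parses a `reg export` dump for the three autostart keys, flags the documented value name or dropped file name, and compares a file's MD5 against the sample hash given above. The .reg text in the block is constructed for the example, not taken from an infected host.

```python
import hashlib
import re

# Indicators taken from the description above (HKLM/HKCU spelled out as in a .reg export).
IOC_VALUE_NAME = "Microsoft Video Capture Controls"
IOC_FILE_NAME = "NAVARSVC.exe"
IOC_MD5 = "30961b5fc6db0469e725a98ed0941705"
IOC_RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}

# Constructed .reg dump for the example; not taken from an infected host.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools"="C:\\Program Files\\VMware\\VMwareTray.exe"
"Microsoft Video Capture Controls"="NAVARSVC.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Video Capture Controls"="NAVARSVC.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: data}}; only string values matter here."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            # .reg doubles backslashes inside quoted string data; undo that.
            keys[current][m.group("name")] = m.group("data").strip('"').replace("\\\\", "\\")
    return keys


def find_persistence(reg_text):
    """Return (key, value_name, data) for every autostart entry matching the IOC."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() not in IOC_RUN_KEYS:
            continue
        for name, data in values.items():
            if name == IOC_VALUE_NAME or data.lower().endswith(IOC_FILE_NAME.lower()):
                hits.append((key, name, data))
    return hits


def matches_sample_hash(file_bytes):
    """True if the dropped file's MD5 equals the hash given in the description."""
    return hashlib.md5(file_bytes).hexdigest() == IOC_MD5


if __name__ == "__main__":
    for key, name, data in find_persistence(SAMPLE_REG):
        print(f"autostart IOC: [{key}] \"{name}\"={data}")
```

On a real host, produce the input with `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` (and likewise for the other two keys); `reg export` writes UTF-16, so open the file with `encoding="utf-16"` before passing its text to `find_persistence`. The hash check only identifies this exact sample; variants repacked with a different packer will not match, so the value name and file name are the more durable indicators.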
Network Infection
In order to ensure its propagation the malware attempts to connect to other machines as described below.
It drops copies of itself to the following network shares:
• IPC$
• D$
• print$
• c$
• Admin$
• c$\windows\system32
• c$\winnt\system32
• Amin$\system32
It uses the following login information in order to gain access to the remote machine:
– The following list of passwords:
• "zxcv"; "zxc"; "zulu"; "zombie"; "zmodem"; "zimmerman"; "zimmerma";
"ziggy"; "zeitgeis"; "zebra"; "zap"; "yxcv"; "youwontguessme";
"young"; "yosemite"; "yolanda"; "yellowstone"; "yellowst"; "yellow";
"yankee"; "yang"; "yaco"; "xyzzy"; "xyz"; "xxxxxxxxx"; "xxxxxxxx";
"xxxxxxx"; "xxxxxx"; "xxxxx"; "xxxx"; "xxx"; "xray"; "xmodem"; "xmen";
"xman"; "xfer"; "xena"; "wyoming"; "wwwadmin"; "www"; "wwii"; "WRITE";
"wormwood"; "worm"; "work"; "worf"; "wordperf"; "word"; "woodwind";
"wood"; "women"; "wombat"; "woman"; "wolverin"; "wolf"; "wizard";
"within"; "wiseass"; "wisconsin"; "wisconsi"; "wired"; "winxp";
"winston"; "winpass"; "winnt"; "wing"; "wine"; "windozexp";
"windozeME"; "windoze98"; "windoze95"; "windoze2k"; "windoze";
"windowz"; "WindowsXP"; "windowsME"; "windows98"; "windows95";
"windows2k"; "windows"; "windose"; "win98"; "win2k"; "win2000"; "win";
"wilma"; "willie"; "williamsburg"; "williams"; "william"; "will";
"wileecoyote"; "whore"; "wholesale"; "wholesal"; "whitney"; "whiting";
"white"; "whisky"; "whatnot"; "whatever"; "wh0re"; "wh0r3"; "western";
"west"; "werewolf"; "wendy"; "wendi"; "well"; "weenie"; "weed";
"wednesda"; "webpage"; "web"; "wave"; "water"; "watchwor"; "wasp";
"warren"; "warp"; "wargames"; "warfare"; "warez"; "ward"; "waco";
"w00t"; "vodka"; "visualba"; "visual"; "visitor"; "virus"; "virginia";
"virgin"; "village"; "videogam"; "video"; "victor"; "vicky";
"vertigo"; "veronica"; "venus"; "vasant"; "vampire"; "valerie";
"vagina"; "uwontguessme"; "uucp"; "utility"; "util"; "usmc";
"userpassword"; "username"; "usermane"; "user1"; "User"; "USER";
"user"; "usenet"; "ursula"; "urchin"; "uranus"; "upload"; "unlock";
"Unknown"; "unknown"; "unix"; "universi"; "universe"; "universa";
"uniform"; "unicorn"; "unhappy"; "undo"; "uncle"; "umesh"; "ugly";
"tuttle"; "turnip"; "turn"; "tuesday"; "tubas"; "tty"; "truth";
"true"; "tron"; "trombone"; "trojan"; "trivial"; "trisha"; "trek";
"tree"; "trapdoor"; "trap"; "transfer"; "trails"; "tracy"; "tracie";
"traci"; "toyota"; "toxic"; "tortoise"; "topography"; "topograp";
"tomato"; "tokenrin"; "token"; "toggle"; "toad"; "tits"; "tina";
"time"; "tiger"; "tiffany"; "thursday"; "thin"; "theresa"; "thailand";
"text"; "tetris"; "testing"; "testin"; "tester"; "test123"; "Test";
"test"; "TEST"; "tess"; "terminat"; "terminal"; "tera"; "tennis";
"temptation"; "temptati"; "temp123"; "temp"; "TEMP"; "telnet";
"telephone"; "telephon"; "teenage"; "teen"; "technical"; "tech";
"tears"; "teapot"; "team"; "teacher"; "taylor"; "tarragon"; "target";
"tara"; "tape"; "tango"; "tangerine"; "tangerin"; "tammy"; "tamie";
"tami"; "tamara"; "tall"; "talk"; "tabasco"; "SYSTEM"; "system";
"sysop"; "sysadmin"; "sys"; "symmetry"; "sybil"; "sybase"; "sword";
"switch"; "sweat"; "swearer"; "suzie"; "suzanne"; "susie"; "susanne";
"susan"; "surfing"; "surfer"; "supported"; "supporte"; "support";
"supervis"; "superuser"; "superuse"; "superstage"; "supersta";
"superson"; "superman"; "super"; "sunday"; "sun"; "summer"; "sue";
"sucks"; "suckmydi"; "suck"; "success"; "subway"; "subscrib";
"stuttgart"; "stuttgar"; "student1"; "student"; "strip"; "string";
"streetfi"; "stratford"; "stratfor"; "strangle"; "strange"; "stones";
"stoned"; "stoneage"; "steve"; "stereo"; "stephanie"; "stephani";
"steph"; "steel"; "steal"; "steak"; "starwars"; "startup"; "startrek";
"start"; "starship"; "star"; "Standard"; "staff"; "stacy"; "stacie";
"staci"; "stacey"; "sr71"; "squires"; "sqlpass"; "sqlagent"; "sql";
"spunk"; "springer"; "spring"; "spred"; "spit"; "spiderma"; "spider";
"spice"; "spencer"; "spell"; "spear"; "sparrows"; "spaceshi";
"spaceman"; "south"; "source"; "sossina"; "sonya"; "sonic"; "sonia";
"sondra"; "somebody"; "software"; "soft"; "sodomy"; "socrates";
"social"; "soap"; "snoopy"; "snatch"; "snake"; "snafu"; "snach";
"smut"; "smtp"; "smother"; "smooch"; "smiles"; "smile"; "smart";
"small"; "slut"; "slow"; "sliders"; "slick"; "slave"; "skull"; "site";
"single"; "singer"; "simulati"; "simpsons"; "simple"; "simon";
"simcity"; "silver"; "signature"; "signatur"; "sierra"; "siemens";
"sick"; "shuttle"; "short"; "shivers"; "shiva"; "shitpot"; "shit";
"shirley"; "shift"; "sherri"; "shell"; "sheldon"; "sheffield";
"sheffiel"; "sharon"; "sharks"; "shark"; "SHARE"; "sharc"; "shannon";
"sexy"; "sex"; "sesame"; "service"; "SERVER"; "server"; "serial";
"serenity"; "sentry"; "sentinel"; "sensor"; "sega"; "seed";
"security"; "secret"; "search"; "scriptkiddie"; "script"; "scout";
"scotty"; "scott"; "scorpion"; "scifi"; "schoolsucks"; "school";
"scheme"; "scamper"; "saxon"; "saturn"; "saturday"; "satanik";
"satanic"; "satan"; "sarah"; "sara"; "sandy"; "sandra"; "sample";
"samantha"; "sam"; "salt"; "sale"; "salami"; "sal"; "sage"; "safe";
"ruth"; "rush"; "running"; "rules"; "rude"; "ruby"; "ruben"; "rubber";
"RPC"; "rough"; "Ross"; "roses"; "rosemary"; "rosebud"; "rose";
"RoscoPColtrane"; "RoscoP"; "Rosco"; "rooted"; "ROOT"; "root";
"ronald"; "ron"; "romulan"; "romeo"; "romano"; "rolex"; "rodent";
"rockyhor"; "rocky"; "rock"; "rochester"; "rocheste"; "rochelle";
"robyn"; "robotics"; "robot"; "robin"; "robert"; "roach"; "rje";
"risc"; "ripple"; "riot"; "ring"; "rightwin"; "right"; "riffraff";
"rick"; "rich"; "rhino"; "reveal"; "resistan"; "republic"; "report";
"rent"; "reno"; "renee"; "remote"; "release"; "regional"; "referenc";
"redhead"; "reddawn"; "record"; "rebel"; "rebecca"; "rebal"; "reaper";
"ream"; "really"; "reality"; "reagan"; "READ"; "razor"; "rascal";
"rape"; "random"; "raleigh"; "raindrop"; "rainbow"; "rain"; "raid";
"RAGE"; "rachmaninoff"; "rachmani"; "rachelle"; "rachel"; "rabbit";
"r00t"; "qwerty"; "qwert"; "qwer"; "qwe"; "quebec"; "qaz"; "pwd";
"pw123"; "pussy"; "puppet"; "punk"; "punisher"; "puneet"; "pumpkin";
"puke"; "puck"; "public"; "pub"; "psychopa"; "psycho"; "protozoa";
"protect"; "prompt"; "program"; "profile"; "professor"; "professo";
"processo"; "proceed"; "privs"; "private"; "priv"; "printer";
"princeton"; "princeto"; "prince"; "presto"; "prelude"; "precious";
"praise"; "power"; "poster"; "post"; "porsche"; "porno"; "porn";
"pork"; "poor"; "poop"; "pondering"; "ponderin"; "polynomial";
"polynomi"; "polly"; "police"; "poetry"; "plymouth"; "pluto";
"plover"; "playboy"; "plane"; "pizza"; "piss"; "pinname"; "pink";
"pimp"; "pierre"; "pick"; "phuck"; "phreak"; "phrase"; "phrack";
"photon"; "phone"; "phoenix"; "philip"; "phil"; "peter"; "pete";
"pervert"; "persona"; "persimmon"; "persimmo"; "permit"; "perfect";
"percolate"; "percolat"; "pepsi"; "pepper"; "peoria"; "pentium";
"penthous"; "pentagra"; "pentagon"; "penname"; "penis"; "Penis";
"penguin"; "penelope"; "pencil"; "pecker"; "peanuts"; "paula";
"patty"; "patriot"; "patrick"; "patricia"; "pat"; "paste";
"password123"; "password1"; "Password"; "PASSWORD"; "password";
"passwd"; "passphra"; "pass1234"; "pass123"; "pass"; "pascal";
"papers"; "paper"; "papa"; "pamela"; "pam"; "pakistan"; "paint";
"painless"; "pad"; "packer"; "packard"; "pacific"; "oxford"; "Owner";
"OWNER"; "owner"; "owned"; "own"; "owa"; "outside"; "output";
"outlook"; "outlaw"; "outdoors"; "osiris"; "oscar"; "orwell";
"orient"; "orca"; "orange"; "oracle"; "operator"; "opensesa";
"openlock"; "opening"; "open"; "omega"; "olivia"; "olivetti";
"oldage"; "okay"; "office"; "oemuser"; "oeminstall"; "OEM"; "oem";
"ocelot"; "oceanography"; "oceanogr"; "obscurit"; "nyquist"; "nuts";
"nutrition"; "nutritio"; "number"; "null"; "nukem"; "nuke"; "nude";
"nuclear"; "noxious"; "november"; "novel"; "nova"; "noth"; "notes";
"noreen"; "noob"; "none"; "nokia"; "node"; "nobody"; "noble";
"nnaacp"; "nita"; "nintendo"; "Nilez"; "nightmar"; "night";
"nicotine"; "nicole"; "nice"; "next"; "newyork"; "newton"; "newsgrou";
"news"; "newborn"; "new"; "network"; "netscape"; "netfuck";
"netdevil"; "netbios"; "net-devil"; "net"; "ness"; "neptune";
"nepenthe"; "neil"; "navy"; "nasa"; "napoleon"; "nancy"; "name";
"nagel"; "mypc123"; "mypc"; "mypass123"; "mypass"; "mutant";
"muppets"; "msdos"; "mpeg"; "mozart"; "movies"; "movie"; "move";
"mouse"; "mountain"; "mosaic"; "mortgage"; "mortalco"; "mortal";
"morris"; "morley"; "more"; "moose"; "moor"; "moom"; "monica";
"monday"; "moguls"; "mogul"; "modem"; "mode"; "mkii"; "mit";
"mission"; "misfit"; "mirc"; "minsky"; "minimum"; "mine"; "mike";
"midieval"; "microsof"; "micropro"; "microchi"; "micro"; "mickey";
"michelle"; "michele"; "michelan"; "michel"; "michael"; "mice"; "mgr";
"mets"; "metalica"; "metalhea"; "metal"; "merlin"; "mercury"; "menu";
"menace"; "memory"; "member"; "melrose"; "mellon"; "melissa"; "megan";
"megadeth"; "megabyte"; "meagan"; "maurice"; "Matthew"; "Matt";
"math"; "Mat"; "master"; "mass"; "mason"; "mary"; "marvin"; "marty";
"mars"; "marriage"; "marni"; "markus"; "mark"; "marines"; "marijuan";
"marietta"; "mariens"; "maria"; "marcy"; "marci"; "mara"; "manager";
"mana"; "malcom"; "malcolm"; "maint"; "main"; "mail"; "magnet";
"magic"; "maggot"; "macro"; "mack"; "macintosh"; "macintos";
"machine"; "lynne"; "lynn"; "lust"; "luke"; "lude"; "lucy"; "lucus";
"luck"; "lover"; "lovebug"; "love"; "louis"; "loser"; "lorraine";
"lorin"; "lori"; "lore"; "loose"; "lolopc"; "lol"; "lois"; "logout";
"loginwor"; "loginpass"; "Login"; "login"; "logic"; "lockword";
"lockout"; "lock"; "LOCAL"; "load"; "liz"; "live"; "literatu"; "lisp";
"lisa"; "lips"; "lion"; "linux"; "link"; "linda"; "limited";
"limbaugh"; "lima"; "lightsab"; "light"; "life"; "licker"; "lick";
"library"; "liberal"; "lexluthe"; "lewis"; "letmein"; "leslie";
"lesbian"; "leroy"; "leland"; "legal"; "leftwing"; "left"; "leet";
"lee"; "lebesgue"; "leah"; "lazer"; "lazarus"; "lava"; "laura";
"laser"; "larry"; "larkin"; "lara"; "laptop"; "lana"; "lan";
"lamination"; "laminati"; "lambda"; "lakers"; "ladle"; "ladies";
"l33t"; "l337"; "kristy"; "kristine"; "kristin"; "kristie"; "kristi";
"kristen"; "krista"; "known"; "knightma"; "knight"; "knife";
"klingon"; "kitten"; "kissmyas"; "kiss"; "kirkland"; "kirk"; "king";
"kimberly"; "kim"; "kilo"; "killthem"; "killer"; "kill"; "kids";
"kiddie"; "keyword"; "keyin"; "keybord"; "key"; "kewl"; "kevin";
"kerry"; "kerrie"; "kerri"; "kernel"; "kermit"; "keri"; "kelly";
"katrina"; "katina"; "katie"; "kathy"; "kathrine"; "kathleen"; "kate";
"katana"; "karina"; "karie"; "karen"; "kaka"; "jupiter"; "june";
"juliet"; "julie"; "julia"; "juicy"; "juggle"; "judy"; "judith";
"joyce"; "joy"; "journal"; "joshua"; "joseph"; "johnny"; "johndoe";
"john"; "joe"; "jody"; "joanne"; "joan"; "jixian"; "jill"; "jewelry";
"jester"; "jessica"; "jerusale"; "jerry"; "jenny"; "jennifer";
"jenni"; "jen"; "jeff"; "jeanne"; "jean"; "jazz"; "java"; "jasmin";
"japan"; "janie"; "janice"; "janet"; "jane"; "jail"; "jackie"; "isis";
"irule"; "irishman"; "irene"; "Inviter"; "invent"; "intranet";
"internet"; "Internet"; "integer"; "inside"; "input"; "innocuous";
"innocuou"; "inna"; "ingrid"; "ingress"; "ingres"; "indians";
"indiana"; "indian"; "india"; "include"; "imperial"; "immortal";
"imbroglio"; "imbrogli"; "image"; "illumina"; "ihavenopass";
"icecream"; "ibm"; "ian"; "hypertxt"; "hyper"; "hydrogen"; "hutchins";
"hunter"; "hunt"; "http"; "hotel"; "hotdog"; "host"; "horus"; "horse";
"horror"; "horrible"; "horny"; "hooters"; "hooker"; "honey";
"homework"; "homeuser"; "homer"; "homepage"; "home"; "hollywoo";
"holly"; "hole"; "hits"; "hitler"; "highland"; "high"; "hidden";
"hibernia"; "hiawatha"; "hexadeci"; "hewlett"; "heroin"; "hero";
"herbert"; "herb"; "help"; "hello"; "hell"; "heinlein"; "heidi";
"hebrides"; "heaven"; "heather"; "heathen"; "heat"; "headoffice";
"headbang"; "head"; "haxing"; "hax0r"; "hax"; "hawaii"; "haven";
"hate"; "harvey"; "harold"; "harmony"; "harddriv"; "hardcore"; "hard";
"happening"; "happenin"; "handjob"; "handily"; "handel"; "hamster";
"hamlet"; "hallowee"; "hal"; "hair"; "hagar"; "hacker"; "hacked";
"hack"; "h4x1ng"; "h4x0ring"; "h4x0r1ng"; "guntis"; "gumption";
"guitar"; "Guest"; "GUEST"; "guest"; "guessme"; "guess"; "gucci";
"guardian"; "gryphon"; "group"; "green"; "great"; "grant"; "grand";
"grahm"; "graham"; "grades"; "govermen"; "gouge"; "gosling"; "gorges";
"gorgeous"; "good"; "golfer"; "golf"; "golden"; "gold"; "godblessyou";
"god"; "gobo"; "gnu"; "glen"; "glacier"; "girl"; "ginger"; "gina";
"gigabyte"; "gibson"; "ghost"; "gertrude"; "germ"; "george"; "gauss";
"gatt"; "gatherin"; "gateway"; "Gast"; "garfield"; "gardner"; "games";
"gabriel"; "fungible"; "function"; "fun"; "FULL"; "fudge"; "fuckyou";
"fuckme"; "fucking"; "fucker"; "fucked"; "fuck"; "fubar"; "fryguy";
"frog"; "frighten"; "friends"; "friend"; "friday"; "french";
"freedom"; "free"; "freddy"; "fred"; "freak"; "frank"; "france";
"foxtrot"; "fourier"; "forsythe"; "fornicat"; "format"; "form";
"forever"; "foresight"; "foresigh"; "ford"; "force"; "football";
"foolproof"; "foolproo"; "fool"; "food"; "foobar"; "flowers";
"flower"; "florida"; "float"; "flakes"; "fishers"; "fish"; "firewall";
"fire"; "finite"; "FILES"; "file"; "fight"; "field"; "fidelity";
"ferrari"; "fermat"; "fender"; "felicia"; "feds"; "fear"; "fast";
"fart"; "faraday"; "farad"; "family"; "false"; "falcon"; "faith";
"fairway"; "extension"; "extensio"; "explosiv"; "explorer"; "explore";
"explode"; "expert"; "exchnge"; "exchange"; "evelyn"; "euclid";
"eternity"; "estate"; "establish"; "establis"; "ersatz"; "erotic";
"erin"; "erika"; "erica"; "eric"; "erenity"; "enzyme"; "enterprise";
"enterpri"; "enter"; "english"; "england"; "engineer"; "engine";
"enemy"; "enable"; "emmanuel"; "emily"; "emerald"; "email"; "ellen";
"elizabeth"; "elizabet"; "elephant"; "electron"; "elanor"; "elaine";
"einstein"; "einsiein"; "eileen"; "eiderdown"; "eiderdow"; "egghead";
"edwina"; "edwin"; "education"; "educatio"; "edu"; "edition"; "edit";
"edinburgh"; "edinburg"; "edges"; "eddie"; "echo"; "eatme"; "easy";
"easier"; "earth"; "eagle"; "eager"; "dyke"; "dungeon"; "duncan";
"dulce"; "duke"; "duelist"; "dudette"; "dude"; "dud3"; "duck";
"drought"; "drive"; "drdoom"; "dragon"; "download"; "dos"; "dope";
"doors"; "door"; "doonesbu"; "doomsday"; "doomii"; "doom2"; "doom";
"dong"; "donaldduck"; "domainpassword"; "domainpass"; "domain";
"dollar"; "dog"; "doctor"; "display"; "disney"; "diskette"; "disk";
"discovery"; "discover"; "disclose"; "discipli"; "disc"; "dirty";
"director"; "direct"; "dipshit"; "dinosaur"; "digital"; "dieter";
"diet"; "diehard"; "dick"; "dice"; "diane"; "diana"; "diamond";
"dial"; "devil"; "device"; "develop"; "desperate"; "desperat";
"desktop"; "desk"; "desiree"; "dennis"; "denise"; "democrat"; "demo";
"DEMO"; "deluge"; "delta"; "Dell"; "dell"; "defoe"; "Default";
"DEFAULT"; "default"; "deck"; "december"; "debug"; "deborah";
"debbie"; "deb"; "deathsta"; "death"; "dead"; "dbpassword"; "dbpass";
"db1234"; "db1"; "dawn"; "dave"; "databasepassword"; "databasepass";
"database"; "data"; "darkaven"; "dark"; "dapper"; "danny"; "danielle";
"daniel"; "dancer"; "dana"; "daisy"; "daemon"; "d00d"; "cynthia";
"cyberspa"; "cyberpun"; "cyber"; "customer"; "cunt"; "ctx"; "cshrc";
"crystal"; "cristina"; "criminal"; "crime"; "cretin"; "creosote";
"credit"; "creature"; "creation"; "create"; "cream"; "crash";
"crackpot"; "crack"; "cowboy"; "couscous"; "country"; "counters";
"correct"; "cornelius"; "corneliu"; "copy"; "cops"; "copper";
"cooper"; "cool"; "cookie"; "cookbook"; "cook"; "control"; "continue";
"console"; "conserva"; "connie"; "connect"; "condom"; "condo";
"comrades"; "comrade"; "computin"; "computer"; "compaq"; "company";
"commrades"; "commrade"; "commit"; "comics"; "combat"; "color";
"collins"; "cold"; "cola"; "coke"; "coin"; "coffee"; "codeword";
"codename"; "code"; "cock"; "cocainco"; "cocacola"; "coast";
"clusters"; "cluster"; "clinton"; "cleavage"; "claymore"; "claudia";
"classic"; "classes"; "class"; "cisco"; "cindy"; "cigarett"; "cigar";
"CHT"; "christy"; "christine"; "christina"; "christin"; "chris";
"chip"; "chester"; "chess"; "chemistry"; "chemistr"; "chem"; "CHECK";
"chat"; "charon"; "charming"; "charlie"; "charles"; "charity";
"Changeme"; "changeme"; "change"; "cerulean"; "celtics"; "celtic";
"celt"; "cecily"; "cayuga"; "cave"; "cathy"; "catholic"; "catherine";
"catherin"; "cat"; "castle"; "cash"; "cascades"; "carson"; "carrie";
"caroline"; "carolina"; "carole"; "carol"; "carmen"; "carla"; "caren";
"cardinal"; "card"; "capture"; "captain"; "capitol"; "cantor";
"candy"; "candi"; "camping"; "campanile"; "campanil"; "camille";
"californ"; "cad"; "butthead"; "butt"; "butch"; "burn"; "burgess";
"bung"; "bumbling"; "bullshit"; "bulls"; "bsd"; "brutefor"; "brute";
"brunette"; "bruce"; "brothel"; "broadway"; "bridget"; "brian";
"brenda"; "breast"; "break"; "bravo"; "brandy"; "brandi"; "bradley";
"boyscout"; "BOTH"; "born"; "book"; "boobs"; "boob"; "boner"; "bomb";
"bob"; "board"; "blues"; "blue"; "blowjob"; "blow"; "bloodaxe";
"blood"; "blondie"; "blonde"; "blank"; "black"; "bla"; "bitnet";
"bitmap"; "bitch"; "bishop"; "bird"; "bios"; "binary"; "billy";
"bill"; "bigfoot"; "bicameral"; "bicamera"; "bible"; "beverly";
"betty"; "betsie"; "beth"; "beta"; "beryl"; "berliner"; "berlin";
"berkeley"; "beowulf"; "benz"; "beloved"; "bell"; "behead"; "begin";
"beethoven"; "beethove"; "becky"; "beaver"; "beauty"; "beater";
"beast"; "bear"; "beammeup"; "beach"; "batman"; "batch"; "bassoon";
"bass"; "basic"; "baseball"; "bartman"; "bart"; "baritone"; "barf";
"bare"; "barber"; "barbara"; "banks"; "bank"; "bandit"; "bananas";
"banana"; "ball"; "bailey"; "badass"; "backup"; "BACKUP"; "backdoor";
"bacchus"; "baby"; "babe"; "azure"; "aztecs"; "authoriz"; "attack";
"atom"; "atmosphere"; "atmosphe"; "athena"; "asshole"; "asm"; "asian";
"asdfgh"; "asdf"; "asd"; "artist"; "arthur"; "arrow"; "army";
"arlene"; "ariadne"; "aria"; "april"; "apollo13"; "anything";
"anvils"; "anthropogenic"; "anthropo"; "anthrax"; "answer";
"anonymou"; "anon"; "annette"; "anne"; "anna"; "ann"; "anita";
"animals"; "animal"; "angie"; "angerine"; "angela"; "anfo"; "andy";
"andromache"; "andromac"; "android"; "andrea"; "anchor"; "anarchy";
"anarchis"; "analog"; "anal"; "amy"; "amorphous"; "amorphou";
"america"; "amber"; "amanda"; "amadeus"; "ama"; "alphabet"; "alpha";
"allow"; "allison"; "alison"; "alisa"; "alicia"; "alice"; "aliases";
"alias"; "algebra"; "alf"; "Alexander"; "alexande"; "Alex"; "alex";
"alert"; "albert"; "albatross"; "albatros"; "albany"; "alaska";
"Al3x"; "airplane"; "aids"; "afro"; "aerobics"; "adult"; "adrianna";
"adrian"; "Administrator"; "ADMINISTRATOR"; "administrator";
"Administrateur"; "Administrador"; "admin123"; "Admin"; "ADMIN";
"admin"; "adm"; "adam"; "ada"; "action"; "accounts"; "accounting";
"account"; "access"; "ACCESS"; "accept"; "academic"; "academia";
"abcd"; "abc123"; "abc"; "aaa"; "88888888"; "654321"; "54321"; "2600";
"2003"; "2002"; "123qwe"; "123asd"; "123abc"; "1234qwer"; "123467890";
"12346789"; "1234678"; "123467"; "12346"; "123456789"; "12345678";
"1234567"; "123456"; "12345"; "1234"; "123123"; "123"; "121212";
"121"; "11111111"; "111111"; "111"; "110"; "0wned"; "0wn3d"; "007";
"00000000"; "000000"; "00000"; "0000"; "000"; "!@#$%^&*"; "!@#$%^&";
"!@#$%^"; "!@#$%"; "!@#$"
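The share-spraying described above leaves a characteristic trail on the target: a burst of failed network logons (logon type 3) from one source against a handful of account names such as Administrator, admin and Guest. The following detector is an added example and not part of the Avira description; it runs a sliding window over failed-logon records and reports the sources that exceed a threshold. The event records are constructed for the example (field names are this example's own, not a Windows export format); on the NT/2000/XP family this worm targets the failed-logon event is ID 529, on Vista and later it is 4625.

```python
from collections import defaultdict, deque

# Failed-logon event IDs: 529 on NT/2000/XP, 4625 on Vista and later.
FAILED_LOGON_IDS = {529, 4625}
NETWORK_LOGON = 3  # logon type 3 = network, i.e. SMB share access

# Constructed records for the example: one source spraying four account names
# every two seconds, one user mistyping twice an hour apart, one successful logon (528).
SAMPLE_EVENTS = [
    {"time": 1000 + i * 2, "event_id": 529, "logon_type": 3,
     "source_ip": "192.0.2.10", "user": ["Administrator", "admin", "Guest", "owner"][i % 4]}
    for i in range(12)
] + [
    {"time": 1005, "event_id": 529, "logon_type": 3, "source_ip": "192.0.2.20", "user": "alice"},
    {"time": 4600, "event_id": 529, "logon_type": 3, "source_ip": "192.0.2.20", "user": "alice"},
    {"time": 1010, "event_id": 528, "logon_type": 3, "source_ip": "192.0.2.30", "user": "bob"},
]


def find_share_bruteforce(events, threshold=10, window=60):
    """Return {source_ip: (total_failures, sorted user names)} for every source that
    produced at least `threshold` failed network logons inside some `window` seconds."""
    recent = defaultdict(deque)   # source -> timestamps still inside the window
    total = defaultdict(int)
    users = defaultdict(set)
    flagged = set()
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] not in FAILED_LOGON_IDS or ev["logon_type"] != NETWORK_LOGON:
            continue
        src = ev["source_ip"]
        total[src] += 1
        users[src].add(ev["user"])
        q = recent[src]
        q.append(ev["time"])
        while q and ev["time"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(src)
    return {src: (total[src], sorted(users[src])) for src in flagged}


if __name__ == "__main__":
    for src, (count, names) in find_share_bruteforce(SAMPLE_EVENTS).items():
        print(f"{src}: {count} failed network logons against {', '.join(names)}")
```

The threshold and window are deliberately conservative; a real deployment tunes them to the environment and adds a successful logon following the burst (event 528/4624 from the same source) as the escalation condition, since that is the moment a weak password from the list above has been found.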
Exploit:
It makes use of the following Exploit:
– MS04-011 (LSASS vulnerability)
IRC
To deliver system information and to provide remote control it connects to the following IRC Server:
Server: 82.33.136.**********
Port: 6667
Channel: #temple
Nickname: [WTF]-[IZIT]%random character string%
Password: boss
– This malware has the ability to collect and send information such as:
• CPU speed
• Free disk space
• Free memory
• Malware uptime
• Platform ID
– Furthermore it has the ability to perform actions such as:
• connect to IRC server
• Launch DDoS SYN flood
• Disable network shares
• Download file
• Execute file
• Join IRC channel
• Leave IRC channel
• Perform port redirection
• Send emails
• Terminate malware
• Upload file
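The IRC handshake above (server password, fixed nickname prefix, channel join) is easy to match on the wire. The following parser and matcher are an added example and not part of the Avira description: it splits client-to-server IRC lines per RFC 1459 and reports which of the documented C2 indicators appear. The session lines are constructed for the example; the random nickname suffix and the PRIVMSG body are this example's own choices.

```python
import re

# Indicators from the description above: server password, nick prefix and channel.
C2_CHANNEL = "#temple"
C2_PASSWORD = "boss"
C2_NICK_RE = re.compile(r"^\[WTF\]-\[IZIT\]")

# Constructed client-to-server lines of an IRC session (not a real capture).
SAMPLE_SESSION = [
    "PASS boss",
    "NICK [WTF]-[IZIT]x7gq2",
    "USER x7gq2 0 * :x7gq2",
    "JOIN #temple",
    "PRIVMSG #temple :[SYSINFO] cpu: 1800MHz ram: 120MB free uptime: 0d 0h 3m",
    "PING :irc.example",
]


def parse_irc_line(line):
    """Split an IRC line into (prefix, command, params) per RFC 1459."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    params = head.split()
    if sep:
        params.append(trailing)       # trailing parameter may contain spaces
    if not params:
        return prefix, "", []
    return prefix, params[0].upper(), params[1:]


def scan_session(lines):
    """Return (indicator, line) pairs for every line matching the documented C2 behaviour."""
    alerts = []
    for line in lines:
        _, cmd, params = parse_irc_line(line)
        if cmd == "PASS" and params and params[0] == C2_PASSWORD:
            alerts.append(("c2_server_password", line))
        elif cmd == "NICK" and params and C2_NICK_RE.match(params[0]):
            alerts.append(("c2_nick_pattern", line))
        elif cmd == "JOIN" and params and C2_CHANNEL in params[0].lower().split(","):
            alerts.append(("c2_channel_join", line))
    return alerts


if __name__ == "__main__":
    for indicator, line in scan_session(SAMPLE_SESSION):
        print(f"{indicator}: {line}")
```

Any one of the three indicators on a connection to TCP port 6667 is worth an alert; all three together on the same connection identify this bot with high confidence. The nickname prefix is the most specific of the three, since "boss" and "#temple" are short enough to collide with legitimate traffic.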
Backdoor
The following port is opened:
– %SYSDIR%\NAVARSVC.exe on TCP port 113
Stealing
It tries to steal the following information:
– The following CD keys:
• Project IGI 2
• Command & Conquer Generals
• FIFA 2003
• Need For Speed: Hot Pursuit 2
• Soldier Of Fortune 2
• NeverWinter Nights
• Rainbow Six III RavenShield
• Battlefield 1942
• Counter-Strike
• Unreal Tournament 2003
• Half-Life
Miscellaneous
Mutex:
It creates the following Mutex:
• itunesv1.3
File details
Programming language:
The malware program was written in MS Visual C++.
Runtime packer:
In order to hinder detection and reduce the file size it is packed with the following runtime packers:
• Morphine
• UPX
Description inserted by Sergiu Oprea on Fri, 19 Aug 2005 10:31 (GMT+1)
Description updated by Sergiu Oprea on Tue, 30 Aug 2005 12:35 (GMT+1)