Worm/Sdbot.80896 - Worm

See also

Summary

Full description

Statistics

Virus:	Worm/Sdbot.80896
Date discovered:	26/08/2005
Type:	Worm
In the wild:	No
Reported Infections:	Low
Distribution Potential:	Medium
Damage Potential:	Medium
Static file:	Yes
File size:	80.896 Bytes
MD5 checksum:	8e3d9a00158895be246046568332045a
VDF version:	6.31.1.158

General Method of propagation:
   • Local network

Aliases:
   • Symantec: W32.Spybot.Worm
   • Kaspersky: Trojan.Win32.Crypt.d
   • TrendMicro: WORM_SDBOT.CBS
   • VirusBuster: Worm.SdBot.BEH
   • Eset: Win32/Rbot

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows 2000
   • Windows XP

Side effects:
   • Lowers security settings
   • Registry modification
   • Makes use of software vulnerability
   • Steals information
   • Third party control

Registry The following registry keys are added in order to run the processes after reboot:

– HKLM\Software\Microsoft\Windows\CurrentVersion\Run
   • "li start up"="%executed file%"

– HKCU\Software\Microsoft\Windows\CurrentVersion\Run
   • "li start up"="%executed file%"

The following registry keys are added in order to load the services after reboot:

– HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
   • "li start up"="%executed file%"

– HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
   • "li start up"="%executed file%

The following registry keys are added:

– HKLM\Software\Microsoft\OLE
   • "li start up"="%executed file%"

– HKLM\SYSTEM\CurrentControlSet\Control\Lsa
   • "li start up"="%executed file%"

– HKCU\Software\Microsoft\OLE
   • "li start up"="%executed file%"

– HKCU\SYSTEM\CurrentControlSet\Control\Lsa
   • "li start up"="%executed file%"

The following registry key is changed:

– HKLM\Software\Microsoft\OLE
   Old value:
   • "EnableDCOM"="%user defined settings%"
   New value:
   • "EnableDCOM"="Y"

Network Infection In order to ensure its propagation the malware attemps to connect to other machines as described below.

It drops copies of itself to the following network shares:
   • "ipc$"
   • "print$"
   • "admin$"
   • "Admin$"

It uses the following login information in order to gain access to the remote machine:

–Cached usernames and passwords.

– The following list of usernames:
   • Admin; Administrador; administrador; administrat; Administrateur;
      Administrator; Coordinatore; Guest; main; master; owner; root; server;
      student; supervisor; system; teacher; user; windows

– The following list of passwords:
   • 7; 123; 777; 2600; abc; access; computer; Login; oem; oeminstall;
      OWNER; pass; password; pwd; qwerty; superuser; win2000; win2k; winnt;
      winxp; xxx

Exploit:
It makes use of the following Exploit:
– MS04-011 (LSASS Vulnerability)

IP address generation:
It creates random IP addresses while it keeps the first two octets from its own address. Afterwards it tries to establish a connection with the created addresses.

Infection process:
Creates an FTP script on the compromised machine in order to download the malware to the remote location.

Slow down:
– Depending on your bandwidth you might notice a fall in your network speed. As the network activity for this malware is medium you might not take notice of this if you have a broadband connection.
– You might also notice a slow down due to the multiple network threads created.

IRC To deliver system information and to provide remote control it connects to the following IRC Server:

Server: 83.133.125.**********
Port: 24300
Channel: #fftp
Nickname: [XP]|%random characters%
Password: abcnet

– This malware has the ability to collect and send information such as:
    • CPU speed
    • Current user
    • Free disk space
    • Free memory
    • Malware uptime
    • Information about the network
    • Information about running processes
    • Size of memory
    • System directory
    • Username

– Furthermore it has the ability to perform actions such as:
    • connect to IRC server
    • disconnect from IRC server
    • Download file
    • Edit registry
    • Enable DCOM
    • Execute file
    • Join IRC channel
    • Kill process
    • Open remote shell
    • Perform DDoS attack
    • Perform network scan
    • Shut down system
    • Start spreading routine
    • Terminate process
    • Updates itself

Hosts The host file is modified as explained:

– In this case existing entries are deleted.

– Access to the following domains are redirected to other destinations:
   • avp.com; ca.com; customer.symantec.com; dispatch.mcafee.com;
      download.mcafee.com; f-secure.com; kaspersky.com; kaspersky-labs.com;
      liveupdate.symantec.com; liveupdate.symantecliveupdate.com;
      mast.mcafee.com; mcafee.com; my-etrust.com; nai.com;
      networkassociates.com; rads.mcafee.com; secure.nai.com;
      securityresponse.symantec.com; sophos.com; symantec.com;
      trendmicro.com; update.symantec.com; updates.symantec.com;
      us.mcafee.com; viruslist.com; www.avp.com; www.ca.com;
      www.f-secure.com; www.grisoft.com; www.jayloden.com;
      www.kaspersky.com; www.mcafee.com; www.my-etrust.com; www.nai.com;
      www.networkassociates.com; www.sophos.com; www.symantec.com;
      www.trendmicro.com; www.viruslist.com

File details Programming language:
The malware program was written in MS Visual C++.

See a brief description here.

Description inserted by Irina Boldea on Fri, 26 Aug 2005 18:43 (GMT+1)
Description updated by Irina Boldea on Tue, 30 Aug 2005 17:02 (GMT+1)

» About Malware
» About Phishing
» Viruses In the Wild

« back