English
Deutsch
Francais
Español
Italian
Home
Virus Info
Worm/SdBot.86236
Search
Home
Support
Solutions
Products
Downloads
Virus Info
Statistics
Phishing Worldmap
VDF History
Virus Science
Submit Sample
Security News
Viruses In the Wild
Company
Press
Partners
Newsletter
Worm/SdBot.86236 - Worm
See also
Summary
Full description
Statistics
How would you rate this information?
Worthless
Excellent
Virus:
Worm/SdBot.86236
Date discovered:
05/09/2005
Type:
Worm
In the wild:
No
Reported Infections:
Low
Distribution Potential:
Medium
Damage Potential:
Medium
Static file:
Yes
File size:
86.236 Bytes
MD5 checksum:
47ebaf7935e8986394abc64a295221a8
VDF version:
6.31.1.210
General
Method of propagation:
• Local network
Aliases:
• Symantec: W32.Spybot.Worm
• TrendMicro: BKDR_SDBOT.MY
Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Registry modification
• Third party control
Files
It copies itself to the following location:
•
%SYSDIR%
\WinV.exe
It deletes the initially executed copy of itself.
Registry
The following registry keys are added in order to run the processes after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "Windows Update 64"="WinV.exe"
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
• Windows Update 64"="WinV.exe"
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
• Windows Update 64"="WinV.exe"
– [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
• Windows Update 64"="WinV.exe"
The following registry keys are added in order to load the service after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
• Windows Update 64"="WinV.exe"
Network Infection
In order to ensure its propagation the malware attemps to connect to other machines as described below.
Exploit:
It makes use of the following Exploit:
–
MS04-007
(ASN.1 Vulnerability)
–
MS04-011
(LSASS Vulnerability)
Infection process:
Creates an FTP script on the compromised machine in order to download the malware to the remote location.
IRC
To deliver system information and to provide remote control it connects to the following IRC Servers:
Server: **********.afraid.org
Port: 6667
Channel: #pwn
Nickname: GoeRoe-
%seven-digit random character string%
Password: pwn
Server: **********.dutchirc.nl
Port: 6667
Channel: #pwn
Nickname: GoeRoe-
%seven-digit random character string%
Password: pwn
– This malware has the ability to collect and send information such as:
• Collected Email addresses
• CPU speed
• Free disk space
• Free memory
• Malware uptime
• Information about running processes
• Size of memory
– Furthermore it has the ability to perform actions such as:
• Launch DDoS ICMP flood
• Launch DDoS SYN flood
• Launch DDoS TCP flood
• Launch DDoS UDP flood
• Disable network shares
• Download file
• Edit registry
• Execute file
• Join IRC channel
• Kill process
• Perform DDoS attack
• Perform network scan
• Perform port redirection
• Register a service
• Restart system
• Send emails
• Shut down system
• Updates itself
• Upload file
• Visit a website
Stealing
It tries to steal the following information:
– Windows Product ID
– The following CD keys:
• Unreal Tournament 2004; Unreal Tournament 2003; Soldier Of Fortune 2;
Soldiers Of Anarchy; Shogun: Total War: Warlord Edition; Ravenshield;
Neverwinter Nights; Need For Speed: Underground; Need For Speed: Hot
Pursuit 2; NHL 2003; NHL 2002; Nascar Racing 2003; Nascar Racing 2002;
Medal of Honor: Allied Assault: Spearhead; Medal of Honor: Allied
Assault: Breakthrough; Medal of Honor: Allied Assault; James Bond 007:
Nightfire; Industry Giant 2; IGI2: Covert Strike; Hidden and Dangerous
2; Half-Life; Gunman Chronicles; Global Operations; Freedom Force;
FIFA 2003; FIFA 2002; Counter-Strike; Command and Conquer: Tiberian
Sun; Command and Conquer: Red Alert2; Command and Conquer: Generals:
Zero Hour; Command and Conquer: Generals; Black and White; Battlefield
1942: Vietnam; Battlefield 1942: The Road To Rome; Battlefield 1942:
Secret Weapons Of WWII; Battlefield 1942
– Passwords from the following programs:
• Yahoo Messenger
• AIM
• MSN Messenger
– A logging routine is started after the following website is visited, which contains one of the following substrings in the URL:
• paypal.com
• paypal
– It captures:
• Login information
See a brief description
here
.
Description inserted by Razvan Olteanu on Mon, 12 Sep 2005 11:05 (GMT+1)
Description updated by Razvan Olteanu on Wed, 14 Sep 2005 10:36 (GMT+1)
»
About Malware
»
About Phishing
»
Viruses In the Wild
« back
Print this page
Worm/Bagle.FJ
W32/Elkern.C
TR/Crypt.CFI.Gen
Worm/Mytob.U
Worm/Mytob.CR
DR/Mirar.AJ
EXP/Flash.1275
CC/00233
HEUR-DBLEXT/Crypted
HIDDENEXT/Crypted
Get comfortable up to the minute info from Avira as
Detects and removes the following malware and its variants:
Worm/Sober.J
Worm/Sober.P
Worm/Sober.Y
W32/Stanit.A
Worm/NetSky.AA
Worm/NetSky.B.1
Worm/NetSky.C
Worm/Netsky.D.Dam
Worm/NetSky.P
Worm/NetSky.X
Worm/Mytob.IN.2
Worm/Mytob.KS
TR/Spy.Banker.AATZ
TR/Spy.Banker.AATZ.1
TR/Spy.Banker.AATZ.2
TR/Spy.Banker.AATZ.3
Download here
Click
here
to get the panel...
© 2008 Avira GmbH
Copyright
Privacy
Sitemap
Feedback
Imprint
FAQ
Contact
Virus Info Worm/SdBot.86236
Print this page
.gif)
