Worm/SdBot.abf.4 - Worm

See also

Summary

Full description

Statistics

Virus:	Worm/SdBot.abf.4
Date discovered:	12/09/2005
Type:	Worm
In the wild:	No
Reported Infections:	Low
Distribution Potential:	Medium
Damage Potential:	Medium
Static file:	Yes
File size:	36.747 Bytes
MD5 checksum:	e07040eb929d55f766a27501a96524a1
VDF version:	6.32.0.7

General Method of propagation:
   • Local network

Alias:
   • VirusBuster: Worm.SdBot.BGQ

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Drops a malicious file
   • Registry modification
   • Makes use of software vulnerability
   • Steals information
   • Third party control

Files It copies itself to the following location:
• %SYSDIR%\T%five-digit random character string%.exe

Registry The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "Jxmnefer"="%SYSDIR%\T%five-digit random character string%.exe"

Network Infection In order to ensure its propagation the malware attemps to connect to other machines as described below.

It drops copies of itself to the following network shares:
   • ADMIN$\system32\
   • C$\winnt\system32\
   • IPC$\
   • C$\shared\
   • C$\
   • C$\Documents and Settings\All Users\Documents\
   • C$\windows\system32\

It uses the following login information in order to gain access to the remote machine:

– The following list of usernames:
   • "administrator"
   • "administrateur"
   • "administrador"
   • "admin"

– The following list of passwords:
   • "passwd"; "pass"; "pwd"; "pass1234"; "zxc123"; "qweasd"; "qazwsx";
      "qwe123"; "123qwe"; "123qaz"; "zxcvbnm"; "qweasdzxc"; "666"; "ctx";
      "nokia"; "lan"; "internet"; "freddy"; "glen"; "turnip"; "afro";
      "user1"; "student"; "student1"; "teacher"; "staff"; "intranet";
      "bill"; "fred"; "freddy"; "glen"; "billgates"; "billgate"; "fuckyou";
      "motdepass"; "zaq123"; "zaqxsw"; "123qwe123"; "201"; "202"; "203";
      "204"; "205"; "206"; "207"; "209"; "210"; "211"; "212"; "213"; "214";
      "216"; "217"; "218"; "219"; "220"; "221"; "222"

Exploit:
It makes use of the following Exploit:
– MS04-011 (LSASS Vulnerability)

IP address generation:
It creates random IP addresses and tries to establish a connection with them.

IRC To deliver system information and to provide remote control it connects to the following IRC Server:

Server: get.**********.info
Port: 5540
Channel: #ven
Nickname: T%five-digit random character string%

– Furthermore it has the ability to perform actions such as:
    • connect to IRC server
    • disconnect from IRC server
    • Join IRC channel
    • Leave IRC channel
    • Perform network scan
    • Start spreading routine

Stealing It tries to steal the following information:

– The following CD key:
• Battlefield 2

File details Programming language:
The malware program was written in MS Visual C++.
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
• MEW 11

See a brief description here.

Description inserted by Catalin Jora on Mon, 12 Sep 2005 16:10 (GMT+1)
Description updated by Catalin Jora on Wed, 14 Sep 2005 12:38 (GMT+1)

» About Malware
» About Phishing
» Viruses In the Wild

« back