Need help? Ask the community or hire an expert.
Go to Avira Answers
Virus:Worm/SdBot.571392.1
Date discovered:20/02/2008
Type:Worm
In the wild:Yes
Reported Infections:Low
Distribution Potential:Medium to high
Damage Potential:Medium
Static file:Yes
File size:571.392 Bytes
MD5 checksum:672ebe523a7ebd0A884b5cb7d7dd3888
IVDF version:7.00.02.168 - Wednesday, February 20, 2008

 General Methods of propagation:
   • Local network
   • Peer to Peer


Aliases:
   •  Mcafee: W32/Sdbot.worm
   •  Kaspersky: Backdoor.Win32.SdBot.cqd
   •  F-Secure: Backdoor.Win32.SdBot.cqd
   •  Sophos: W32/Sdbot-DKD
   •  Grisoft: IRC/BackDoor.SdBot3.YIN
   •  Eset: IRC/SdBot
   •  Bitdefender: Backdoor.SDBot.DFPJ


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Disable security applications
   • Lowers security settings
   • Registry modification
   • Makes use of software vulnerability
   • Steals information
   • Third party control

 Files It copies itself to the following location:
   • %WINDIR%\svchost.exe



It deletes the initially executed copy of itself.

 Registry The following registry keys are added in order to load the service after reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\
   Generic Host Process for Win-32 Service]
   • Type = 110
   • Start = 2
   • ErrorControl = 0
   • ImagePath = %WINDIR%\svchost.exe
   • DisplayName = Generic Host Process for Win-32 Service
   • ObjectName = LocalSystem
   • FailureActions = %hex values%
   • Description = Generic Host Process for Win-32 Service

– [HKLM\SYSTEM\CurrentControlSet\Services\
   Generic Host Process for Win-32 Service\Security]
   • Security = %hex values%



The following registry keys are changed:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions]
   New value:
   • %random character string% = %executed file%

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
   Old value:
   • shell = explorer.exe
   New value:
   • shell = explorer.exe %WINDIR%\svchost.exe

– [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
   New value:
   • sfcdisable = 1113997
   • sfcscan = 0

– [HKLM\Software\Microsoft\Security Center]
   New value:
   • antivirusdisablenotify = 1
   • antivirusoverride = 1
   • firewalldisablenotify = 1
   • firewalloverride = 1
   • updatesdisablenotify = 1

– [HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate]
   New value:
   • donotallowxpsp2 = 1

– [HKLM\Software\Symantec\LiveUpdate Admin]
   New value:
   • enterprise security manager = 1
   • ghost = 1
   • intruder alert = 1
   • liveadvisor = 1
   • liveupdate = 1
   • netrecon = 1
   • norton antivirus product updates = 1
   • norton antivirus virus definitions = 1
   • norton cleansweep = 1
   • norton commander = 1
   • norton internet security = 1
   • norton Systemworks = 1
   • norton utilities = 1
   • pc handyman and healthypc = 1
   • pcanywhere = 1
   • rescue disk = 1
   • symantec desktop firewall = 1
   • symantec gateway security ids = 1
   • symevent = 1

– [HKLM\System\CurrentControlSet\Services\wscsvc]
   New value:
   • start = 4

– [HKLM\Software\Microsoft\OLE]
   New value:
   • enabledcom = 78

– [HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\
   Auto Update]
   New value:
   • auoptions = 1

– [HKLM\System\CurrentControlSet\Control\ServiceCurrent]
   New value:
   • @ = 9

– [HKLM\System\CurrentControlSet\Control]
   New value:
   • waittokillservicetimeout = 7000

– [HKLM\System\CurrentControlSet\Control\LSA]
   New value:
   • restrictanonymous = 1

– [HKLM\System\CurrentControlSet\Services\LanManServer\Parameters]
   New value:
   • autoshareserver = 0
   • autosharewks = 0

– [HKLM\System\CurrentControlSet\Services\LanManWorkstation\
   Parameters]
   New value:
   • autoshareserver = 0
   • autosharewks = 0

– [HKLM\System\CurrentControlSet\Services\Messenger]
   New value:
   • start = 4

– [HKLM\System\CurrentControlSet\Services\RemoteRegistry]
   New value:
   • start = 4

– [HKLM\System\CurrentControlSet\Services\tlntsvr]
   New value:
   • start = 4

Deactivate Windows Firewall:
– [HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile]
   New value:
   • enablefirewall = 0

– [HKLM\Software\Policies\Microsoft\WindowsFirewall\StandardProfile]
   New value:
   • enablefirewall = 0

Disable Regedit and Task Manager:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
   New value:
   • disableregistrytools = 1
   • disabletaskmgr = 1

 P2P In order to infect other systems in the Peer to Peer network community the following action is performed:  


   It retrieves the shared folder by querying the following registry key:
   • SOFTWARE\Kazaa\LocalContent\DownloadDir


 Network Infection In order to ensure its propagation the malware attemps to connect to other machines as described below.


Exploit:
– MS02-061 (Elevation of Privilege in SQL Server Web)
– MS04-007 (ASN.1 Vulnerability)
– MS06-040 (Vulnerability in Server Service)


Infection process:
Creates an FTP script on the compromised machine in order to download the malware to the remote location.

 IRC To deliver system information and to provide remote control it connects to the following IRC Server:

Server: www.worldcasino.to
Port: 80
Nickname: [P00|USA|%number%]



– This malware has the ability to collect and send information such as:
    • Cached passwords
    • CPU speed
    • Current user
    • Details about drivers
    • Free disk space
    • Free memory
    • Malware uptime
    • Information about running processes
    • Size of memory
    • Username
    • Information about the Windows operating system


– Furthermore it has the ability to perform actions such as:
    • Launch DDoS ICMP flood
    • Launch DDoS SYN flood
    • Launch DDoS UDP flood
    • Disable network shares
    • Download file
    • Edit registry
    • Enable network shares
    • Execute file
    • Join IRC channel
    • Kill process
    • Leave IRC channel
    • Open remote shell
    • Perform DDoS attack
    • Perform network scan
    • Start spreading routine
    • Terminate malware
    • Terminate process

 Backdoor Contact server:
One of the following:
   • http://www2.dokidoki.ne.jp/tomocrus/cgi-bin/check/**********
   • http://www.kinchan.net/cgi-bin/**********
   • http://www.pistarnow.is.net.pl/**********
   • http://cgi.break.power.ne.jp/check/**********
   • http://www.proxy4free.info/cgi-bin/**********
   • http://69.59.137.236/cgi/**********
   • http://tutanchamon.ovh.org/**********
   • http://www.proxy.us.pl/**********
   • http://test.anonproxies.com/**********
   • http://www.nassc.com/**********
   • http://www.littleworld.pe.kr/**********
   • http://www.anonymitytest.com/cgi-bin/**********
   • http://tn0828-web.hp.infoseek.co.jp/cgi-bin/**********

As a result it may send information and remote control could be provided.

 Stealing It tries to steal the following information:
– Recorded passwords used by the AutoComplete function
– Email account information obtained from the registry key: HKCU\Software\Microsoft\Internet Account Manager\Accounts

 Miscellaneous  Checks for an internet connection by contacting the following web site:
   • www.google.com


Anti debugging
It checks if one of the following programs is running:
   • Softice
   • Wine
   • FileMon
   • Regmon

If successful, it terminates immediately.
If this was successful it does not create any files.


File patching:
In order to disable Windows File Protection (WFP) it has the capability to modify the file sfc_os.dll at offset 0000E2B8. WFP is intended to avoid some of the common problems that cause DLL inconsistencies.

 File details Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

설명 삽입자 Andrei Gherman   2008년 6월 16일 월요일
설명 업데이트 Robert Harja Iliescu   2008년 7월 24일 목요일

뒤로 . . . .
https:// 이 창은 보안을 위해 암호화되었습니다.