DDoS-SQLhuc

Type
Malware
SubType
Denial Of Svc
Discovery Date
01/28/2003
Length
753,664 bytes
272,384 bytes (Aspack)
Minimum DAT
4245 (01/29/2003)
Updated DAT
4655 (12/21/2005)
Minimum Engine
5.1.00
Description Added
02/04/2003
Description Modified
02/04/2003 8:51 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

This is an IRC bot intended for use in distributed Denial of Service (DDoS) attacks. It is designed to work in conjunction with a separate application (SQLEXPLOIT.EXE) that exploits a buffer overflow, reachable over UDP, in unpatched SQL servers. SQLEXPLOIT.EXE is detected as Exploit-SQLhuc.

AVERT has received a few samples of this bot from the field, each with the filename DIRECTX.EXE. Both packed (Aspack) and unpacked files have been received. A later variant requires the 4246 DATs for detection.

When the bot is executed on the victim machine, the following Registry key is added:

HKEY_LOCAL_MACHINE\Software\ColdVision
"update" = 00 00 00 00

The bot also copies itself to the %WinDir%\System32 directory as DIRECTX.EXE. To hook system startup, the following Registry key is added:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"directx.exe" = %filepath%

where %filepath% is the full path of the executed file. (This key was not added on Win9x machines in testing.)

The bot opens port 21 (FTP) on the victim machine. This is used for transferring the SQLEXPLOIT.EXE component by means of a batch file (GO.BAT, detected as DDoS-SQLhuc.bat with the 4247 DATs) and an FTP script.

The bot attempts to connect to port 6667 on a remote IRC server and join an IRC channel. Once connected, it accepts various commands, including:

  • killbot
  • who
  • info
  • attacks on/off
  • listtasks
  • killtask
  • winver
  • uptime
  • redirect

Symptoms

  • existence of the ColdVision Registry key, or startup hook key detailed above
  • existence of C:\SQLEXPLOIT.EXE
  • outgoing TCP/IP traffic destined for port 6667 on remote IRC servers
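The following PowerShell script is an added example for triaging a host against the indicators listed above (the ColdVision marker key, the Run hook, the dropped files, the FTP listener on port 21 and outbound IRC on port 6667). It is not AVERT's tooling and performs no cleaning. It assumes Windows PowerShell 5.1 or later running elevated, and the NetTCPIP module that provides Get-NetTCPConnection (Windows 8 / Server 2012 and later); the WOW6432Node paths are checked as an assumption for 64-bit hosts and are not mentioned on the page.

```powershell
# Added example, not part of the original description: read-only triage for
# DDoS-SQLhuc indicators. Run elevated. Reports findings and exits 1 if any.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Marker key written when the bot first runs ("update" = 00 00 00 00).
#    WOW6432Node path is an assumption for 64-bit hosts.
foreach ($key in 'HKLM:\SOFTWARE\ColdVision',
                 'HKLM:\SOFTWARE\WOW6432Node\ColdVision') {
    if (Test-Path -LiteralPath $key) {
        $update = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).update
        $findings.Add("Registry marker present: $key (update = $($update -join ' '))")
    }
}

# 2. Startup hook: value "directx.exe" under the machine-wide Run key.
foreach ($run in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -LiteralPath $run -ErrorAction SilentlyContinue
    if ($props -and ($props.PSObject.Properties.Name -contains 'directx.exe')) {
        $findings.Add("Run hook present: $run\directx.exe = $($props.'directx.exe')")
    }
}

# 3. Files named in the description: the bot's copy of itself in System32
#    and the exploit component dropped at the root of C:.
foreach ($path in (Join-Path $env:windir 'System32\DIRECTX.EXE'), 'C:\SQLEXPLOIT.EXE') {
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings.Add("File present: $path ($($item.Length) bytes, SHA256 $hash)")
    }
}

# 4. Network indicators: a TCP/21 listener (used to pull SQLEXPLOIT.EXE) and
#    any connection to a remote port 6667 (IRC command channel).
$conns = Get-NetTCPConnection -ErrorAction SilentlyContinue
foreach ($c in ($conns | Where-Object { $_.LocalPort -eq 21 -and $_.State -eq 'Listen' })) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    $findings.Add("TCP/21 listener owned by PID $($c.OwningProcess) ($($proc.ProcessName))")
}
foreach ($c in ($conns | Where-Object { $_.RemotePort -eq 6667 })) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    $findings.Add("TCP/6667 to $($c.RemoteAddress) [$($c.State)] from PID $($c.OwningProcess) ($($proc.ProcessName))")
}

if ($findings.Count -eq 0) {
    Write-Output 'No DDoS-SQLhuc indicators found on this host.'
    exit 0
}
$findings | ForEach-Object { Write-Output "[!] $_" }
exit 1
```

A legitimate FTP service will also match the port 21 check, which is why the owning process name is reported rather than treating the listener alone as conclusive. Absence of the Run hook does not clear a host either: the description notes the key was not added on Win9x machines in testing, so the marker key, the files and the network indicators should be weighed together. On systems without Get-NetTCPConnection, substitute `netstat -ano` and filter for `:21` in the local column and `:6667` in the remote column.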

Method of Infection

Once installed on the victim machine, the bot attempts to join an IRC channel and awaits remote commands.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A
