W32/Sdbot.worm

Type: Virus
SubType: Internet Worm
Discovery Date: 04/10/2003
Length: Varies
Minimum DAT: 4258 (04/16/2003)
Updated DAT: 5663 (07/01/2009)
Minimum Engine: 5.1.00
Description Added: 06/30/2003
Description Modified: 03/24/2009 5:36 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

-- Update March 24, 2009 --

A new variant was seen today (detected as W32/Sdbot.worm.gen.t). This variant drops the following file in the c:\windows\system folder:

  • msddll.exe

It creates services that point to this file. The following are the registry keys.

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msddll
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msddll

The worm attempts to spread by scanning the subnet over port 445 looking for vulnerable hosts.

Network connections to the following domain were observed:

  • ak3jad.com

-- Update February 2, 2005 --
These SDBot names vary considerably, but regularly try to look similar to other legitimate Windows executable names, so that a user viewing the Task Manager might assume that the names listed are valid.

Some example filenames (but not all) seen by AVERT include:

  • amdpatchB.exe
  • cmst32.exe
  • hcgnwlmqge.exe
  • hjkds.exe
  • hlcbome.exe
  • iexplore.exe
  • jxsrwb.exe
  • kveuto.exe
  • ms.exe
  • msgfix.exe
  • msgfix1.exe
  • msmon32.exe
  • msmon32b.exe
  • msnmssgs.exe
  • mstasks.exe
  • nav32.exe
  • ns32.exe
  • rssdd.exe
  • spool.exe
  • spoolserv.exe
  • spoolsvc.exe
  • svchosst.exe
  • svcnet.exe
  • svhosint32.exe
  • syntwin32.exe
  • system.exe
  • system03.exe
  • Systmesy.exe
  • taskmngr.exe
  • unreal.exe
  • wc.exe
  • WindowsSys32.exe
  • WINL0G0N.exe
  • winudap.exe
  • winumc.exe
  • winupdate32.exe
  • wsndlg32.exe
  • wuamagrd.exe
  • wuamgrd.exe
  • wuamgrd2.exe
  • wuamgrdk.exe
  • wvsvc.exe

-- Update August 11, 2004 --
There are now over 4000 variants of this threat, many of which were proactively detected, and this number continues to grow at a rapid rate. 

AVERT is constantly enhancing generic detection for this family. To ensure you have appropriate protection, use the latest DATs and the latest engine, and do not disable scanning of packed executable files.

-- Update April 6, 2004 --
There are now over 700 variants of this trojan-turned-worm. Multiple new variants are discovered each week. They vary in file size and name.

This detection is for worms that are based on the IRC-Sdbot trojan code. The source code for the IRC-Sdbot trojan was published on the Internet some time ago, and a number of worms are based on the same code. The following detections exist for such worms:

  • W32/Sdbot.worm
  • W32/Sdbot.worm.gen
  • W32/Sdbot.worm.gen.b

Due to their origins, such worms are often proactively detected as IRC-Sdbot with the 4258+ DAT files. Users are recommended to ensure the scanning of compressed files is enabled to maximise proactive detection.

These worms typically spread via network shares and create a remote access point for attackers to exploit.

Some variants can take advantage of the following vulnerabilities:

  • DCOM RPC vulnerability (MS03-026)
  • WEBDAV vulnerability (MS03-007)
  • LSASS vulnerability (MS04-011)
  • ASN.1 vulnerability (MS04-007)
  • Workstation Service vulnerability (MS03-049)
  • PNP vulnerability (MS05-039)
  • Imail IMAPD LOGIN username vulnerability
  • Cisco IOS HTTP Authorization Vulnerability

    There are some variants which use a combination of the above vulnerabilities during their attack on the system.

    The description below is specific to one such worm, but the characteristics are typical for many other variants. (Exact filename and Registry key names may change, of course.)

    When run, it copies itself to the WINDOWS SYSTEM (%SysDir%) directory and creates two registry run keys to load the worm at system startup:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Services Host" = scchost.exe
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "Services Host" = scchost.exe

    Network Propagation

    The worm's file share propagation relies on target systems being accessible for one of two reasons:
    1. Poor security on target systems
    2. The credentials of the user logged on to an infected system are sufficient to access other systems on the network

    The worm scans random IP subnets for machines present on the network. Once a system is found, the worm tries to connect to the 'C$' and/or 'C' shares on that machine. The following accounts are used for the connection (with no passwords):

    • Administrator
    • Owner
    • Guest

    NOTE: The virus assumes the privileges of the currently authenticated user. If a blank password is insufficient on the target system, the current credentials could be sufficient to gain access on a remote system.

    Some variants also try additional administrative shares such as D$, E$, IPC$, Print$ and Admin$, and contain within them a list of common usernames/passwords to use to gain access to password-protected shares.

    If successful, the worm will copy itself onto that share in one of the following locations (i.e. the Windows Startup folder):

    • C:\WINNT\Profiles\All Users\Start Menu\Programs\Startup
    • C:\WINDOWS\Start Menu\Programs\Startup
    • C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    • \WINNT\Profiles\All Users\Start Menu\Programs\Startup
    • \WINDOWS\Start Menu\Programs\Startup
    • \Documents and Settings\All Users\Start Menu\Programs\Startup
    Finally, the worm attempts to execute the copied file by calling the NetScheduleJobAdd function.

    Remote Access Trojan

    The worm connects to an IRC channel and server and waits for instructions. A remote attacker can use the trojan to perform various tasks:
    • Gather system information (CPU, drive space, RAM, OS version, user name, computer name, IP address)
    • Run IRC commands (Join channels, send messages)
    • SYN Flood others
    • Kill processes
    • Download files
    • Execute files

    Symptoms

    The worm disables default admin shares (such as C$, D$, and Admin$) on WinNT/2K/XP systems by setting two registry key values:

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters "AutoShareServer" = DWORD:0
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters "AutoShareWks" = DWORD:0

    A registry value is set to disable the enumeration of shares during a null session:

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa "restrictanonymous" = DWORD:1

    An indication of infection is outbound IP traffic to the server IRC.DOTBLUE.ORG on TCP port 6667.
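    The persistence keys, the 2009 variant's msddll service, the share-tampering values and the IRC traffic described above can be checked offline against artifacts collected from a suspect host (a .reg export and netstat -ano output). This is an added Python triage example, not McAfee's tooling; the indicator values come from this page, and the sample artifacts are constructed.

```python
# Indicators as printed on the page (run-key value, service name, share-tampering
# values, look-alike file names, IRC C2 host/port). The sample inputs below are constructed.
RUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
}
LANMAN = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters"
LOOKALIKES = {"scchost.exe", "msddll.exe", "svchosst.exe", "winl0g0n.exe", "taskmngr.exe"}
IRC_HOST, IRC_PORT = "irc.dotblue.org", "6667"

def parse_reg_export(text):  # .reg export text -> {key: {name: value}}
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = value.strip().strip('"')
    return keys

def check_registry(reg):
    """Return the Sdbot persistence and share-tampering indicators present in reg."""
    hits = []
    for key, values in reg.items():
        if key in RUN_KEYS:  # "Services Host" = scchost.exe style autostart entries
            hits += [f"run key {key} -> {n} = {v}" for n, v in values.items()
                     if v.lower() in LOOKALIKES]
        if key.lower().endswith(r"\services\msddll"):  # 2009 variant's service
            hits.append(f"service key {key}")
    for name in ("AutoShareServer", "AutoShareWks"):  # worm turns admin shares off
        if reg.get(LANMAN, {}).get(name) == "dword:00000000":
            hits.append(f"{name} = 0 (admin shares disabled)")
    return hits

def check_netstat(lines):  # flag TCP sessions in 'netstat -ano' output to the IRC C2
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP":
            host, _, port = parts[2].rpartition(":")
            if port == IRC_PORT or host.lower() == IRC_HOST:
                hits.append(f"IRC traffic to {parts[2]} (pid {parts[-1]})")
    return hits

SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Services Host"="scchost.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareServer"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msddll]
"ImagePath"="c:\windows\system\msddll.exe" """
SAMPLE_NETSTAT = ["  TCP    10.0.0.5:1045    203.0.113.9:6667    ESTABLISHED    1488",
                  "  TCP    10.0.0.5:1046    10.0.0.1:445        ESTABLISHED    1488"]
```

    Run check_registry(parse_reg_export(SAMPLE_REG)) and check_netstat(SAMPLE_NETSTAT) on real exports; the port 445 session in the sample is left unflagged because many legitimate SMB sessions look the same, so subnet scanning is better judged by connection volume than by a single entry.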

    Method of Infection

    The exact method of propagation will vary between variants. However, the following characteristics are typical:

    Share Propagation

    The worm propagates via accessible or poorly-secured network shares, and some variants are intended to take advantage of high-profile exploits.

    When it attempts to spread through default administrative shares, it tries, for example:

    • PRINT$
    • E$
    • D$
    • C$
    • ADMIN$
    • IPC$

    Some variants also carry a list of poor username/password combinations to gain access to these shares.

    Weak Passwords and Configurations

    Several variants are known to probe MS SQL servers for weak administrator passwords and configurations. When successful, the virus could execute remote system commands via the SQL server access.

    Removal

    All Users:
    Use specified engine and DAT files for detection and removal of virus and trojan files related to this threat.

    Many share-jumping viruses rely on weak usernames/passwords. They attempt to gain administrative rights by using a dictionary-style attack, trying usernames like "admin" or "administrator" and passwords like "admin" or "123456". Beyond such weak usernames/passwords, many can use the credentials of the local user, meaning that if a super-administrator or domain admin logs on to an infected system or becomes infected, the virus will have access to all systems within its "reach". Such worms often rely on the presence of default admin shares. It is a good idea to remove the administrative shares (C$, IPC$, ADMIN$) on all systems to prevent such spreading. A simple batch file containing the following commands may help, especially when run from a logon script or placed in the startup folder.
    • net share c$ /delete
    • net share d$ /delete
    • net share e$ /delete
    • net share ipc$ /delete
    • net share admin$ /delete

    Variants

      N/A

    All Information

    Overview

    This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

    Aliases

    • W32.HLLW.Donk (Symantec)
    • W32/Sdbot.worm.gen
    • W32/Sdbot.worm.gen.b
