W32/Sdbot.worm.gen.w

Type
Virus
SubType
Generic Worm
Discovery Date
08/18/2004
Length
Minimum DAT
4382 (07/28/2004)
Updated DAT
4996 (02/02/2007)
Minimum Engine
5.1.00
Description Added
07/28/2004
Description Modified
07/08/2005 4:27 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

The file names used by this SDBot family vary considerably, but they are regularly chosen to resemble legitimate Windows executable names, so that a user viewing Task Manager assumes the listed processes are valid.

Some example filenames (but not all) used by this variant:

Rpcclient.exe

SDKrepair2.exe

-- Update July 08, 2005 --
There are now more than 12,000 variants of this threat, many of which were proactively detected, and this number continues to grow at a rapid rate. 

AVERT is constantly enhancing generic detection for this family. To ensure you have appropriate protection, use the latest DATs and the latest engine, and do not disable scanning of packed executable files, since the generic detection depends on the scanner unpacking these samples.

These worms typically spread via network shares and create a remote access point for attackers to exploit.

Some variants can take advantage of the following vulnerabilities:

DCOM RPC vulnerability - http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx

WEBDAV vulnerability - http://www.microsoft.com/technet/security/bulletin/MS03-007.mspx

LSASS vulnerability - http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Some variants use a combination of the above vulnerabilities during their attack on the system.

When run, it copies itself to the WINDOWS SYSTEM (%SysDir%) directory and creates registry run keys to load the worm at system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Mascro soft SDK updates2" = SDKrepair2.exe 4

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Mascro soft SDK updates2" = SDKrepair2.exe 4

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "Mascro soft SDK updates2" = SDKrepair2.exe 4

The value name and the file name in these registry entries vary with the particular file dropped by the variant; the keys themselves (Run and, on Windows 9x/ME, RunServices) are the constant part of the persistence.
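As an added example (not part of the McAfee description), the following PowerShell script enumerates the three Run/RunServices keys listed above, reports every autorun value together with the executable it points at, and flags entries whose value name or file name matches the indicators given on this page. The indicator strings ("Mascro soft SDK updates2", Rpcclient.exe, SDKrepair2.exe) come from the description; the rule that a bare file name in autorun data is resolved against the system directory, because that is where this worm copies itself, is this example's own assumption. Since the page notes that names vary across variants, a miss on the indicator list means "not this sample", not "clean", which is why the script prints every entry rather than only the matches.

```powershell
# Added example, not code from the original description. Triage the autorun
# keys used by W32/Sdbot.worm.gen.w and flag entries matching its known indicators.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'   # Windows 9x/ME only; skipped when absent
)

# Indicators taken from the description. Other variants use other names.
$knownValueNames = @('Mascro soft SDK updates2')
$knownFileNames  = @('rpcclient.exe', 'sdkrepair2.exe')

$sysDir = [Environment]::SystemDirectory

function Resolve-AutorunImage {
    # Autorun data looks like:   SDKrepair2.exe 4     or    "C:\path\x.exe" /arg
    # Take the first token (quoted or bare) as the image. Assumption made by this
    # example: a bare file name is resolved against the system directory, because
    # that is where this worm drops its copy.
    param([string]$Data)
    $m = [regex]::Match($Data.Trim(), '^"([^"]+)"|^(\S+)')
    if (-not $m.Success) { return $null }
    $image = if ($m.Groups[1].Success) { $m.Groups[1].Value } else { $m.Groups[2].Value }
    if (-not [IO.Path]::IsPathRooted($image)) {
        $image = Join-Path $sysDir $image
    }
    return $image
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $data  = [string]$item.GetValue($name)
        $image = Resolve-AutorunImage $data
        $file  = if ($image) { [IO.Path]::GetFileName($image).ToLowerInvariant() } else { '' }

        $reasons = @()
        if ($knownValueNames -contains $name) { $reasons += 'value name matches Sdbot indicator' }
        if ($knownFileNames  -contains $file) { $reasons += 'file name matches Sdbot indicator' }
        if ($image -and ($image -like "$sysDir\*") -and -not (Test-Path $image)) {
            # A run entry pointing at a file that no longer exists in the system
            # directory is typical after a scanner has deleted the dropped copy.
            $reasons += 'points to a missing file in the system directory (stale autorun)'
        }

        [pscustomobject]@{
            Key    = $key
            Name   = $name
            Data   = $data
            Image  = $image
            Exists = [bool]($image -and (Test-Path $image))
            Flags  = ($reasons -join '; ')
        }
    }
}

# Show every autorun entry, flagged ones first, so the reviewer sees the whole
# list and not just what happened to match a short indicator set.
$findings | Sort-Object { $_.Flags -eq '' } | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the suspect host; the HKCU key is read for the current user only, so repeat under each locally used profile, or load the other users' NTUSER.DAT hives, when checking a shared machine.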

Symptoms

Added registry run entries and a copy of the worm in the WINDOWS SYSTEM directory.

Method of Infection

Share Propagation

The worm propagates via accessible or poorly-secured network shares, and some variants also exploit the following high-profile vulnerabilities:

DCOM RPC vulnerability - http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx

WEBDAV vulnerability - http://www.microsoft.com/technet/security/bulletin/MS03-007.mspx

LSASS vulnerability - http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Removal

All Users:
Use the specified engine and DAT files (or later) for detection and removal of the virus and trojan files related to this threat.

Many share-jumping worms rely on weak usernames and passwords. They attempt to gain administrative rights with a dictionary-style attack, trying usernames like "admin" or "administrator" and passwords like "admin" or "123456". Beyond such weak credentials, many can also reuse the credentials of the logged-on user: if a super-administrator or domain admin logs on to an infected system, or becomes infected, the worm has access to every system within that account's "reach". Such worms often rely on the presence of the default administrative shares. It is a good idea to remove the administrative shares (C$, IPC$, ADMIN$) on all systems to prevent such spreading. Note that on Windows NT/2000/XP deleting a share with net share lasts only until the next reboot, because the Server service recreates the administrative shares when it starts (IPC$ is always recreated), which is why the commands below belong in a logon script or the Startup folder; alternatively, setting the AutoShareWks (workstation) and AutoShareServer (server) values under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters to 0 stops the drive and ADMIN$ shares from being recreated. A simple batch file containing the following commands may help, especially when run from a logon script or placed in the Startup folder.
  • net share c$ /delete
  • net share d$ /delete
  • net share e$ /delete
  • net share ipc$ /delete
  • net share admin$ /delete
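As an added example (not the batch file from the McAfee description), this PowerShell script performs the same share removal but discovers which drive shares actually exist on the host, supports a dry run, and makes the change persistent with the AutoShareWks/AutoShareServer registry values under LanmanServer\Parameters, so it does not need to be re-run at every logon. The drive-letter and share-name parsing are this example's own assumptions about the output of net share. Removing C$/ADMIN$ also breaks any remote administration that depends on those shares (remote DAT deployment, remote event-log or file access), so pilot it on a small group before rolling it out through a logon script.

```powershell
# Added example, not code from the original description. Remove the
# administrative shares now and stop the Server service recreating them.
# Run elevated. Use -WhatIf to see what would change without changing it.

param([switch]$WhatIf)

$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Candidate shares: one per local drive letter (C$, D$, ...) plus ADMIN$ and IPC$,
# mirroring the list in the description above.
$driveShares = Get-PSDrive -PSProvider FileSystem |
    Where-Object { $_.Name -match '^[A-Z]$' } |
    ForEach-Object { "$($_.Name)`$" }
$targets = @($driveShares) + @('ADMIN$', 'IPC$')

# Shares currently offered by this host, parsed from 'net share' output
# ("C$           C:\           Default share"): first column, $-suffixed names only.
# Assumption of this example: columns are separated by two or more spaces.
$existing = net share |
    ForEach-Object { ($_ -split '\s{2,}')[0].Trim() } |
    Where-Object { $_ -match '\$$' }

foreach ($share in $targets) {
    if ($existing -notcontains $share) { continue }   # safe to re-run
    if ($WhatIf) { Write-Host "Would delete share $share" }
    else         { net share $share /delete | Out-Null }
}

# Persist across reboots. AutoShareWks governs workstation SKUs, AutoShareServer
# governs server SKUs; setting both to 0 stops C$/D$/ADMIN$ being recreated.
# IPC$ is not governed by these values and returns whenever the Server service
# starts, so its removal above is temporary, as the description notes.
foreach ($name in 'AutoShareWks', 'AutoShareServer') {
    if ($WhatIf) { Write-Host "Would set $params\$name = 0" }
    else {
        New-ItemProperty -Path $params -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
    }
}
```

To undo the change, delete the two registry values (or set them to 1) and restart the Server service; the drive and ADMIN$ shares are recreated automatically.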

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Backdoor.Win32.SdBot.gen (AVP)
  • W32.Randex (Symantec)
