W32/Sdbot.worm!51326
- Type: Virus
- SubType: Internet Worm
- Discovery Date: 08/16/2005
- Length: 51,326 bytes
- Minimum DAT: 4561 (08/17/2005)
- Updated DAT: 4561 (08/17/2005)
- Minimum Engine: 5.1.00
- Description Added: 08/16/2005
- Description Modified: 08/17/2005 3:47 AM (PT)
Overview
This is a virus detection. Viruses are programs that self-replicate recursively: an infected system spreads the virus to other systems, which then propagate it further. While many viruses carry a destructive payload, it is quite common for a virus to do nothing more than spread from one system to another.
Aliases
- WORM_ZOTOB.D (Trend Micro)
Characteristics
This worm exploits the MS05-039 vulnerability. At least two other W32/Sdbot-based worms are known to exploit the same vulnerability; they may be seen with the filenames pnpsrv.exe or winpnp.exe.
See http://vil.nai.com/vil/content/v_135434.htm
This self-executing worm spreads by exploiting the MS05-039 vulnerability (a buffer overrun in the Plug and Play service, reachable over SMB on TCP port 445) on unpatched Windows 2000 systems, and instructing the compromised system to download and execute a copy of the worm.
On-demand scans may detect this threat as New Malware.n with the 4551 DAT files or newer.
This was briefly detected as W32/Zotob.worm.d in our beta DATs, but further analysis has shown that it is not part of that family.
The generic buffer overflow protection in VirusScan Enterprise 8.0i and Managed VirusScan protects against the code execution that may result from exploitation of MS05-039.
Symptoms
The worm creates the file windrg32.exe in the %sysdir%\wbev directory and adds a registry Run value so that the worm is loaded at startup:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinDrg32: "%sysdir%\wbev\windrg32.exe"
It checks for the following registry key:
- HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
It deletes the following PUP-related registry values (if present) from each of these keys:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run
- HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
Values deleted:
- "EbatesMoeMoneyMaker"
- "eZmmod"
- "Trickler"
- "CMESys"
- "QuickTime Task"
- "TkBellExe"
- "ViewMgr"
- "TBPS"
- "WinTools"
- "sais"
- "msbb"
- "180ax"
- "saie"
- "lgbibsn"
- "tov"
- "WeatherOnTray"
- "Hotbar"
It also tries to delete the following registry values left by older Zotob variants from the same keys:
- "WINDOWS SYSTEM"
- "csm Win Updates"
- "Windows PNP"
- "Windows PNP Server"
It also removes various PUP files and older W32/Zotob variants. The following directories and files are deleted (if present):
- %programdir%\ezula
- %programdir%\hotbar
- %programdir%\GMT
- %programdir%\NavExcel
- %programdir%\cxtpls
- %programdir%\\toolbar
- %programdir%\wintools
- %programdir%\180solutions
- %programdir%\CMEII
- %programdir%\MyWay
- %programdir%\MyWebSearch
- %sysdir%\botzor.exe
- %sysdir%\csm.exe
- %sysdir%\winpnp.exe
- %sysdir%\pnpserv.exe
This variant has been observed contacting the following IRC servers:
- db23.hack-syndicate.org
- db23a.hack-syndicate.org
- spookystreet.m00p.org
- spookystreet.udp-flood.com
---- Update August 17, 2005 ---
It joins the channel #xaeti and listens for commands.
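The indicators above (the Run value, the dropped file path, the leftover Zotob values, the IRC hosts and the channel) are what a responder would sweep a fleet for. The script below is an added triage example, not part of the original McAfee description: it matches a .reg-style export of the Run/RunOnce keys, a list of file paths, and a few DNS/IRC log lines against those indicators and returns a per-host report. The registry and log samples are constructed for the demonstration (the log line format and the 203.0.113.7 address are assumptions; 203.0.113.0/24 is a documentation range), and the rule that persistence, the dropped file or C2 contact each suffice to flag the host is this example's own weighting.

```python
"""Offline triage for the W32/Sdbot.worm!51326 indicators listed above.

Added example, not part of the original McAfee description.  Sample
artifacts are constructed; the log line format is an assumption.
"""
import re

# Indicators transcribed from the description (compared case-insensitively).
RUN_VALUE_NAME = "windrg32"
DROPPED_FILE_SUFFIX = r"\wbev\windrg32.exe"
IRC_SERVERS = {
    "db23.hack-syndicate.org",
    "db23a.hack-syndicate.org",
    "spookystreet.m00p.org",
    "spookystreet.udp-flood.com",
}
IRC_CHANNEL = "#xaeti"
# Run values of older Zotob variants that this worm tries to delete.  Reported
# for context only (incomplete cleanup); they do not by themselves flag a host.
ZOTOB_RUN_VALUES = {"windows system", "csm win updates", "windows pnp", "windows pnp server"}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text):
    """Parse a .reg export (what regedit / 'reg export' writes) into
    {key_path: {value_name: data}}.  Only REG_SZ values are kept, which is
    all a Run key normally holds."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            # .reg string data escapes '"' as \" and '\' as \\
            data = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
            result[current][m.group(1)] = data
    return result


def find_run_persistence(reg):
    """(key, value_name, data) for Run/RunOnce entries that use the worm's
    value name or point at its dropped file."""
    hits = []
    for key, values in reg.items():
        if not key.lower().endswith(("\\run", "\\runonce")):
            continue
        for name, data in values.items():
            if name.lower() == RUN_VALUE_NAME or DROPPED_FILE_SUFFIX in data.lower():
                hits.append((key, name, data))
    return hits


def find_zotob_leftovers(reg):
    return [(key, name) for key, values in reg.items()
            for name in values if name.lower() in ZOTOB_RUN_VALUES]


def find_dropped_files(paths):
    return [p for p in paths if p.lower().endswith(DROPPED_FILE_SUFFIX)]


def find_c2_indicators(log_lines):
    """(indicator, line) for every log line naming a C2 host or the channel."""
    hits = []
    for line in log_lines:
        low = line.lower()
        hits.extend((host, line) for host in sorted(IRC_SERVERS) if host in low)
        if IRC_CHANNEL in low:
            hits.append((IRC_CHANNEL, line))
    return hits


def triage(reg_text, file_paths, log_lines):
    """Run all checks; the host is flagged on persistence, the dropped file,
    or C2 contact (this weighting is the example's own assumption)."""
    reg = parse_reg_export(reg_text)
    report = {
        "persistence": find_run_persistence(reg),
        "zotob_leftovers": find_zotob_leftovers(reg),
        "dropped_files": find_dropped_files(file_paths),
        "c2": find_c2_indicators(log_lines),
    }
    report["infected"] = bool(report["persistence"] or report["dropped_files"] or report["c2"])
    return report


# Constructed sample artifacts (not real captures).
SAMPLE_REG_INFECTED = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools"="C:\\Program Files\\VMware\\VMwareTray.exe"
"WinDrg32"="C:\\WINNT\\system32\\wbev\\windrg32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Windows PNP"="C:\\WINNT\\system32\\winpnp.exe"
"""
SAMPLE_REG_CLEAN = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools"="C:\\Program Files\\VMware\\VMwareTray.exe"
"""
SAMPLE_FILES = [r"C:\WINNT\system32\wbev\windrg32.exe", r"C:\WINNT\system32\svchost.exe"]
SAMPLE_LOG = [
    "2005-08-17 03:12:41 dns 10.0.0.5 query db23.hack-syndicate.org A",
    "2005-08-17 03:12:44 irc 10.0.0.5 -> 203.0.113.7:6667 JOIN #xaeti",
    "2005-08-17 03:13:02 dns 10.0.0.6 query update.microsoft.com A",
]

if __name__ == "__main__":
    print("infected host:", triage(SAMPLE_REG_INFECTED, SAMPLE_FILES, SAMPLE_LOG))
    print("clean host:", triage(SAMPLE_REG_CLEAN, SAMPLE_FILES[1:], SAMPLE_LOG[2:]))
```

Feed it a real export produced with `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` (and the three other keys), a directory listing of %sysdir%, and your DNS or proxy logs; the leftover Zotob values are worth reporting because this worm deletes them, so seeing them alongside WinDrg32 suggests the worm did not finish its cleanup or a second infection is present.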
Method of Infection
The worm creates several threads in various processes in order to stay memory resident. It connects to IRC channels in order to receive commands and to download updated versions of itself.
Removal
All Users:
Use the specified engine and DAT files for detection and removal.
Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A