Content

W32/Sdbot.worm.gen.ca

Type
Virus
SubType
Generic Worm
Discovery Date
04/27/2006
Length
varies
Minimum DAT
4750 (04/27/2006)
Updated DAT
5486 (01/05/2009)
Minimum Engine
5.1.00
Description Added
04/27/2006
Description Modified
09/06/2006 8:12 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

W32/Sdbot.worm.gen.ca is a worm that also drops a rootkit component to hide its files and processes. This rootkit component is detected as NTRootKit-J.

The W32/Sdbot.worm.gen.ca exhibits the following behavior:

  • It is Vmware aware so it does not run in Vmware environments
  • Avoids running when monitoring tools are active such as process monitoring tools
  • Drops a rootkit that hides the actual virus
  • Makes outbound connections to remote IP addresses
  • The worm file is Themida protected
  • Creates a service entry to start automatically

W32/Sdbot.worm.gen.ca connects to a IRC server and accepts remote commands. Upon connection, the bot immediately executes a default action set by the IRC channel operator. Windows users should ensure that they have installed the latest security patches from the vendor.

On execution the worm deletes itself from its current location and copies itself in %Windir% as lsass.exe. It then registers itself as a service by creating the following registry key(s):

  • hkey_local_machine\system\currentcontrolset\services\lsass

and has the following service characteristics:

  • Display name: "Local Security Authority Subsystem Service"
  • Description:"Microsoft Path Finder Service Displays Internet Routing Paths."

It also drops a rdriv.sys file in %WinDir% which is detected as NTRootKit-J. rdriv.sys is also registered as a service by creating the following registry entry:

  • hkey_local_machine\system\currentcontrolset\services\rdriv

Symptoms

  • Existence of registry keys as described.
  • Existence of one or more of the following file(s):
    • %WinDir%\lsass.exe
    • %SystemDir%\rdriv.sys
  •  IRC related data connections.

     

    • Method of Infection

    This worm can spread via AOL Instant Messenger, MIRC chat client, improperly configured/protected network shares and by exploiting buffer overflow vulnerabilities in the Windows operating system such as MS06-040.

    Removal

    All Users:
    Use current engine and DAT files for detection. Delete any file which contains this detection.

    Additional Windows ME/XP removal considerations

    Variants

    Variants

      N/A

    All Information

    Overview -

    W32/Sdbot.worm.gen.ca is a worm that also drops a rootkit component to hide its files and processes. This rootkit component is detected as NTRootKit-J.

    Characteristics

    Characteristics -

    W32/Sdbot.worm.gen.ca is a worm that also drops a rootkit component to hide its files and processes. This rootkit component is detected as NTRootKit-J.

    The W32/Sdbot.worm.gen.ca exhibits the following behavior:

    • It is Vmware aware so it does not run in Vmware environments
    • Avoids running when monitoring tools are active such as process monitoring tools
    • Drops a rootkit that hides the actual virus
    • Makes outbound connections to remote IP addresses
    • The worm file is Themida protected
    • Creates a service entry to start automatically

    W32/Sdbot.worm.gen.ca connects to a IRC server and accepts remote commands. Upon connection, the bot immediately executes a default action set by the IRC channel operator. Windows users should ensure that they have installed the latest security patches from the vendor.

    On execution the worm deletes itself from its current location and copies itself in %Windir% as lsass.exe. It then registers itself as a service by creating the following registry key(s):

    • hkey_local_machine\system\currentcontrolset\services\lsass

    and has the following service characteristics:

    • Display name: "Local Security Authority Subsystem Service"
    • Description:"Microsoft Path Finder Service Displays Internet Routing Paths."

    It also drops a rdriv.sys file in %WinDir% which is detected as NTRootKit-J. rdriv.sys is also registered as a service by creating the following registry entry:

    • hkey_local_machine\system\currentcontrolset\services\rdriv

    Symptoms

    Symptoms -

  • Existence of registry keys as described.
  • Existence of one or more of the following file(s):
    • %WinDir%\lsass.exe
    • %SystemDir%\rdriv.sys
  •  IRC related data connections.

     

    • Method of Infection

    Method of Infection -

    This worm can spread via AOL Instant Messenger, MIRC chat client, improperly configured/protected network shares and by exploiting buffer overflow vulnerabilities in the Windows operating system such as MS06-040.

    Removal -

    Removal -

    All Users:
    Use current engine and DAT files for detection. Delete any file which contains this detection.

    Additional Windows ME/XP removal considerations

    Variants

    Variants -

      N/A