
W32/Sdbot.worm!MS06-040

Type: Virus
SubType: Internet Worm
Discovery Date: 08/19/2006
Length: Varies
Minimum DAT: 4833 (08/21/2006)
Updated DAT: 5263 (03/31/2008)
Minimum Engine: 5.1.00
Description Added: 08/20/2006
Description Modified: 08/30/2006 4:51 PM (PT)
Risk Assessment:
    • Corporate User: Low
    • Home User: Low

Characteristics

Upon execution, the virus displays a fake error message (not reproduced here) while continuing to run in the background.

System Changes

Files Added

    • %SYSTEMDIR%\javanet.exe ( 180736 bytes )

Files Replaced

    • %SYSTEMDIR%\drivers\tcpip.sys
    • %SYSTEMDIR%\dllcache\tcpip.sys

(This threat checks for the XP SP2 or newer version of tcpip.sys and patches it to allow up to 200 simultaneous connections, which supports its aggressive port scanning.)

Registry

The following registry keys are created:

    • hkey_local_machine\software\microsoft\windows\currentversion
      \runservices\ms java for windows xp & nt="javanet.exe"
    • hkey_current_user\software\microsoft\windows\currentversion
      \runservices\ms java for windows xp & nt="javanet.exe"
    • hkey_local_machine\system\currentcontrolset\control\lsa
      \restrictanonymous="1"
    • hkey_local_machine\system\currentcontrolset\control\lsa
      \lmcompatibilitylevel="1"
    • hkey_local_machine\system\controlset001\services\sharedaccess\start = "0x00000004" (disable Windows Firewall)
    • hkey_local_machine\system\currentcontrolset\services\sharedaccess\start = "0x00000004" (disable Windows Firewall)
    • hkey_local_machine\system\controlset001\services\wuauserv\start = 0x00000004 (disable Windows Update)
    • hkey_local_machine\system\currentcontrolset\services\wuauserv\start = 0x00000004 (disable Windows Update)
    • hkey_current_user\software\microsoft\windows\javanet="rBot v2
      a.k.a. the next generation (working on winXP SP2)"
    • hkey_local_machine\software\microsoft\ole\enabledcom="78"
    • hkey_local_machine\software\microsoft\windows nt\currentversion
      \winlogon\userinit="%SYSTEMDIR%\userinit.exe,javanet.exe"
    • hkey_local_machine\software\microsoft\windows nt\currentversion
      \winlogon\shell="Explorer.exe javanet.exe"

The virus opens a backdoor on TCP port 4915 and tries to connect to an IRC server, where it waits for commands, at:

    • forum.ednet.es

The following channel names are used:

    • ##.api.##
    • ##.api-keyl0g.##
    • ##.api-cashlog.##
    • ##.api-exp.##

The commands that the virus can receive include:

    • DDoS
    • Scan (for vulnerable systems)
    • Download / execute remote files
    • Start or stop spreading through instant messaging (IM)
    • Kill processes and threads
    • Open a command shell
    • Start a SOCKS4 proxy server
    • Log keystrokes

It steals login credentials and PIN information when any of the following strings is present in the domain name being browsed:

    • bank
    • Bank
    • eBay
    • e-gold
    • iKobo
    • PayPal
    • StormPay
    • WorldPay
    • Western Union

It kills services and applications whose names contain any of the following strings:

    • avast
    • norton
    • mcafee
    • f-pro
    • lockdown
    • firewall
    • blackice
    • avg
    • vsmon
    • zonea
    • spybot
    • nod32
    • reged
    • rav
    • nav
    • avp
    • troja
    • viru
    • anti

Symptoms

The virus opens a backdoor on TCP port 4915 and tries to connect to an IRC server at:

  • forum.ednet.es
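The registry changes listed under Characteristics and the network symptoms above are the host-side indicators a responder would look for. The following Python script is an added example (it is not McAfee's tooling and is not part of the original description): it parses a regedit-style .reg export and a set of netstat-style connection lines and flags the persistence values, the disabled SharedAccess/wuauserv services, the infection marker, the backdoor listener on TCP 4915 and any connection to forum.ednet.es. The .reg text and the connection lines below are constructed sample input; the remote IRC port 6667 in the sample is an assumption, since the description does not state it.

```python
"""Triage helper for the W32/Sdbot.worm!MS06-040 indicators given in the description.
Added example, not McAfee's code. All sample inputs below are constructed."""
import hashlib
import re

# Indicators copied from the description above.
JAVANET_MD5 = "9cde50fa255d9f733fe896e592616884"   # MD5 of %SYSTEMDIR%\javanet.exe
BACKDOOR_PORT = 4915                                 # TCP backdoor port
IRC_SERVER = "forum.ednet.es"                        # IRC command server

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<val>.+)$')


def parse_reg_export(text):
    """Parse a regedit .reg export into {(key, name): value}.
    Keys and value names are lowercased; REG_SZ values become str, dword values int."""
    values = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group("key").lower()
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            val = m.group("val")
            if val.startswith("dword:"):
                parsed = int(val[len("dword:"):], 16)
            elif val.startswith('"') and val.endswith('"'):
                parsed = val[1:-1]
            else:
                parsed = val
            values[(key, m.group("name").lower())] = parsed
    return values


def registry_findings(values):
    """Return human-readable findings for the registry changes the worm makes."""
    findings = []
    for (key, name), val in values.items():
        sval = str(val).lower()
        if key.endswith("\\runservices") and name == "ms java for windows xp & nt" and "javanet.exe" in sval:
            findings.append(f"persistence: {key}\\{name}={val!r}")
        elif key.endswith("\\winlogon") and name in ("userinit", "shell") and "javanet.exe" in sval:
            findings.append(f"persistence: {key}\\{name}={val!r}")
        elif key.endswith("\\services\\sharedaccess") and name == "start" and val == 4:
            findings.append(f"windows firewall service disabled: {key}\\start=4")
        elif key.endswith("\\services\\wuauserv") and name == "start" and val == 4:
            findings.append(f"windows update service disabled: {key}\\start=4")
        elif key.endswith("\\software\\microsoft\\windows") and name == "javanet":
            findings.append(f"infection marker: {key}\\javanet={val!r}")
    return findings


def connection_findings(lines):
    """Flag netstat-style lines ('PROTO LOCAL REMOTE [STATE]'): a listener on the
    backdoor port, or any connection whose remote host is the worm's IRC server."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        proto, local, remote = parts[0], parts[1], parts[2]
        state = parts[3] if len(parts) > 3 else ""
        if proto.lower() == "tcp" and local.rsplit(":", 1)[-1] == str(BACKDOOR_PORT) and state == "LISTENING":
            findings.append(f"backdoor listener on tcp/{BACKDOOR_PORT}: {line}")
        if remote.rsplit(":", 1)[0].lower() == IRC_SERVER:
            findings.append(f"connection to IRC server {IRC_SERVER}: {line}")
    return findings


def is_javanet_sample(data):
    """True when the file contents hash to the MD5 given for javanet.exe."""
    return hashlib.md5(data).hexdigest() == JAVANET_MD5


# Constructed .reg export: the worm's values plus one benign Run entry as a control.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"MS Java for Windows XP & NT"="javanet.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,javanet.exe"
"Shell"="Explorer.exe javanet.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows]
"javanet"="rBot v2 a.k.a. the next generation (working on winXP SP2)"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

# Constructed netstat-style lines; the IRC port 6667 is an assumption.
SAMPLE_NETSTAT = [
    "TCP    0.0.0.0:4915          0.0.0.0:0               LISTENING",
    "TCP    192.168.1.20:1052     forum.ednet.es:6667     ESTABLISHED",
    "TCP    192.168.1.20:1040     update.example.com:80   ESTABLISHED",
    "UDP    0.0.0.0:137           *:*",
]

if __name__ == "__main__":
    for f in registry_findings(parse_reg_export(SAMPLE_REG)) + connection_findings(SAMPLE_NETSTAT):
        print(f)
```

On a real host the .reg text would come from `reg export` of the HKLM\SOFTWARE, HKLM\SYSTEM and HKCU\Software hives and the connection lines from `netstat -a`; the checks match on the tail of each key path so that both the ControlSet001 and CurrentControlSet copies of the service keys are caught.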

Method of Infection

It can replicate by exploiting one or more of the following vulnerabilities:

    • The Microsoft Windows Plug and Play Buffer Overflow Vulnerability (MS05-039): http://vil.nai.com/vil/content/v_135368.htm
    • The Microsoft Windows Server Service Remote Buffer Overflow Vulnerability (MS06-040): http://vil.nai.com/vil/Content/v_vul26682.htm

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

This threat modifies a number of system files and configurations, which can include disabling the default Windows Firewall and the Windows Update service on the infected machine. These settings are not restored automatically and should be reconfigured manually to your preferred values.

Variants

    N/A

All Information

Overview

This is the detection for a variant of W32/Sdbot.worm that exploits the recent Microsoft Windows Server Service Buffer Overflow (MS06-040) against Windows 2000 machines.

This worm installs itself in the WINDOWS SYSTEM directory (typically c:\windows\system32) as javanet.exe (MD5: 9CDE50FA255D9F733FE896E592616884) 


The virus body contains the following string, which suggests that further variants are planned:

"rBot v2 a.k.a. the next generation (working on winXP SP2)"


It creates the following identifying registry keys:

  • hkey_local_machine\software\microsoft\windows\currentversion\runservices\ms java for windows xp & nt="javanet.exe"
  • hkey_current_user\software\microsoft\windows\currentversion\runservices\ms java for windows xp & nt="javanet.exe"
  • hkey_current_user\software\microsoft\windows\javanet="rBot v2 a.k.a. the next generation (working on winXP SP2)"

Aliases

  • W32/Vanebot-G (Sophos)
