W32/Sdbot.worm!811a7027

Type: Internet Worm
SubType: Internet Relay Chat
Discovery Date: 11/28/2006
Length: 1,182,208 bytes
Minimum DAT: 4907 (11/29/2006)
Updated DAT: 5234 (02/20/2008)
Minimum Engine: 5.1.00
Description Added: 11/28/2006
Description Modified: 11/28/2006 6:04 PM (PT)
Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled

Characteristics

This is a variant of W32/Sdbot.worm which bears strong resemblance to the many other members of this rapidly growing family.

It is detected as W32/Sdbot.worm.gen.ca with the specified engine and DATs.

This worm bears the following characteristics:

  • propagates to machines with poorly secured network shares (weak username/password combinations) or accessible shares (where local credentials are sufficient to write files to other systems)
  • propagates to remote machines by attempting to copy itself to a number of shares
  • provides a backdoor to the victim machine, thereby compromising data on that machine (significant remote access functionality is available to the hacker)

It uses the following exploits to propagate across vulnerable networks:

  • DCOM RPC Vulnerability MS03-026 (Microsoft)
  • ASN.1 vulnerability MS04-007 (Microsoft)
  • Windows Plug and Play vulnerability MS05-039 (Microsoft)
  • Windows Server Service vulnerability MS06-040 (Microsoft)
  • FTPD realpath vulnerability CVE-1999-0368 (Multiple Vendors)
  • Symantec Antivirus and Client Security vulnerability CVE-2006-2630

Symptoms

Upon execution, this worm creates a copy of itself into the Windows directory:

  • %WinDir%\w32svc.exe

It modifies the following registry entry to disable Windows File Protection:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "SFCDisable"

It creates a service with the following properties:

  • DisplayName - Windows Network Firewall
  • ImagePath - %WinDir%\w32svc.exe

It does not create an auto-start registry key.
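The three host-side symptoms above (the dropped file, the SFCDisable value and the service) can be checked together. The following PowerShell script is an added example, not code from McAfee or from this description; it assumes Windows PowerShell 3.0 or later for Get-CimInstance and reports only the indicators listed here.

```powershell
# Added example: check a host for the indicators listed in this description
# (dropped file, Winlogon\SFCDisable value, service name/image path).
# Not McAfee's code. Assumes Windows PowerShell 3.0+ (Get-CimInstance).

$findings = @()

# 1. Copy of the worm dropped into the Windows directory
$dropped = Join-Path $env:WinDir 'w32svc.exe'
if (Test-Path -LiteralPath $dropped) {
    $findings += "File present: $dropped"
}

# 2. Windows File Protection disabled through Winlogon\SFCDisable
#    (0 or absent is the normal state; any other value is suspicious)
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$sfc = Get-ItemProperty -Path $winlogon -Name 'SFCDisable' -ErrorAction SilentlyContinue
if ($null -ne $sfc -and $sfc.SFCDisable -ne 0) {
    $findings += "SFCDisable set to $($sfc.SFCDisable) under $winlogon"
}

# 3. Service matching the DisplayName or ImagePath from the description
$svc = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.DisplayName -eq 'Windows Network Firewall' -or
                   $_.PathName -like '*\w32svc.exe*' }
foreach ($s in $svc) {
    $findings += "Service '$($s.Name)' (DisplayName '$($s.DisplayName)') runs $($s.PathName)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Sdbot.worm!811a7027 indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "MATCH: $_" }
}
```

Run it from an elevated prompt so the registry and service queries succeed. On Windows Vista and later, Windows File Protection was replaced by Windows Resource Protection and the SFCDisable value has no effect, but its presence remains a useful indicator; a match on any of the three items should be followed by a scan with current engine and DAT files, as the Removal section advises.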

This worm contains a list of other services that it will attempt to terminate, including both malware and security-related applications:

  • i11r54n4.exe
  • Bagle.X
  • rate.exe
  • winsys.exe
  • Bagle.k
  • irun4.exe
  • Bagle.j
  • bbeagle.exe
  • Bagle.a
  • d3dupdate.exe
  • teekids.exe
  • W32.Blaster.C
  • Microsoft Inet Xp..
  • Penis32.exe
  • W32.Blaster.B
  • MSBLAST.exe
  • W32.Blaster
  • Bagle.v
  • PandaAVEngine.exe
  • Netsky.r
  • PandaAVEngine
  • taskmon.exe
  • Mydoom.h
  • TaskMon
  • mscvb32.exe
  • ssate.exe
  • Sobig.c
  • System MScvb
  • sysinfo.exe

Method of Infection

W32/Sdbot.worm!811a7027 scans for vulnerable machines on the network and uses various vulnerabilities to spread.

For more information on spreading and behavior of W32/Sdbot.worm variants, please see the following description:

http://vil.nai.com/vil/content/v_100454.htm

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed by cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

-- Update November 28, 2006 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.scmagazine.com/uk/news/article/606932/botnets-exploit-patched-symantec-stack-overflow-flaw/

--

W32/Sdbot.worm!811a7027 is a Themida-packed, IRC-controlled backdoor which provides an attacker with unauthorized remote access to the compromised computer. The attacker can take control of the compromised computer and use it to launch DDoS attacks against Internet systems.

There are multiple versions of the W32/Sdbot family of worms that use IRC (Internet Relay Chat) as a command and control mechanism. Such worms typically use exploits and weak passwords to spread to vulnerable machines on the network.

Aliases

  • Backdoor.Win32.SdBot.azz (Kaspersky)
  • Bck/IRCBot.AIW (AVP)
  • IRC/BackDoor.SdBot2.MIJ (Grisoft)
  • W32.Spybot.ACYR (NAV)
