W32/Sdbot.worm.gen.ax!EBBC416B

Content

W32/Sdbot.worm.gen.ax!EBBC416B

Type: Virus
SubType: Worm
Discovery Date: 03/12/2007
Length: Varies
Minimum DAT: 4982 (03/12/2007)
Updated DAT: 5861 (01/14/2010)
Minimum Engine: 4.4.00
Description Added: 03/12/2007
Description Modified: 01/14/2010 11:08 AM (PT)

Risk Assessment

Corporate User: Low
Home User: Low

Tab Navigation

Characteristics

This worm bears the following characteristics:

Propagates to machines with poorly secured network shares (weak username/password combinations) or accessible share (where local credentials are sufficient to write files to other systems)

Propagates to remote machines by attempting to copy itself to a number of shares

Provides a backdoor to the victim machine, thereby compromising data on that machine (significant remote access functionality is available to the hacker)

It uses the following exploit to propagate across vulnerable networks "Exploit.FTPD"

Exploit.FTPD attempts to exploit remote machines using a multitude of embedded exploits in order to propagate across a network. Upon a successful attack, it will report this back to its author on a predefined IRC server/channel.

Upon execution the worm copies itself to the following system location:

%WinDir%\wmssvc.exe

On execution, the worm deletes itself from its current location and copies itself in %Windir% as wmssvc.exe. It then registers itself as a service by creating the following registry key(s):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NET Service\

and has the following service characteristics:

ImagePath: ""%WirDir%\wmssvc.exe""
DisplayName: "NET Service"
Description: "Enables NET messages issued by Windows based programs and components. This service cannot be stopped."

The following registry entries have been added:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Windows File Protection
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile

The following registry entries have been modified:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Windows File Protection\SFCDisable

The above mentioned registry entry confirms that the malware binary modifies the registry entry to disable Windows File Protection.

Disables the following services:

Telnet
Security Center
Remote Registry
Messenger

This worm also lowers windows security settings by performing the following registry modifications:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify: 0x00000001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride: 0x00000001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride: 0x00000001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify: 0x00000001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify: 0x00000001

The above mentioned registry entries confirms that the malware disables the compromised user system Firewall, Anti Virus software installed, Automatic Windows updates.

The malware binary also prevents windows updates from installing Windows XP Service Pack 2 by using:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotAllowXPSP2: 0x00000001

Disables automatic creation of hidden shares on reboot using the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters\AutoShareWks: 0x00000000

Disables automatic updates using the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\AUOptions: 0x00000001

Actions that the worm may perform on receiving appropriate commands from the remote attacker include:

Enumerate active process and threads on infected computer :

Start, stop and hide processes and threads
Open a local web server
Port scan IP addresses in a specified subnet to identify possible targets for infection
Open backdoor at a specified port
Transfer files
Spread via MIRC
Update itself
Restart infected machine
Sniff network traffic
Create, delete and try to spread via network shares
Spread via AOL Instant Messenger

The malware binary also monitors user browser activity and steals login credentials and pin information if following strings are present in the browsed domain name, some of them are as follows:

sandbox.norman.com
norman.com
castlecops.com
castlecop
rootkit.com
WindowsLiveTranslator.com
download.com
walmart.com
amazon.com
redhat.com
debian.org
ubuntu.org
majorgeeks.com
gmail.com
hotmail.com
msdn.com
msn.com
mamboserver.com
php.org
php.net
mysql.com
softpedia.com
symantec.com
kaspersky
f-secure
norman
mcafee
afraid.org
paypal.com
ebay.com
110mb.com
livejournal.com
youtube.com
blogspot.com
nabble.com
myspace.com
dyndns.org
dyndns.com
unixtool.com
linuxrocket.net
secwatch.org
secunia.com
securityfocus.com
xfocus.com
sourceforge.net
orkut
wordpress.com
blog.com
blogger.com
overture.com
about.com
answers.com
altavista.com
msnscache.com
webcrawler.com
g.live.com
live.com

This worm contains a list of other services that it will attempt to terminate, including both malware and security-related applications:

TROJANTRAP3.EXE
OLLYDBG.EXE
LORDPE.EXE
AVP32.EXE
AUTOUPDATE.EXE
NORTON32.EXE
PANDA32.EXE
PROCEXP.EXE
REGMON.EXE
TCPMON.EXE
TCPVIEW.EXE
VMWARE-AUTHD.EXE
VMWARE.EXE
CTFMOM.EXE
WINCMD.EXE
NETLOGON.EXE
BLING.EXE
CRSSR.EXE
i11r54n4.exe
PandaAVEngine.exe
TaskMon
sysinfo.exe
Penis32.exe
Microsoft Inet Xp
winsys.exe

The malware binary try to steal the game passwords and send those information to the remote attacker, some of them are as follows:

Call of Duty 2
Quake 4
Neverwinter Nights (Hordes of the Underdark)
Neverwinter Nights (Shadows of Undrentide)
Shogun Total War
Battlefield Vietnam
Battlefield 1942
Battlefield 2142
Counter-Strike 1.6
Half-Life

Symptoms

Presence of above mentioned registry entries and files
Presence of above mentioned behavior.

Method of Infection

Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial. They may also be received as a result of poor security practices, or un-patched machines and vulnerable systems.

Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

N/A

All Information

Overview -

This malware binary is a IRC controlled backdoor, which provides an attacker with unauthorized remote access to the compromised computer. An attacker can gain control over the compromised computer and use it to launch a DDos attack on internet systems.

There are multiple versions of the W32/Sdbot family of worms that use IRC (Internet Relay Chat) as a command and control mechanism. Such worms typically use exploits and weak password to spread to vulnerable machines on the network.

File Information:

File Size - 188416 bytes
MD5 - EBBC416B11C568791EDB7DC1489D9479
SHA1 - 6EB79BC18001A29619E98FF2D66662AF5C7FD244

Aliases:

BitDefender - Trojan.Generic.2267731
Comodo - NetWorm.Win32.Kolabc.ae0
Kaspersky - Net-Worm.Win32.Kolabc.ae
Microsoft - Backdoor:Win32/Rbot.gen!G