W32/Sdbot.worm!3D1ACE0E

Type: Virus
SubType: Internet Worm
Discovery Date: 03/30/2008
Length: Varies
Minimum DAT: 5263 (03/31/2008)
Updated DAT: 5263 (03/31/2008)
Minimum Engine: 5.1.00
Description Added: 03/30/2008
Description Modified: 03/30/2008 10:24 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

W32/Sdbot.worm!3D1ACE0E connects to an IRC server and scans the local LAN on port 445 in an attempt to exploit other vulnerable machines.

The following possible URLs are accessed:

  • dave.own.ccpoweronline.us:2345 (84.244.11.26)
  • rusk.nswebhost.com:80
  • tap.tronko.net
  • serv-5-19-254.lycos-vds.com:2345 (84.244.19.254)
  • serv-5-19-183.lycos-vds.com:2345 (84.244.19.183)
  • tap.radioprishtina.net
  • x.blackcrew.us

The local LAN is scanned at 192.168.*.*:445.

The following sample filenames have been seen:

  • mmdmm.exe
  • mumie.exe

The following registry keys are modified:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Oftice: "%SYSTEM%\msmsgs.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Networking Monitoring: "%SYSTEM%\mdm.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\EnableDCOM
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous

The following files are dropped:

  • %SYSTEM%\msmsgs.exe
  • %SYSTEM%\mdm.exe

The following files are downloaded from:

  • http://66.29.25.194/[removed]/images/arr.jpg

and written to:

  • %WINDRIVE%\WINDOWS\rundll32.exe
  • %WINDRIVE%\lo.exe

The downloaded file is detected as Generic Startpage.w.

(where %SYSTEM% is the Windows system directory, e.g. C:\Windows\system32, and %WINDRIVE% is the Windows installation drive, e.g. C:)

Symptoms

  • Presence of previously mentioned files.
  • Presence of unexpected network connections to previously mentioned URLs.
  • Presence of previously mentioned registry keys.
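The two network symptoms above (an internal host sweeping 192.168.*.* on port 445, and connections to the listed remote hosts) can be turned into detection logic run over connection logs. The following is an added example written for this page; it is not McAfee code. The one-line-per-connection log format ("timestamp source destination port") and every log line are constructed for the example; the hostnames and IP addresses in the indicator set are the ones listed in the Characteristics section.

```python
"""Detect the network behaviour described for W32/Sdbot.worm!3D1ACE0E:
(1) an internal host contacting many distinct 192.168.x.x hosts on TCP 445
    in a short window (the LAN scan), and
(2) any connection to the remote hosts the sample is known to contact.

Log format (constructed assumption): "<ISO timestamp> <src_ip> <dst> <dport>"
"""
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime

# Indicators taken from the description: hostnames/IPs the sample contacts.
C2_HOSTS = {
    "dave.own.ccpoweronline.us", "84.244.11.26",
    "rusk.nswebhost.com",
    "tap.tronko.net",
    "serv-5-19-254.lycos-vds.com", "84.244.19.254",
    "serv-5-19-183.lycos-vds.com", "84.244.19.183",
    "tap.radioprishtina.net",
    "x.blackcrew.us",
    "66.29.25.194",          # host the downloaded payload is fetched from
}

# The description says the LAN is scanned at 192.168.*.*:445.
LAN = ipaddress.ip_network("192.168.0.0/16")
SMB_PORT = 445

# Constructed sample log. 192.168.1.30 is a normal workstation;
# 192.168.1.20 plays the infected host (C2 connection, 12-host sweep, download).
SAMPLE_LOG = [
    "2008-03-30T09:59:50 192.168.1.30 192.168.1.5 445",
    "2008-03-30T09:59:55 192.168.1.30 www.example.com 80",
    "2008-03-30T09:59:58 192.168.1.30 192.168.1.5 445",
    "2008-03-30T10:00:00 192.168.1.20 dave.own.ccpoweronline.us 2345",
] + [
    # sweep of 192.168.1.1 .. 192.168.1.12, one host per second (constructed)
    f"2008-03-30T10:00:{i:02d} 192.168.1.20 192.168.1.{i + 1} 445"
    for i in range(12)
] + [
    "2008-03-30T10:00:30 192.168.1.20 66.29.25.194 80",
]


def parse_line(line):
    """Split one log line into (timestamp, src, dst, port)."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def detect_smb_sweeps(lines, min_hosts=10, window_seconds=60):
    """Return {src_ip: peak_distinct_targets} for sources that reach at least
    min_hosts distinct 192.168.x.x addresses on port 445 within any window
    of window_seconds. Hostnames and non-LAN addresses are ignored."""
    events = defaultdict(list)
    for ts, src, dst, port in map(parse_line, lines):
        if port != SMB_PORT:
            continue
        try:
            if ipaddress.ip_address(dst) not in LAN:
                continue
        except ValueError:      # destination is a hostname, not a scan target
            continue
        events[src].append((ts, dst))

    hits = {}
    for src, evs in events.items():
        evs.sort()
        in_window = Counter()   # distinct destinations currently in the window
        left, peak = 0, 0
        for ts, dst in evs:
            in_window[dst] += 1
            # slide the left edge forward until the window fits
            while (ts - evs[left][0]).total_seconds() > window_seconds:
                old = evs[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_hosts:
            hits[src] = peak
    return hits


def match_c2_connections(lines):
    """Return (src, dst, port) for every connection to a listed indicator."""
    return [(src, dst, port) for _, src, dst, port in map(parse_line, lines)
            if dst.lower() in C2_HOSTS]


if __name__ == "__main__":
    for src, n in detect_smb_sweeps(SAMPLE_LOG).items():
        print(f"port-445 sweep from {src}: {n} distinct LAN hosts")
    for src, dst, port in match_c2_connections(SAMPLE_LOG):
        print(f"indicator match: {src} -> {dst}:{port}")
```

The sweep detector keys on the behaviour (many distinct 192.168.x.x targets on 445 from one source in a short window) rather than on the sample's hash, so it also surfaces other SMB-propagating bots; the indicator match is the narrower check for this specific sample's hosts and is only as good as the list remains current.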

Method of Infection

It may be downloaded and installed by other malware running as part of a botnet.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A
