WORM_SDBOT


 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Propagates via removable drives, Propagates via peer-to-peer networks, Propagates via network shares, Propagates via software vulnerabilities, Propagates via IRC, Downloaded from the Internet


The SDBOT family of worms have been around since 2004. It is known to spread by exploiting vulnerabilities, by dropping copies of itself in removable drives and network shares, and by being shared through peer-to-peer (P2P) networks.

This family is primarily geared towards downloading other files - a pay-per-install scheme known in the cybercrime economy. It downloads and installs files such as FAKEAV.

SDBOT's backdoor capabilities allows other commands and functions to be performed on the infected computer. These commands may include:

  • Check malware's status

  • Disconnect the bot from IRC

  • Generate a random nickname

  • Issue ping attacks

  • Make a bot join a channel

  • Perform SYN flood or DDOS attacks

  • Send a message to the IRC server

  • Stop and start a thread

  • Terminate the bot

  • Update copy

SDBOT stops running when it detects that is running on a test environment. It does this by checking the user name of the affected computer, or by checking if there are any applications running on the infected system that indicates it is being monitored or tested.

  TECHNICAL DETAILS

Memory Resident:

Yes

Payload:

Compromises system security, Terminates processes, Modifies HOSTS file

Installation

This worm drops the following file(s)/component(s):

  • %User Temp%\removeMe{4 numbers}.bat

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

It drops the following copies of itself into the affected system:

  • %Application Data%\dnsupdater.exe
  • %User Temp%\windump.exe
  • %Windows%\service.exe
  • %Windows%\test.exe
  • %Windows%\unek.exe
  • %Windows%\unek.exe
  • %Windows%\wintask.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.. %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
test = "test.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Terminal Server\
Install\Software\Microsoft\
Windows\CurrentVersion\Run
test = "test.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
MSN = "%Windows%\unek.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
SunJavaUpdateSched = "%Application Data%\dnsupdater.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Windows Services = "service.exe"

Other System Modifications

This worm adds the following registry entries as part of its installation routine:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
{malware path}\{malware name}.exe = "{malware path}\{malware name}.exe:*:Enabled:test"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
{malware path}\{malware name}.exe = "{malware path}\{malware name}.exe:*:Enabled:1"

Propagation

This worm creates the following folders in all removable drives:

  • RECYCLER
  • RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213
  • driver
  • driver\usb

It drops copies of itself into the following folders used in peer-to-peer (P2P) networks:

  • %Program Files%\bearshare\shared\
  • %Program Files%\edonkey2000\incoming\
  • %Program Files%\emule\incoming\
  • %Program Files%\grokster\my grokster\
  • %Program Files%\icq\shared folder\
  • %Program Files%\kazaa lite k++\my shared folder\
  • %Program Files%\kazaa lite\my shared folder\
  • %Program Files%\kazaa\my shared folder\
  • %Program Files%\limewire\shared\
  • %Program Files%\morpheus\my shared folder\
  • %Program Files%\tesla\files\
  • %Program Files%\winmx\shared\
  • {folder path}\bearshare\shared\
  • {folder path}\edonkey2000\incoming\
  • {folder path}\emule\incoming\
  • {folder path}\frostwire\saved\
  • {folder path}\frostwire\shared\
  • {folder path}\grokster\my grokster\
  • {folder path}\icq\shared folder\
  • {folder path}\kazaa lite k++\my shared folder\
  • {folder path}\kazaa lite\my shared folder\
  • {folder path}\kazaa\my shared folder\
  • {folder path}\kazaa\my sharedfolder\
  • {folder path}\limewire\saved\
  • {folder path}\limewire\shared\
  • {folder path}\morpheus\my shared folder\
  • {folder path}\my music\bearshare\
  • {folder path}\my music\imesh\
  • {folder path}\shareaza downloads\
  • {folder path}\tesla\files\
  • {folder path}\winmx\shared\

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files.)

It drops copies of itself in the following shared folders:

  • SharedDocs\porno_movie.mpeg.exe
  • ADMIN$\porno_movie.mpeg.exe
  • C$\porno_movie.mpeg.exe
  • D$\porno_movie.mpeg.exe
  • E$\porno_movie.mpeg.exe

Backdoor Routine

This worm connects to any of the following IRC server(s):

  • irc.{BLOCKED}e.com
  • unek.{BLOCKED}p3.com
  • Irc.{BLOCKED}z.Com
  • irc.{BLOCKED}ini.net