SDBOT
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
The SDBOT family of worms has been around since 2004. It is known to spread by exploiting vulnerabilities, by dropping copies of itself on removable drives and network shares, and by being shared over peer-to-peer (P2P) networks.
This family is primarily geared towards downloading other files, a pay-per-install scheme known in the cybercrime economy. It downloads and installs files such as FAKEAV.
SDBOT's backdoor capabilities allow other commands and functions to be performed on the infected computer. These commands may include:
- Check malware's status
- Disconnect the bot from IRC
- Generate a random nickname
- Issue ping attacks
- Make a bot join a channel
- Perform SYN flood or DDOS attacks
- Send a message to the IRC server
- Stop and start a thread
- Terminate the bot
- Update copy
SDBOT stops running when it detects that it is running in a test environment. It does this by checking the user name of the affected computer, or by checking whether any applications running on the infected system indicate that it is being monitored or tested.
TECHNICAL DETAILS
Installation
This worm drops the following file(s)/component(s):
- %User Temp%\removeMe{4 numbers}.bat
(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)
It drops the following copies of itself into the affected system:
- %Application Data%\dnsupdater.exe
- %User Temp%\windump.exe
- %Windows%\service.exe
- %Windows%\test.exe
- %Windows%\unek.exe
- %Windows%\wintask.exe
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003. %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
Autostart Technique
This worm adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
test = "test.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
test = "test.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSN = "%Windows%\unek.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
SunJavaUpdateSched = "%Application Data%\dnsupdater.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Services = "service.exe"
Other System Modifications
This worm adds the following registry entries as part of its installation routine:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
{malware path}\{malware name}.exe = "{malware path}\{malware name}.exe:*:Enabled:test"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
{malware path}\{malware name}.exe = "{malware path}\{malware name}.exe:*:Enabled:1"
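As an added example (not part of the original entry), a small Python routine that parses a registry export and flags the autostart values and Windows Firewall exceptions documented above; the .reg text it scans is constructed for the demonstration, and the legitimate VMware and Messenger entries are included only to show what is not flagged:

```python
import re
# Autostart value names and dropped-file names documented for this SDBOT variant.
SDBOT_RUN_VALUES = {"test", "MSN", "SunJavaUpdateSched", "Windows Services"}
SDBOT_DROP_NAMES = {"dnsupdater.exe", "windump.exe", "service.exe",
                    "test.exe", "unek.exe", "wintask.exe"}
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run$", re.IGNORECASE)
FW_LIST_RE = re.compile(r"\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List$", re.IGNORECASE)

def _unquote(s):
    # Strip the quotes of a .reg string value and collapse its escaped backslashes.
    return s.strip().strip('"').replace("\\\\", "\\")

def parse_reg_export(text):
    """Parse a .reg export (as written by regedit /e) into {key: {value name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"') and "=" in line:
            name, data = line.split("=", 1)       # only string (REG_SZ) values matter here
            keys[current][_unquote(name)] = _unquote(data)
    return keys

def find_sdbot_artifacts(reg):
    """Flag Run entries and firewall exceptions that match the documented SDBOT footprint."""
    findings = []
    for key, values in reg.items():
        if RUN_KEY_RE.search(key):
            for name, data in values.items():
                if name in SDBOT_RUN_VALUES or data.rsplit("\\", 1)[-1].lower() in SDBOT_DROP_NAMES:
                    findings.append(("autostart", key, name, data))
        elif FW_LIST_RE.search(key):
            for name, data in values.items():
                # SDBOT registers itself as "<path>:*:Enabled:test" or "<path>:*:Enabled:1"
                if name.rsplit("\\", 1)[-1].lower() in SDBOT_DROP_NAMES or data.endswith(":*:Enabled:test"):
                    findings.append(("firewall-exception", key, name, data))
    return findings

# Constructed sample export: three SDBOT entries mixed with two legitimate ones.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"test"="test.exe"
"MSN"="C:\\WINDOWS\\unek.exe"
"VMware Tools"="C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\\Documents and Settings\\user\\Local Settings\\Application Data\\dnsupdater.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\test.exe"="C:\\WINDOWS\\test.exe:*:Enabled:test"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"'''
```

Calling `find_sdbot_artifacts(parse_reg_export(SAMPLE_REG))` returns the three autostart entries and the one firewall exception; a real export of the Run keys and the AuthorizedApplications\List key can be fed to the same function.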
Propagation
This worm creates the following folders in all removable drives:
- RECYCLER
- RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213
- driver
- driver\usb
It drops copies of itself into the following folders used in peer-to-peer (P2P) networks:
- %Program Files%\bearshare\shared\
- %Program Files%\edonkey2000\incoming\
- %Program Files%\emule\incoming\
- %Program Files%\grokster\my grokster\
- %Program Files%\icq\shared folder\
- %Program Files%\kazaa lite k++\my shared folder\
- %Program Files%\kazaa lite\my shared folder\
- %Program Files%\kazaa\my shared folder\
- %Program Files%\limewire\shared\
- %Program Files%\morpheus\my shared folder\
- %Program Files%\tesla\files\
- %Program Files%\winmx\shared\
- {folder path}\bearshare\shared\
- {folder path}\edonkey2000\incoming\
- {folder path}\emule\incoming\
- {folder path}\frostwire\saved\
- {folder path}\frostwire\shared\
- {folder path}\grokster\my grokster\
- {folder path}\icq\shared folder\
- {folder path}\kazaa lite k++\my shared folder\
- {folder path}\kazaa lite\my shared folder\
- {folder path}\kazaa\my shared folder\
- {folder path}\kazaa\my sharedfolder\
- {folder path}\limewire\saved\
- {folder path}\limewire\shared\
- {folder path}\morpheus\my shared folder\
- {folder path}\my music\bearshare\
- {folder path}\my music\imesh\
- {folder path}\shareaza downloads\
- {folder path}\tesla\files\
- {folder path}\winmx\shared\
(Note: %Program Files% is the default Program Files folder, usually C:\Program Files.)
It drops copies of itself in the following shared folders:
- SharedDocs\porno_movie.mpeg.exe
- ADMIN$\porno_movie.mpeg.exe
- C$\porno_movie.mpeg.exe
- D$\porno_movie.mpeg.exe
- E$\porno_movie.mpeg.exe
Backdoor Routine
This worm connects to any of the following IRC server(s):
- irc.{BLOCKED}e.com
- unek.{BLOCKED}p3.com
- Irc.{BLOCKED}z.Com
- irc.{BLOCKED}ini.net
NOTES:
This worm drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
The folder path mentioned above is obtained by checking the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
%Program Files% = "{folder path}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Personal = "{folder path}"
It uses the following file names for the copies it drops in the folders mentioned above:
- 3delite MP3 Stream Editor v3 4 4 1980 WinALL.exe
- AOL Hacker 2009.exe
- Adobe Dreamweaver CS4 Keygen.exe
- Adobe Keygen.exe
- Adobe Photoshop CS3 Keygen.exe
- Adobe Photoshop CS3 patch.exe
- Adobe Photoshop CS4 Extended + Keygen + Activation.exe
- Adobe Photoshop CS4 KeyGen.exe
- Adobe Photoshop CS5 KeyGen.exe
- Adobe Photoshop Keygen.exe
- Atomix Virtual DJ v6.0.2 FINAL Professional.exe
- Autocad 2008 Crack.exe
- Autocad 2009 Crack.exe
- Autocad 2010 Crack.exe
- Autodesk 2010 Crack.exe
- Autoloader.exe
- Autorun Virus Remover v2 3 1022-Lz0.exe
- Avast AntivirusKeygen.exe
- Avira Antivirus 2010 Keygen.exe
- Avira Internet Security 2010 Keygen.exe
- Babylon 8 - Instant translation tool.exe
- Bebo/Myspace/Facebook Password Stealer.exe
- Best Movie 010.exe
- Borderlands Proper-Razor1911.exe
- Call Of Duty Modern Warfare 2 working multiplayer patch by team eloaded.exe
- Cisco VPN Keygen.exe
- CleanMyPC Registry Cleaner v4 02-TE.exe
- Counter Strike 1.7 rack.exe
- Counter Strike Source Crack.exe
- Counter-Strike KeyGen.exe
- Counter-Strike Source KeyGen.exe
- DCOM Exploit.exe
- DDOSPING.exe
- Dark DDoS Tool.exe
- DeadSpace KeyGen.exe
- DesktopCalendar.exe
- DiceRoller2 0.exe
- Diskeeper 2010 Pro Premier v14 0 900.exe
- Diskeeper 2010 Pro Premier v14 0 900t Final.exe
- DivX Pro + KeyGen.exe
- DivX Pro KeyGen.exe
- Dr Web AntiVirus v5 0 10 11260 R-EAT.exe
- Driver Genius Professional 2009 9.0.0 Build 186.exe
- Ebooks.exe
- Error Repair Professional 4 1 3 AT4RE DM999.exe
- FREEPORN.exe
- Garmin mobile xt keygen.exe
- Half-Life 2 WORKS-ON-STEAM.exe
- Hotmail Cracker.exe
- Hotmail Hacker.exe
- HotmailHacker.exe
- How-to-make-money.exe
- Kaspersky 2010 Full Suite Keygen.exe
- Kaspersky Antivirus 2011 Keygen.exe
- Kaspersky Antivirus Keygen.exe
- Kaspersky Crack.exe
- Kaspersky Internet Security 2011 Keygen.exe
- Kaspersky Internet Security Keygen.exe
- Keylogger.exe
- L0pht 4.0 Windows Password Cracker.exe
- Left4Dead-STEAM-Online-Crack-WORKS-DECEMBER08.exe
- LimeWire Pro.exe
- LimeWire.Pro.v5.4.6.1.Multilingual.Retail-ZWT.exe
- LimeWireCrack.exe
- Limewire PRO Final Edition.exe
- Limewire Pro Downloader.exe
- Limewire Speed Patch
- Loaris Trojan Remover 1.2.0 Patch.exe
- MS Office 2007 Activation KeyGen.exe
- MSN Keylogger.exe
- MSN Password Cracker.exe
- MSN Password Stealer.exe
- MSN Spammer/Nudger.exe
- MSNHacks.exe
- Magic Video Converter Keygen.exe
- Microsof Office 2010 keygen.exe
- Microsoft AutoCollage 2008.exe
- Microsoft Office 2010 Enterprise Corporate Edition.exe
- Microsoft Office Accounting Professional 2009.exe
- Microsoft Office Professional Plus x32 x64 2010.exe
- Microsoft Visual Basic 2008 KeyGen.exe
- Microsoft Visual Basic 6 KeyGen.exe
- Microsoft Visual Basic KeyGen.exe
- Microsoft Visual C++ 2008 KeyGen.exe
- Microsoft Visual C++ 6 KeyGen.exe
- Microsoft Visual C++ KeyGen.exe
- Microsoft Visual Studio 2008 KeyGen.exe
- Microsoft Visual Studio 6 KeyGen.exe
- Microsoft Visual Studio KeyGen.exe
- Microsoft Windows Home Server 2010 Build 7360.exe
- Miscrosoft Office Ultimate 2007.exe
- Movie Maker Keygen.exe
- Myspace Attack.exe
- Myspace Cracker.exe
- MyspaceBruteforce.exe
- NBA k11 Crack.exe
- NetBIOS Cracker.exe
- NetBIOS Hacker.exe
- Nod32 Antivirus Keygen.exe
- Nod32 Internet Security Keygen.exe
- Norton Anti-Virus 2010 Enterprise Keygen.exe
- Norton AntiVirus ALL VERSIONS Crack.exe
- Norton Internet Security 2010 Keygen.exe
- Partition Magic 8 Full package.exe
- PhotoShop Keygen.exe
- Photoshop CS5 Crack.exe.Adobe Photoshop Crack.exe
- Porn 2010.exe
- Porno.MPEG.exe
- Pro Evolution Soccer 2010 Crack.exe
- Pro Evolution Soccer 2011 Crack.exe
- Project 7 Private 4.8.exe
- RARPassword Recovery Magic v6 1 1 172-BEAN.exe
- RapidsharePREMIUM.exe
- Recover Keys v3 0 3 7-MAZE.exe
- Registry Cleaner Keygen.exe
- RuneScape 2009 - Newest Exploits.exe
- RuneScape 2010 - Newest Exploits.exe
- RuneScape Cracker.exe
- RuneScape Gold Exploit.exe
- SAMP GTA MultiPlayer.exe
- ScreenCapture.exe
- ScreenMelter.exe
- Setup OneCare for Windows 7.exe
- Sony Vegas Pro 9.0 Full.exe
- Spore Crack.exe
- Spore Full Patcher.exe
- Steam Account Stealer.exe
- Steam Crack.exe
- Steam KeyGen.exe
- Sub7 2.3 Private.exe
- Tcpip Patch.exe
- Trojan Killer 2.0.6.4 Patch.exe
- TuneUp 2010 Keygen.exe
- Uniture Memory Booster v6 1 0 5158-MESMERiZE.exe
- Virus Generator.exe
- Virus Maker.exe
- VistaUltimate-Crack.exe
- WOW Account Cracker.exe
- Web Dumper 3.1.1 Keygen.exe
- Website X5 Designer v7.7 WYSIWYG Website Creator.exe
- WildHorneyTeens.scr
- WinRAR 3.92 Final.exe
- WinRAR-3 91 Full + Keymaker.exe
- WinZip PRO v12.1 + Serials.exe
- Windows 2008 Server KeyGen.exe
- Windows 2009 Server working KeyGen by TeaM Reloaded.exe
- Windows 7 Keygen.exe
- Windows 7 Toolkit v1.8 activations+full suite.exe
- Windows Password Cracker.exe
- Windows Seven Keygen.exe
- Windows Vista Keygen.exe
- Windows XP Keygen.exe
- Windows XP Media Center Keygen.exe
- Windows XP Validator Crack.exe
- Wireshark.exe
- Xilisoft 3GP Video Converter v5 1 26 1231 Key.exe
- Xilisoft AVI MPEG Converter v5 1 26 1030 Keyg.exe
- Xilisoft AVI MPEG Joiner v1 0 34 1012 Keygen.exe
- Xilisoft Apple TV Video Converter v5 1 26 1030 Inc.exe
- Xilisoft BlackberryRingtone Maker v1 0 12 1204.exe
- Xilisoft Blu Ray Ripper v5 2 4 0108 Keygen.exe
- Xilisoft Burn Pro v1 0 64 0112 Keygen.exe
- Xilisoft CD Ripper v1 0 47 0904 Keygen.exe
- YIM Acker 2008.exe
- YIM HAcker 2009.exe
- YahooCracker.exe
- Yamicsoft Windows 7 Manager v1 1 8 x64.exe
- YouTube Downloader all Access.exe
- Young boy nude.scr
- Young girl and boy sex.scr
- Young girl nude.scr
- Young girl nude.scr teen sex.scr
- Youtube Account Cracker.exe
- cute dogs screensaver.exe
- facebook for dummies.exe
- fuckshitcunt.scr
- headjobs.scr
- ilovetofuck.scr
- image.scr
- kaspersky license key 2010.exe
- office 2007 activation.exe
- older man and young boy.scr
- paris-hilton.scr
- paypal hack 2010.exe
- porno.scr
- redsn0w-win 0 8.exe
- screensaver.scr
- sdbot with NetBIOS Spread.exe
- teen sex.scr
- young girl first time.scr
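As an added example (not part of the original entry), a Python scan for the propagation artifacts described above: the RECYCLER and driver\usb folders created on removable drives, the AUTORUN.INF trigger, the porno_movie.mpeg.exe share copy, and executables carrying keygen/crack-style lure names. The fake drive it builds in a temporary directory is constructed for the demonstration, and the lure-word pattern is an assumption distilled from the file names listed above:

```python
import os
import re
import tempfile

# Drive-relative folders, share-copy name and lure-name patterns taken from the entry above.
SDBOT_DIRS = [os.path.join("RECYCLER", "S-1-6-21-2434476501-1644491937-600003330-1213"),
              os.path.join("driver", "usb")]
SHARE_COPY = "porno_movie.mpeg.exe"
DOUBLE_EXT_RE = re.compile(r"\.(mpeg|mpg|avi|jpg)\.(exe|scr)$", re.IGNORECASE)
LURE_WORD_RE = re.compile(r"keygen|crack|hack|stealer|exploit|keylogger", re.IGNORECASE)

def scan_drive(root):
    """Return sorted (kind, drive-relative path) pairs for SDBOT propagation artifacts."""
    hits = []
    for rel in SDBOT_DIRS:                                  # drop folders on removable drives
        if os.path.isdir(os.path.join(root, rel)):
            hits.append(("sdbot-folder", rel))
    if os.path.isfile(os.path.join(root, "autorun.inf")):   # auto-execution trigger
        hits.append(("autorun", "autorun.inf"))
    for dirpath, _, files in os.walk(root):
        for name in files:
            rel, low = os.path.relpath(os.path.join(dirpath, name), root), name.lower()
            if low == SHARE_COPY or DOUBLE_EXT_RE.search(low):
                hits.append(("double-extension", rel))      # media name hiding an executable
            elif low.endswith((".exe", ".scr")) and LURE_WORD_RE.search(low):
                hits.append(("lure-name", rel))             # keygen/crack style P2P bait
    return sorted(hits)

def build_sample_drive():
    """Constructed sample: a fake removable drive holding SDBOT artifacts next to benign files."""
    root = tempfile.mkdtemp(prefix="sdbot_demo_")
    for rel in SDBOT_DIRS:
        os.makedirs(os.path.join(root, rel))
    files = {
        "autorun.inf": "[autorun]\n",                       # placeholder body, not the real one
        os.path.join("SharedDocs", SHARE_COPY): "MZ",
        os.path.join("limewire", "shared", "Adobe Photoshop CS4 KeyGen.exe"): "MZ",
        os.path.join("photos", "holiday.jpg"): "JFIF",
        os.path.join("photos", "setup.exe"): "MZ",
    }
    for rel, content in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(content)
    return root

if __name__ == "__main__":
    for kind, path in scan_drive(build_sample_drive()):
        print(f"{kind:16} {path}")
```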