WORM_SDBOT.SPS

This worm arrives via peer-to-peer (P2P) shares. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This worm arrives via peer-to-peer (P2P) shares.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following copies of itself into the affected system:

• %Windows%\test.exe

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• SystemUtil

It injects itself into the following processes as part of its memory residency routine:

• TASKMGR.EXE

It terminates itself if it finds the following processes in the affected system's memory:

• zlclient.exe

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
test = "test.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Terminal Server\
Install\Software\Microsoft\
Windows\CurrentVersion\Run
test = "test.exe"

Other System Modifications

This worm creates the following registry entry(ies) to bypass Windows Firewall:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
{malware path}\{malware name}.exe = "{malware path}\{malware name}.exe:*:Enabled:test"

Backdoor Routine

This worm connects to any of the following IRC server(s):

• irc.{BLOCKED}e.com

NOTES:

This worm drops copies of itself in the following folders used in peer-to-peer networks:

• {folder path}\kazaa\my shared folder\
• {folder path}\kazaa lite\my shared folder\
• {folder path}\kazaa lite k++\my shared folder\
• {folder path}\icq\shared folder\
• {folder path}\grokster\my grokster\
• {folder path}\bearshare\shared\
• {folder path}\edonkey2000\incoming\
• {folder path}\emule\incoming\
• {folder path}\morpheus\my shared folder\
• {folder path}\limewire\shared\
• {folder path}\tesla\files\
• {folder path}\winmx\shared\

The folder path mentioned above is obtained by checking the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
%Program Files% = "{folder path}"

It uses the following file names for the copies it drops in the folders mentioned above:

• Bebo/Myspace/Facebook Password Stealer.exe
• Counter Strike Source Crack.exe
• Dark DDoS Tool.exe
• DCOM Exploit.exe
• DivX Pro + KeyGen.exe
• Hotmail Cracker.exe
• Hotmail Hacker.exe
• Kaspersky Crack.exe
• Keylogger.exe
• L0pht 4.0 Windows Password Cracker.exe
• Limewire PRO Final Edition.exe
• Microsoft Visual Basic KeyGen.exe
• Microsoft Visual C++ KeyGen.exe
• Microsoft Visual Studio KeyGen.exe
• MSN Keylogger.exe
• MSN Password Cracker.exe
• MSN Password Stealer.exe
• MSN Spammer/Nudger.exe
• NetBIOS Cracker.exe
• NetBIOS Hacker.exe
• Norton AntiVirus ALL VERSIONS Crack.exe
• older man and young boy.scr
• SAMP GTA MultiPlayer.exe
• sdbot with NetBIOS Spread.exe
• Spore Crack.exe
• Spore Full Patcher.exe
• Steam Crack.exe
• Steam KeyGen.exe
• Sub7 2.3 Private.exe
• teen sex.scr
• Windows Password Cracker.exe
• Windows XP Validator Crack.exe
• Young boy nude.scr
• Young girl and boy sex.scr
• young girl first time.scr
• Young girl nude.scr
• Youtube Account Cracker.exe

This worm terminates itself if the user name of the currently logged on user is any of the following:

• currentuser
• honey
• sandbox
• vmware