W32/Sdbot.worm

This page shows details and results of our analysis on the malware W32/Sdbot.worm

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Minimum DAT: 4258 (2003-04-16)

Updated DAT: 6601 (2012-01-26)

Minimum Engine: 5.1.00

File Length: Varies

Description Added: 2003-07-01

Description Modified: 2009-03-24


Characteristics

-- Update March 24, 2009 --

A new variant was seen today (detected as W32/Sdbot.worm.gen.t). This variant drops the following file in the c:\windows\system folder:

  • msddll.exe

It creates services that point to this file. The following are the registry keys.

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msddll
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msddll

The worm attempts to spread by scanning the subnet over port 445 looking for vulnerable hosts.

Network connections to the following domain were observed:

  • ak3jad.com

-- Update February 2, 2005 --
These SDBot names vary considerably, but regularly try to look similar to other legitimate Windows executable names, so that a user viewing the Task Manager might assume that the names listed are valid.

Some example filenames (but not all) seen by AVERT include:

amdpatchB.exe
cmst32.exe
hcgnwlmqge.exe
hjkds.exe
hlcbome.exe
iexplore.exe
jxsrwb.exe
kveuto.exe
ms.exe
msgfix.exe
msgfix1.exe
msmon32.exe
msmon32b.exe
msnmssgs.exe
mstasks.exe
nav32.exe
ns32.exe
rssdd.exe
spool.exe
spoolserv.exe
spoolsvc.exe
svchosst.exe
svcnet.exe
svhosint32.exe
syntwin32.exe
system.exe
system03.exe
Systmesy.exe
taskmngr.exe
unreal.exe
wc.exe
WindowsSys32.exe
WINL0G0N.exe
winudap.exe
winumc.exe
winupdate32.exe
wsndlg32.exe
wuamagrd.exe
wuamgrd.exe
wuamgrd2.exe
wuamgrdk.exe
wvsvc.exe

-- Update August 11, 2004 --
There are now over 4000 variants of this threat, many of which were proactively detected, and this number continues to grow at a rapid rate. 

AVERT is constantly enhancing generic detection for this family. To ensure you have appropriate protection please do use the latest DATs, latest engine and do not disable scanning of packed executable files.

-- Update April 6, 2004 --
There are now over 700 variants of this trojan-turned-worm. Multiple new variants are discovered each week. They vary in file size and name.

This detection is for worms that are based on the IRC-Sdbot trojan code. The source code for the IRC-Sdbot trojan was published on the Internet some time ago, and a number of worms are based on the same code. The following detections exist for such worms:

  • W32/Sdbot.worm
  • W32/Sdbot.worm.gen
  • W32/Sdbot.worm.gen.b

Due to their origins, such worms are often proactively detected as IRC-Sdbot with the 4258+ DAT files. Users are recommended to ensure the scanning of compressed files is enabled to maximise proactive detection.

These worms typically spread via network shares and create a remote access point for attackers to exploit.

Some variants can take advantage of the following vulnerabilities:

  • DCOM RPC vulnerability (MS03-026)
  • WEBDAV vulnerability (MS03-007)
  • LSASS vulnerability (MS04-011)
  • ASN.1 vulnerability (MS04-007)
  • Workstation Service vulnerability (MS03-049)
  • PNP vulnerability (MS05-039)
  • Imail IMAPD LOGIN username vulnerability
  • Cisco IOS HTTP Authorization Vulnerability

There are some variants which use a combination of the above vulnerabilities during their attack on the system.

The description below is specific to one such worm, but the characteristics are typical for many other variants. (Exact filename and Registry key names may change of course.)

When run, it copies itself to the WINDOWS SYSTEM (%SysDir%) directory and creates two registry run keys to load the worm at system startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Services Host" = scchost.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "Services Host" = scchost.exe

Network Propagation

The worm's file share propagation relies on target systems being accessible for one of two reasons:
1. Poor security on target systems
2. The credentials of the user logged on to an infected system are sufficient to access other systems on the network

The worm scans random IP subnets for machines present on the network. Once a system is found, the worm tries to connect to the 'C$' and/or 'C' shares on that machine. The following accounts are used for the connection (with no passwords):

  • Administrator
  • Owner
  • Guest

NOTE: The virus assumes the privileges of the currently authenticated user. If a blank password is insufficient on the target system, the current credentials could be sufficient to gain access on a remote system.

Some variants also try additional administrative shares such as D$, E$, IPC$, Print$ and Admin$, and contain within them a list of common usernames/passwords to use to gain access to password-protected shares.

If successful, the worm will copy itself onto that share in one of the following locations (i.e. the Windows Startup folder):

  • C:\WINNT\Profiles\All Users\Start Menu\Programs\Startup
  • C:\WINDOWS\Start Menu\Programs\Startup
  • C:\Documents and Settings\All Users\Start Menu\Programs\Startup
  • \WINNT\Profiles\All Users\Start Menu\Programs\Startup
  • \WINDOWS\Start Menu\Programs\Startup
  • \Documents and Settings\All Users\Start Menu\Programs\Startup

Finally, the worm attempts to execute the copied file by calling the NetScheduleJobAdd function.

Remote Access Trojan

The worm connects to an IRC channel and server and waits for instructions. A remote attacker can use the trojan to perform various tasks:

  • Gather system information (CPU, Drive Space, RAM, OS Version, User name, Computer name, IP Address)
  • Run IRC commands (Join channels, send messages)
  • SYN Flood others
  • Kill processes
  • Download files
  • Execute files

Symptoms

The worm disables default admin shares (such as C$, D$, and Admin$) on WinNT/2K/XP systems by setting two registry key values:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters "AutoShareServer" = DWORD:0
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters "AutoShareWks" = DWORD:0

A registry key is set to disable the enumeration of shares during a null session:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa "restrictanonymous" = DWORD:1
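The registry values above, together with the "Services Host" run keys and the msddll service keys named earlier in this description, can be checked offline against a regedit export. The following triage script is an added example (not McAfee's tooling and not part of this description); the .reg sample it parses is constructed to reproduce the values quoted here, and the "strong"/"weak" ratings are the example's own assumption.

```python
import re

# Registry indicators quoted in this description (paths compared case-insensitively).
RUN_KEYS = (r"hkey_local_machine\software\microsoft\windows\currentversion\run",
            r"hkey_local_machine\software\microsoft\windows\currentversion\runservices")
SERVICE_KEYS = (r"hkey_local_machine\system\controlset001\services\msddll",
                r"hkey_local_machine\system\currentcontrolset\services\msddll")
LANMAN = r"hkey_local_machine\system\currentcontrolset\services\lanmanserver\parameters"
LSA = r"hkey_local_machine\system\currentcontrolset\control\lsa"
VALUE_RE = re.compile(r'"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')

def parse_reg_export(text):
    """Parse .reg text (decoded from regedit's UTF-16) into {key_lower: {name_lower: value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:
                name, s, d = m.groups()
                keys[current][name.lower()] = s if d is None else int(d, 16)   # dword -> int
    return keys

def sdbot_findings(keys):
    """(severity, detail) pairs; share/null-session values are also legitimate hardening, hence 'weak'."""
    out = []
    for k in RUN_KEYS:
        if "scchost.exe" in str(keys.get(k, {}).get("services host", "")).lower():
            out.append(("strong", f"{k} 'Services Host' -> scchost.exe"))
    out += [("strong", f"service key present: {k}") for k in SERVICE_KEYS if k in keys]
    lan = keys.get(LANMAN, {})
    out += [("weak", f"{n} = 0 (admin shares disabled)") for n in ("autoshareserver", "autosharewks") if lan.get(n) == 0]
    if keys.get(LSA, {}).get("restrictanonymous") == 1:
        out.append(("weak", "restrictanonymous = 1 (null-session share enumeration blocked)"))
    return out

# Constructed sample export reproducing the values named in this description.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Services Host"="scchost.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareServer"=dword:00000000
"AutoShareWks"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001
"""
```

Run `sdbot_findings(parse_reg_export(text))` on a real export; a "strong" hit warrants a DAT scan of the host, while "weak" hits on their own may simply reflect an administrator's hardening.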
An indication of infection is outbound IP traffic to the server IRC.DOTBLUE.ORG on TCP port 6667.
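The outbound IRC traffic noted above and the port 445 subnet sweep described in the March 2009 update are both visible in connection logs. The following detection logic is an added example (not McAfee's code); its log format, the constructed sample records and the fan-out threshold of eight distinct hosts are assumptions.

```python
import re
from collections import defaultdict

# Network indicators quoted in this description.
C2_HOSTS = {"irc.dotblue.org", "ak3jad.com"}   # IRC C2 server and the March 2009 variant's domain
IRC_PORT, SMB_PORT = 6667, 445
SCAN_FANOUT = 8   # assumed threshold: distinct hosts hit on 445 by one source before it counts as a sweep
LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")

def parse(line):
    """Return (src, dst, dport) from a constructed 'src=.. dst=.. dport=..' record, or None."""
    m = LINE_RE.search(line)
    return (m.group(1), m.group(2), int(m.group(3))) if m else None

def analyse(lines, fanout=SCAN_FANOUT):
    """Flag sources sweeping port 445 and any connection to port 6667 or a known C2 host."""
    smb_targets, c2 = defaultdict(set), []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        src, dst, port = rec
        if port == SMB_PORT:
            smb_targets[src].add(dst)
        if port == IRC_PORT or dst.lower() in C2_HOSTS:
            c2.append(rec)
    scanners = sorted(s for s, targets in smb_targets.items() if len(targets) >= fanout)
    return {"scanners": scanners, "c2": c2}

# Constructed sample: 10.0.0.5 sweeps its /24 on 445 and then beacons to the IRC server;
# 10.0.0.9 is an ordinary client talking to one file server and must not be flagged.
SAMPLE = [f"2009-03-24 10:00:{i:02d} src=10.0.0.5 dst=10.0.0.{i} dport=445" for i in range(10, 30)]
SAMPLE += ["2009-03-24 10:01:00 src=10.0.0.5 dst=irc.dotblue.org dport=6667",
           "2009-03-24 10:01:05 src=10.0.0.9 dst=10.0.0.2 dport=445",
           "2009-03-24 10:01:06 src=10.0.0.9 dst=10.0.0.2 dport=445"]

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

Port 6667 alone is also used by legitimate IRC clients and vulnerability scanners will trip the 445 fan-out, so treat hits as triage leads and allowlist known scanners.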

Method of Infection

The exact method of propagation will vary between variants. However, the following characteristics are typical:

Share Propagation

The worm propagates via accessible or poorly-secured network shares, and some variants are intended to take advantage of high profile exploits. It attempts to spread through default administrative shares, for example:

  • PRINT$
  • E$
  • D$
  • C$
  • ADMIN$
  • IPC$

Some variants also carry a list of poor username/password combinations to gain access to these shares.

Weak Passwords and Configurations

Several variants are known to probe MS SQL servers for weak administrator passwords and configurations. When successful, the virus could execute remote system commands via the SQL server access.

Removal

All Users:
Use specified engine and DAT files for detection and removal of virus and trojan files related to this threat.

Many share jumping viruses rely on weak usernames/passwords. They attempt to gain administrative rights by using a dictionary-style attack, trying usernames like "admin" or "administrator" and passwords like "admin" or "123456". Beyond such weak usernames/passwords, many can use the credentials of the local user, meaning that if a super-administrator or domain admin logs on to an infected system or becomes infected, the virus will have access to all systems within its "reach". Such worms often rely on the presence of default admin shares. It is a good idea to remove the administrative shares (C$, IPC$, ADMIN$) on all systems to prevent such spreading. A simple batch file containing the following commands may be of help, especially when run from a logon script, or placed in the startup folder.

  • net share c$ /delete
  • net share d$ /delete
  • net share e$ /delete
  • net share ipc$ /delete
  • net share admin$ /delete

Additional Windows ME/XP removal considerations

Variants