This malware binary is a IRC controlled backdoor, which provides an attacker with unauthorized remote access to the compromised computer. An attacker can gain control over the compromised computer and use it to launch a DDos attack on internet systems.
There are multiple versions of the W32/Sdbot family of worms that use IRC (Internet Relay Chat) as a command and control mechanism. Such worms typically use exploits and weak password to spread to vulnerable machines on the network.
This worm bears the following characteristics:
Propagates to machines with poorly secured network shares (weak username/password combinations) or accessible share (where local credentials are sufficient to write files to other systems)
Propagates to remote machines by attempting to copy itself to a number of shares
Provides a backdoor to the victim machine, thereby compromising data on that machine (significant remote access functionality is available to the hacker)
It uses the following exploit to propagate across vulnerable networks "Exploit.FTPD"
Exploit.FTPD attempts to exploit remote machines using a multitude of embedded exploits in order to propagate across a network. Upon a successful attack, it will report this back to its author on a predefined IRC server/channel.
Upon execution the worm copies itself to the following system location:
On execution, the worm deletes itself from its current location and copies itself in %Windir% as wmssvc.exe. It then registers itself as a service by creating the following registry key(s):
and has the following service characteristics:
The following registry entries have been added:
The following registry entries have been modified:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Windows File Protection\SFCDisable
The above mentioned registry entry confirms that the malware binary modifies the registry entry to disable Windows File Protection.
Disables the following services:
This worm also lowers windows security settings by performing the following registry modifications:
The above mentioned registry entries confirms that the malware disables the compromised user system Firewall, Anti Virus software installed, Automatic Windows updates.
The malware binary also prevents windows updates from installing Windows XP Service Pack 2 by using:
Disables automatic creation of hidden shares on reboot using the following registry entry:
Disables automatic updates using the following registry entry:
Actions that the worm may perform on receiving appropriate commands from the remote attacker include:
Enumerate active process and threads on infected computer :
The malware binary also monitors user browser activity and steals login credentials and pin information if following strings are present in the browsed domain name, some of them are as follows:
This worm contains a list of other services that it will attempt to terminate, including both malware and security-related applications:
The malware binary try to steal the game passwords and send those information to the remote attacker, some of them are as follows:
Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial. They may also be received as a result of poor security practices, or un-patched machines and vulnerable systems.
Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc.