W32/Sdbot.worm.gen.ax!EBBC416B

This page shows the details and results of our analysis of the malware W32/Sdbot.worm.gen.ax!EBBC416B.

Overview

This malware binary is an IRC-controlled backdoor, which provides an attacker with unauthorized remote access to the compromised computer. An attacker can gain control over the compromised computer and use it to launch DDoS attacks against Internet systems.

There are multiple versions of the W32/Sdbot family of worms that use IRC (Internet Relay Chat) as a command and control mechanism. Such worms typically use exploits and weak passwords to spread to vulnerable machines on the network.

File Information:

  • File Size - 188416 bytes
  • MD5 - EBBC416B11C568791EDB7DC1489D9479
  • SHA1 - 6EB79BC18001A29619E98FF2D66662AF5C7FD244

Aliases:

  • BitDefender - Trojan.Generic.2267731
  • Comodo - NetWorm.Win32.Kolabc.ae0
  • Kaspersky - Net-Worm.Win32.Kolabc.ae
  • Microsoft - Backdoor:Win32/Rbot.gen!G


Minimum Engine: 5600.1067
File Length: Varies (family-wide; the analyzed sample is 188416 bytes)
Description Added: 2007-03-12
Description Modified: 2010-01-14

Characteristics

This worm bears the following characteristics:

  • Propagates to machines with poorly secured network shares (weak username/password combinations) or accessible shares (where the local credentials are sufficient to write files to other systems)
  • Propagates to remote machines by attempting to copy itself to a number of shares
  • Provides a backdoor to the victim machine, thereby compromising data on that machine (significant remote access functionality is available to the attacker)
  • Uses the exploit detected as "Exploit.FTPD" to propagate across vulnerable networks

Exploit.FTPD attempts to compromise remote machines using a multitude of embedded exploits in order to propagate across a network. Upon a successful attack, it reports back to its author on a predefined IRC server/channel.

Upon execution the worm deletes itself from its current location and copies itself to the following system location:

  • %WinDir%\wmssvc.exe

It then registers that copy as a service by creating the following registry key:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NET Service\

with the following service characteristics:

  • ImagePath: "%WinDir%\wmssvc.exe"
  • DisplayName: "NET Service"
  • Description: "Enables NET messages issued by Windows based programs and components. This service cannot be stopped."

The display name and description are chosen to resemble a legitimate Windows component so that the entry is less likely to be questioned.

The following registry entries have been added:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Windows File Protection
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile

The following registry entry has been modified:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Windows File Protection\SFCDisable

Changing SFCDisable under this policy key turns off Windows File Protection, so protected system files can be replaced without Windows restoring them.

Disables the following services:

  • Telnet
  • Security Center
  • Remote Registry
  • Messenger

This worm also lowers Windows security settings by performing the following registry modifications:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify: 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride: 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride: 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify: 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify: 0x00000001

These Security Center values suppress the Windows Security Center notifications about the state of the firewall, the installed antivirus software and Automatic Updates, and override its status checks, so the user is not warned when those protections are turned off.

The malware binary also prevents Windows Update from installing Windows XP Service Pack 2 by setting:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotAllowXPSP2: 0x00000001

Disables automatic creation of the administrative (hidden) shares on reboot using the following registry entry (note that Windows reads AutoShareWks from Services\lanmanserver\parameters; the value is recorded here under lanmanworkstation, so it may not have the intended effect):

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters\AutoShareWks: 0x00000000

Disables Automatic Updates (AUOptions = 1 corresponds to "Keep my computer up to date" turned off) using the following registry entry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\AUOptions: 0x00000001
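As an added triage aid (this script is not part of the original description and is not McAfee's tooling), the following PowerShell checks a Windows host, read-only, for the file, service and registry indicators listed above. The function name Invoke-SdbotTriage is an arbitrary choice, and the service short names used in step 4 (TlntSvr, wscsvc, RemoteRegistry, Messenger) are the standard Windows XP-era names for the four services the worm disables, supplied here as an assumption rather than taken from the page.

```powershell
# Added example: read-only triage for the indicators documented on this page.
# Not part of the original description. Run from an elevated PowerShell prompt.
# Function and variable names are arbitrary choices for this example.

function Invoke-SdbotTriage {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Dropped copy: %WinDir%\wmssvc.exe, compared against the hashes listed
    #    under File Information. A hash mismatch still matters: it may be a variant.
    $dropPath = Join-Path $env:WinDir 'wmssvc.exe'
    if (Test-Path -LiteralPath $dropPath) {
        $md5  = (Get-FileHash -LiteralPath $dropPath -Algorithm MD5).Hash
        $sha1 = (Get-FileHash -LiteralPath $dropPath -Algorithm SHA1).Hash
        if ($md5 -eq 'EBBC416B11C568791EDB7DC1489D9479' -and
            $sha1 -eq '6EB79BC18001A29619E98FF2D66662AF5C7FD244') {
            $findings.Add("$dropPath matches the documented sample hashes")
        } else {
            $findings.Add("$dropPath present, hashes differ from the documented sample (MD5 $md5); treat as a possible variant")
        }
    }

    # 2. Persistence: the 'NET Service' key, plus any service whose binary is
    #    wmssvc.exe in case a variant registers under a different service name.
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NET Service'
    if (Test-Path -LiteralPath $svcKey) {
        $svc = Get-ItemProperty -LiteralPath $svcKey
        $findings.Add("Service key present: DisplayName='$($svc.DisplayName)' ImagePath='$($svc.ImagePath)'")
    }
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -match 'wmssvc\.exe' } |
        ForEach-Object { $findings.Add("Service '$($_.Name)' runs $($_.PathName) (state $($_.State))") }

    # 3. Registry values the worm writes, each with the value it sets.
    #    AutoShareWks is checked where the page records it (lanmanworkstation).
    $scKey = 'HKLM:\SOFTWARE\Microsoft\Security Center'
    $wormValues = @(
        @{ Key = $scKey; Name = 'FirewallDisableNotify';  Bad = 1 },
        @{ Key = $scKey; Name = 'FirewallOverride';       Bad = 1 },
        @{ Key = $scKey; Name = 'AntiVirusOverride';      Bad = 1 },
        @{ Key = $scKey; Name = 'UpdatesDisableNotify';   Bad = 1 },
        @{ Key = $scKey; Name = 'AntiVirusDisableNotify'; Bad = 1 },
        @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'; Name = 'DoNotAllowXPSP2'; Bad = 1 },
        @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters'; Name = 'AutoShareWks'; Bad = 0 },
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'; Name = 'AUOptions'; Bad = 1 }
    )
    foreach ($v in $wormValues) {
        $actual = (Get-ItemProperty -LiteralPath $v.Key -Name $v.Name -ErrorAction SilentlyContinue).($v.Name)
        if ($null -ne $actual -and $actual -eq $v.Bad) {
            $findings.Add("$($v.Key)\$($v.Name) = $actual (value the worm sets)")
        }
    }

    # SFCDisable: the page says the worm modifies it but does not record the value,
    # so any non-zero value is reported (0 is the default, Windows File Protection on).
    $wfpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Windows File Protection'
    $sfc = (Get-ItemProperty -LiteralPath $wfpKey -Name SFCDisable -ErrorAction SilentlyContinue).SFCDisable
    if ($null -ne $sfc -and $sfc -ne 0) {
        $findings.Add("$wfpKey\SFCDisable = $sfc (Windows File Protection disabled)")
    }

    # 4. Services the worm disables. Short names are an assumption (standard XP-era
    #    names: Telnet=TlntSvr, Security Center=wscsvc, Remote Registry=RemoteRegistry, Messenger=Messenger).
    foreach ($name in 'TlntSvr', 'wscsvc', 'RemoteRegistry', 'Messenger') {
        $s = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        if ($s -and $s.StartMode -eq 'Disabled') {
            $findings.Add("Service $name ($($s.DisplayName)) start mode is Disabled")
        }
    }

    return $findings
}

$result = Invoke-SdbotTriage
if ($result.Count -eq 0) { 'No indicators from this description found.' } else { $result }
```

On hosts too old for CIM cmdlets, replace Get-CimInstance with Get-WmiObject (same Win32_Service class and properties). The script only reports; a positive result should be followed by the engine/DAT removal described under Removal, and the Security Center, Windows Update and AutoShareWks values returned to their defaults once the binary and service are gone.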

Actions that the worm may perform on receiving appropriate commands from the remote attacker include:

  • Enumerate active processes and threads on the infected computer
  • Start, stop and hide processes and threads
  • Open a local web server
  • Port scan IP addresses in a specified subnet to identify possible targets for infection
  • Open a backdoor on a specified port
  • Transfer files
  • Spread via mIRC
  • Update itself
  • Restart the infected machine
  • Sniff network traffic
  • Create, delete and try to spread via network shares
  • Spread via AOL Instant Messenger

The malware binary also monitors browser activity and attempts to steal login credentials and PIN information when the visited domain name contains one of a list of strings; some of them are as follows (the list mixes security-vendor and research sites with webmail, payment, auction and blogging sites):

  • sandbox.norman.com
  • norman.com
  • castlecops.com
  • castlecop
  • rootkit.com
  • WindowsLiveTranslator.com
  • download.com
  • walmart.com
  • amazon.com
  • redhat.com
  • debian.org
  • ubuntu.org
  • majorgeeks.com
  • gmail.com
  • hotmail.com
  • msdn.com
  • msn.com
  • mamboserver.com
  • php.org
  • php.net
  • mysql.com
  • softpedia.com
  • symantec.com
  • kaspersky
  • f-secure
  • norman
  • mcafee
  • afraid.org
  • paypal.com
  • ebay.com
  • 110mb.com
  • livejournal.com
  • youtube.com
  • blogspot.com
  • nabble.com
  • myspace.com
  • dyndns.org
  • dyndns.com
  • unixtool.com
  • linuxrocket.net
  • secwatch.org
  • secunia.com
  • securityfocus.com
  • xfocus.com
  • sourceforge.net
  • orkut
  • wordpress.com
  • blog.com
  • blogger.com
  • overture.com
  • about.com
  • answers.com
  • altavista.com
  • msnscache.com
  • webcrawler.com
  • g.live.com
  • live.com

This worm also contains a list of process names that it will attempt to terminate, covering both other malware and security and analysis tools (debuggers, process and registry monitors, VMware components):

  • TROJANTRAP3.EXE
  • OLLYDBG.EXE
  • LORDPE.EXE
  • AVP32.EXE
  • AUTOUPDATE.EXE
  • NORTON32.EXE
  • PANDA32.EXE
  • PROCEXP.EXE
  • REGMON.EXE
  • TCPMON.EXE
  • TCPVIEW.EXE
  • VMWARE-AUTHD.EXE
  • VMWARE.EXE
  • CTFMOM.EXE
  • WINCMD.EXE
  • NETLOGON.EXE
  • BLING.EXE
  • CRSSR.EXE
  • i11r54n4.exe
  • PandaAVEngine.exe
  • TaskMon
  • sysinfo.exe
  • Penis32.exe
  • Microsoft Inet Xp
  • winsys.exe

The malware binary also tries to steal game passwords and send that information to the remote attacker; the affected games include:

  • Call of Duty 2
  • Quake 4
  • Neverwinter Nights (Hordes of the Underdark)
  • Neverwinter Nights (Shadows of Undrentide)
  • Shogun Total War
  • Battlefield Vietnam
  • Battlefield 1942
  • Battlefield 2142
  • Counter-Strike 1.6
  • Half-Life

Symptoms

  • Presence of the above-mentioned registry entries and files
  • Presence of the above-mentioned behaviour

Method of Infection

Beyond the network-share and exploit propagation described above, the binary may also be spread manually, often under the premise that the executable is something beneficial. It may also be received as a result of poor security practices, or on unpatched and vulnerable systems.

Distribution channels include IRC, peer-to-peer networks, email, newsgroup postings, etc.

Removal

All Users:
Use the specified engine and DAT files for detection and removal.
