W32/Sdbot.worm.gen.ax​!EBBC416B

This worm bears the following characteristics:

Propagates to machines with poorly secured network shares (weak username/password combinations) or accessible share (where local credentials are sufficient to write files to other systems)

Propagates to remote machines by attempting to copy itself to a number of shares

Provides a backdoor to the victim machine, thereby compromising data on that machine (significant remote access functionality is available to the hacker)

It uses the following exploit to propagate across vulnerable networks "Exploit.FTPD"

Exploit.FTPD attempts to exploit remote machines using a multitude of embedded exploits in order to propagate across a network. Upon a successful attack, it will report this back to its author on a predefined IRC server/channel.

• %WinDir%\wmssvc.exe

On execution, the worm deletes itself from its current location and copies itself in %Windir% as wmssvc.exe. It then registers itself as a service by creating the following registry key(s):

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NET Service\

and has the following service characteristics:

• ImagePath: ""%WirDir%\wmssvc.exe""
• DisplayName: "NET Service"
• Description: "Enables NET messages issued by Windows based programs and components. This service cannot be stopped."

The following registry entries have been added:

• HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
• HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Windows File Protection
• HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall
• HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
• HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile

The following registry entries have been modified:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Windows File Protection\SFCDisable

The above mentioned registry entry confirms that the malware binary modifies the registry entry to disable Windows File Protection.

Disables the following services:

• Telnet
• Security Center
• Remote Registry
• Messenger

This worm also lowers windows security settings by performing the following registry modifications:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify: 0x00000001
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride: 0x00000001
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride: 0x00000001
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify: 0x00000001
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify: 0x00000001

The above mentioned registry entries confirms that the malware disables the compromised user system Firewall, Anti Virus software installed, Automatic Windows updates.

The malware binary also prevents windows updates from installing Windows XP Service Pack 2 by using:

• HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotAllowXPSP2: 0x00000001

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters\AutoShareWks: 0x00000000

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\AUOptions: 0x00000001

Actions that the worm may perform on receiving appropriate commands from the remote attacker include:

Enumerate active process and threads on infected computer :

• Start, stop and hide processes and threads
• Open a local web server
• Port scan IP addresses in a specified subnet to identify possible targets for infection
• Open backdoor at a specified port
• Transfer files
• Spread via MIRC
• Update itself
• Restart infected machine
• Sniff network traffic
• Create, delete and try to spread via network shares
• Spread via AOL Instant Messenger

The malware binary also monitors user browser activity and steals login credentials and pin information if following strings are present in the browsed domain name, some of them are as follows:

• sandbox.norman.com
• norman.com
• castlecops.com
• castlecop
• rootkit.com
• WindowsLiveTranslator.com
• download.com
• walmart.com
• amazon.com
• redhat.com
• debian.org
• ubuntu.org
• majorgeeks.com
• gmail.com
• hotmail.com
• msdn.com
• msn.com
• mamboserver.com
• php.org
• php.net
• mysql.com
• softpedia.com
• symantec.com
• kaspersky
• f-secure
• norman
• mcafee
• afraid.org
• paypal.com
• ebay.com
• 110mb.com
• livejournal.com
• youtube.com
• blogspot.com
• nabble.com
• myspace.com
• dyndns.org
• dyndns.com
• unixtool.com
• linuxrocket.net
• secwatch.org
• secunia.com
• securityfocus.com
• xfocus.com
• sourceforge.net
• orkut
• wordpress.com
• blog.com
• blogger.com
• overture.com
• about.com
• answers.com
• altavista.com
• msnscache.com
• webcrawler.com
• g.live.com
• live.com

• TROJANTRAP3.EXE
• OLLYDBG.EXE
• LORDPE.EXE
• AVP32.EXE
• AUTOUPDATE.EXE
• NORTON32.EXE
• PANDA32.EXE
• PROCEXP.EXE
• REGMON.EXE
• TCPMON.EXE
• TCPVIEW.EXE
• VMWARE-AUTHD.EXE
• VMWARE.EXE
• CTFMOM.EXE
• WINCMD.EXE
• NETLOGON.EXE
• BLING.EXE
• CRSSR.EXE
• i11r54n4.exe
• PandaAVEngine.exe
• TaskMon
• sysinfo.exe
• Penis32.exe
• Microsoft Inet Xp
• winsys.exe

The malware binary try to steal the game passwords and send those information to the remote attacker, some of them are as follows:

• Call of Duty 2
• Quake 4
• Neverwinter Nights (Hordes of the Underdark)
• Neverwinter Nights (Shadows of Undrentide)
• Shogun Total War
• Battlefield Vietnam
• Battlefield 1942
• Battlefield 2142
• Counter-Strike 1.6
• Half-Life

• Presence of above mentioned registry entries and files
• Presence of above mentioned behavior.

Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial. They may also be received as a result of poor security practices, or un-patched machines and vulnerable systems.

Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc.

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations