W32/Sdbot.worm.gen.ch

This page shows details and results of our analysis on the malware W32/Sdbot.worm.gen.ch

Download Current DAT: 6617

Threat Detail

Malware Type: Virus

Malware Sub-type: Generic Worm

Discovery Date: 2007-09-20

Next Steps:

Overview
Characteristics
Symptoms
Method of Infection
Removal

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. This virus is an IRC bot, which spreads between systems by exploiting vulnerabilities or poor username/password administration.

Minimum DAT

5124 (2007-09-20)

Updated DAT

5210 (2008-01-17)

Minimum Engine

4.4.00

File Length

Varies

Description Added

2007-09-20

Description Modified

2007-10-22

Malware Proliferation

Characteristics

Due to the large volume of members of this virus family, the size of extra.dats required to detect these is very large. AVERT have therefore split the detection into multiple drivers although the behavior of all members is broadly similar.

Please review the W32/Sdbot.worm.gen description for more detailed information.

The following information is for a single variant of this family.

Spreading Component

This variant may try to spread by a number of IM platforms (AIM, ICQ, Yahoo, MSN), by spamming all contacts with a link which appears to be for Google, but which is in fact redirected to a remote, malicious site. It also scans for systems which are vulnerable to MS03-039 and MS06-040 exploits.

This variant also scans systems for the following list of usernames and passwords:

www
windows
web
visitor
test2
test1
test
temp
telnet
ruler
remote
real
random
qwerty
public
pub
private
poiuytre
password
passwd
pass
oracle
one
nopass
nobody
nick
newpass
new
network
monitor
money
manager
mail
login
internet
install
hello
guest
go
free
demo
default
debug
database
crew
computer
coffee
bin
beta
backup
backdoor
anonymous
anon
alpha
adm
access
abc123
abc
system
sys
super
sql
shit
shadow
setup
security
secure
secret
123456789
12345678
1234567
123456
12345
1234
123
12
00000000
0000000
000000
00000
0000
000
00
0
server
asdfgh
admin
root
sa

Installation

When run, this variant copies itself to the DLLCache folder in the Windows System directory as Svehost.exe

c:\WINDOWS\system32\dllcache\svehost.exe

It also creates the following registry entries, to set itself as a service:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICROSOFT_AGENT
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Microsoft Agent

Symptoms

Presence of the file and registry entries referenced previously

Method of Infection

This worm attempts to spread via spammed links in IM messages, or by exploiting systems with vulnerabilities (MS03-039 and MS06-040) or which have poor username/password administration.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

But in some particular cases, the following steps need to be taken.

Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

Insert the Windows XP CD into the CD-ROM drive and restart the computer.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
Select the Windows installation that is compromised and provide the administrator password.
Issue 'fixmbr' command to restore the Master Boot Record
Follow onscreen instructions.
Reset and remove the CD from CD-ROM drive.

On Windows Vista and 7:

Insert the Windows CD into the CD-ROM drive and restart the computer.
Click on "Repair Your Computer".
When the System Recovery Options dialog comes up, choose the Command Prompt.
Issue 'bootrec /fixmbr' command to restore the Master Boot Record.
Follow onscreen instructions.
Reset and remove the CD from CD-ROM drive.