Overview:
W32/Sdbot.worm!4990c306 is an IRC-controlled backdoor that provides an attacker with unauthorized remote access to the compromised computer. An attacker can gain control over the compromised computer and use it to launch a DDoS attack against Internet systems. There are multiple versions of the W32/Sdbot family of worms that use IRC (Internet Relay Chat) as a command-and-control mechanism. Such worms typically use exploits and weak passwords to spread to vulnerable machines on the network.
This threat is identified as W32/Sdbot.worm.gen.h with the 4865 DAT files. When run, the worm installs itself into the following file path:
- %SYSTEMDIR%\dllcache\mssecure32.exe

The following registry keys are added to run itself on reboot:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Microsoft Security Login Service
  "Description" = "Microsoft Security Login Service."
  "DisplayName" = "Microsoft Security Login Service"
  "ErrorControl" = 0
  "FailureActions" = (binary registry data)
  "ImagePath" = "%SYSTEMDIR%\dllcache\mssecure32.exe "
  "ObjectName" = "LocalSystem"
  "Start" = 2
  "Type" = 32
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Microsoft Security Login Service
  "Description" = "Microsoft Security Login Service."
  "DisplayName" = "Microsoft Security Login Service"
  "ErrorControl" = 0
  "FailureActions" = (binary registry data)
  "ImagePath" = "%SYSTEMDIR%\dllcache\mssecure32.exe "
  "ObjectName" = "LocalSystem"
  "Start" = 2
  "Type" = 32

The following DCOM and LSA registry keys are modified:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
  "EnableDCOM" = N
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  "lmcompatibilitylevel" = 1
  "restrictanonymous" = 1
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa
  "restrictanonymous" = 1
  "lmcompatibilitylevel" = 1

The following registry keys are also modified:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent
  "(Default)" = 10
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent
  "(Default)" = 10
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess
  "Start" = 4
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv
  "Start" = 4

The worm attempts to connect to the following remote IRC server via TCP and waits for commands from a remote attacker:
- mang.smoke[removed].com port 4512
The worm also opens a random TCP port.

Symptoms:
The worm terminates the following processes (matched by name):
- Ad-aware
- spyware
- hijack
- kav
- proc
- kill
- sniff
- norton
- mcafee
- f-pro
- lockdown
- firewall
- blackice
- vg
- vsmon
- zonea
- spybot
- nod32
- eged
- avp
- troja
- viru
- anti
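The registry changes listed above (a service whose ImagePath points into the dllcache directory, EnableDCOM set to N, and the SharedAccess and wuauserv services set to Start=4, i.e. disabled) are the artifacts a responder would sweep a registry export for. The following is an added example, not part of this advisory or of any McAfee tooling; it runs the checks over a constructed in-memory snapshot of registry values and reports each indicator found.

```python
import re

# Constructed registry snapshot (key path -> {value name: data}) mirroring the
# entries in the advisory, plus a benign 'Themes' service as a control.
SAMPLE_SNAPSHOT = {
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Microsoft Security Login Service": {
        "ImagePath": r"%SYSTEMDIR%\dllcache\mssecure32.exe ",
        "ObjectName": "LocalSystem", "Start": 2, "Type": 32,
    },
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Themes": {
        "ImagePath": r"%SystemRoot%\System32\svchost.exe -k netsvcs", "Start": 2,
    },
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole": {"EnableDCOM": "N"},
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess": {"Start": 4},
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv": {"Start": 4},
}

# Service keys under any control set; group 2 is the service name.
SERVICE_KEY = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(CurrentControlSet|ControlSet\d+)\\Services\\([^\\]+)$",
    re.IGNORECASE)
# A service binary under the dllcache directory is not a normal location;
# the worm drops mssecure32.exe there.
DLLCACHE_IMAGE = re.compile(r"\\dllcache\\[^\\]+\.exe\b", re.IGNORECASE)
# Protective services the advisory shows set to Start=4 (disabled):
# SharedAccess (Windows Firewall/ICS) and wuauserv (Automatic Updates).
PROTECTIVE_SERVICES = {"sharedaccess", "wuauserv"}
START_DISABLED = 4

def find_sdbot_indicators(snapshot):
    """Return (severity, key, detail) tuples for each matching indicator."""
    findings = []
    for key, values in snapshot.items():
        match = SERVICE_KEY.match(key)
        if match:
            name = match.group(2)
            image = str(values.get("ImagePath", ""))
            if DLLCACHE_IMAGE.search(image):
                findings.append(("high", key, f"service '{name}' runs from dllcache: {image.strip()}"))
            if name.lower() in PROTECTIVE_SERVICES and values.get("Start") == START_DISABLED:
                findings.append(("medium", key, f"protective service '{name}' disabled (Start=4)"))
        elif key.lower().endswith(r"\software\microsoft\ole"):
            if str(values.get("EnableDCOM", "Y")).upper() == "N":
                findings.append(("medium", key, "DCOM disabled via EnableDCOM=N"))
    return findings

if __name__ == "__main__":
    for severity, key, detail in find_sdbot_indicators(SAMPLE_SNAPSHOT):
        print(f"[{severity}] {key}: {detail}")
```

On a real system the snapshot would be built from a `.reg` export or a parsed SYSTEM hive; the dllcache check is the strongest signal, since the other settings can also be changed legitimately.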
Method of Infection:
Users may be lured (such as through spam or spim) to visit a malicious site. Upon loading the web page, a vulnerable web browser will crash.

Removal:
All Users: Use current engine and DAT files for detection and removal. Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations