Proactive IT security

SDBot

Threat risk: low

Last published virus definition file:
Description created: 2004-04-22
Description updated: 2004-04-22

Malware type: Worm
Alias:
Spreading mechanism: Network
Payload: Backdoor/DoS

Summary

SDBots are worms that propagate via network shares. They also contain backdoor functionality that connects to an IRC channel and waits for commands.

Because many SDBot variants are closely similar, this is a generic description.

Spreading description

When an SDBot is executed, it copies itself to the %SYSTEM% directory and creates a registry value under one or both of the following keys so that it is started with Windows:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
 
A selection of the file names used by SDBots:
  • dosnet.exe (W32/SDBot.JN)
  • wupdated.exe (W32/SDBot.JP)
  • winsys32.exe (W32/SDBot.JQ)
  • msserv.exe (W32/SDBot.JS)
  • comport.exe (W32/SDBot.JT)
  • lmss.exe (W32/SDBot.JU)
  • AntiVirus32.exe (W32/SDBot.JV)
  • msgfix.exe (W32/SDBot.JX & .QF)
  • win32server.exe (W32/SDBot.JY)
  • pown.exe (W32/SDBot.KF)
  • intcp32.exe (W32/SDBot.KK)
  • iexplore.exe (W32/SDBot.KL)
  • MSNHome.exe (W32/SDBot.KM)
  • mgnwin32.exe (W32/SDBot.KN)
  • vbxpl.exe (W32/SDBot.KO)
  • mrvdwwx.exe (W32/SDBot.KP)
  • iexplorers.exe (W32/SDBot.KQ)
  • SpoolServ.exe (W32/SDBot.KS)
  • winboot32.exe (W32/SDBot.QC)
  • winlord32.exe (W32/SDBot.QD)
  • symantec32.exe (W32/SDBot.QE)
  • MSCFG.exe (W32/SDBot_based)
  • netcfg32.exe (W32/SDBot_based)
  • I1Eexplore.exe (W32/SDBot_based)
  • iEEexplore.exe (W32/SDBot_based)
  • ms32sys.exe (W32/SDBot_based)
  • wsock32p.exe (W32/SDBot_based)
A selection of the registry value names used by SDBots:
  • Dos Mode (W32/SDBot.JN)
  • Configuration Loaded (W32/SDBot.JP)
  • Configuration Loader (W32/SDBot.JQ)
  • Microsoft Service (W32/SDBot.JS)
  • Microsoft Com Port Manager (W32/SDBot.JT)
  • load (W32/SDBot.JU)
  • Windows Anti-Virus Built 32 (W32/SDBot.JV)
  • configuration loader (W32/SDBot.JW)
  • Configuration Loader (W32/SDBot.JX & .QF)
  • Winsock32driver (W32/SDBot.JY)
  • Microsoftx (W32/SDBot.KF)
  • Threaded (W32/SDBot.KK)
  • Configuration Loader (W32/SDBot.KL)
  • MSN Home Page (W32/SDBot.KM)
  • RandomWin32 (W32/SDBot.KN)
  • Configurations Loader (W32/SDBot.KO)
  • MyICQN (W32/SDBot.KP)
  • iexplorers loader (W32/SDBot.KQ)
  • Microsoft DirectX (W32/SDBot.KS)
  • Win32 Boot System (W32/SDBot.QC)
  • Windows Lord Anti-Virus (W32/SDBot.QD)
  • Symantec Security (W32/SDBot.QE)
  • Microsoft Configuration (W32/SDBot_based)
  • Network Card Driver Loader (W32/SDBot_based)
  • Config Loadatorin (W32/SDBot_based)
  • Config Loadation (W32/SDBot_based)
  • systemdrv (W32/SDBot_based)
  • WSock32 Protocol (W32/SDBot_based)
SDBots spread via network shares by brute forcing weak passwords where possible. Once it has copied itself to a remote share, an SDBot schedules a task on the remote machine to execute the copy and infect it.
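The file names and registry value names above are the indicators a responder actually hunts for. The following script is an added example (not Norman's code) that triages an autorun export offline: it reads text in the format written by `reg export` for the Run and RunOnce keys, a constructed sample is embedded in place of a real export, and flags entries whose value name or executable name appears in the lists on this page. The rule for `iexplore.exe` is an assumption of this example: the name is also the legitimate Internet Explorer binary, so it is only flagged when the path has no directory or points at a `system32`/`system` directory, where SDBot drops its copy.

```python
"""Triage Run/RunOnce autorun entries against the SDBot indicators above.
Added example, not Norman's code. Input is text as written by
`reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg`;
the sample below is constructed, not taken from a real machine."""
import re

# Registry value names from the list on this page (matched case-insensitively).
SDBOT_VALUE_NAMES = {n.lower() for n in (
    "Dos Mode", "Configuration Loaded", "Configuration Loader",
    "Microsoft Service", "Microsoft Com Port Manager", "load",
    "Windows Anti-Virus Built 32", "Winsock32driver", "Microsoftx", "Threaded",
    "MSN Home Page", "RandomWin32", "Configurations Loader", "MyICQN",
    "iexplorers loader", "Microsoft DirectX", "Win32 Boot System",
    "Windows Lord Anti-Virus", "Symantec Security", "Microsoft Configuration",
    "Network Card Driver Loader", "Config Loadatorin", "Config Loadation",
    "systemdrv", "WSock32 Protocol",
)}
# File names from the list on this page.
SDBOT_FILE_NAMES = {n.lower() for n in (
    "dosnet.exe", "wupdated.exe", "winsys32.exe", "msserv.exe", "comport.exe",
    "lmss.exe", "AntiVirus32.exe", "msgfix.exe", "win32server.exe", "pown.exe",
    "intcp32.exe", "iexplore.exe", "MSNHome.exe", "mgnwin32.exe", "vbxpl.exe",
    "mrvdwwx.exe", "iexplorers.exe", "SpoolServ.exe", "winboot32.exe",
    "winlord32.exe", "symantec32.exe", "MSCFG.exe", "netcfg32.exe",
    "I1Eexplore.exe", "iEEexplore.exe", "ms32sys.exe", "wsock32p.exe",
)}
AUTORUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runonce",
}
# "name"="data" lines of a .reg file; \" and \\ are the escapes used inside.
REG_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')


def _unescape(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")


def program_path(command):
    """Path of the executable in an autorun command (quoted or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def looks_like_system_dir(path):
    """Heuristic (assumption): a bare file name, resolved via the system search
    path, or a path under ...\\system32 or ...\\system, where SDBot drops itself."""
    if "\\" not in path:
        return True
    directory = path.rsplit("\\", 1)[0].lower()
    return directory.endswith("\\system32") or directory.endswith("\\system")


def scan_reg_export(text):
    """Return (key, value name, data, reason) for each suspicious autorun entry."""
    findings, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is None or key.lower() not in AUTORUN_KEYS:
            continue
        m = REG_VALUE_RE.match(line)
        if not m:
            continue
        name, data = _unescape(m.group(1)), _unescape(m.group(2))
        path = program_path(data)
        base = path.rsplit("\\", 1)[-1].lower()
        reasons = []
        if name.lower() in SDBOT_VALUE_NAMES:
            reasons.append("value name used by SDBot")
        # iexplore.exe is also the real IE binary: only a copy in %SYSTEM% is the
        # indicator; an autorun pointing under Program Files is left alone.
        if base in SDBOT_FILE_NAMES and (base != "iexplore.exe" or looks_like_system_dir(path)):
            reasons.append("file name used by SDBot")
        if reasons:
            findings.append((key, name, data, "; ".join(reasons)))
    return findings


# Constructed sample export (not from a real machine).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Configuration Loader"="C:\\WINDOWS\\system32\\msgfix.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"IE"="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" -nohome"
"Internet Explorer"="C:\\WINDOWS\\system32\\iexplore.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Dos Mode"="dosnet.exe"
'''

if __name__ == "__main__":
    for key, name, data, reason in scan_reg_export(SAMPLE_EXPORT):
        print(f"{key}\\{name} = {data}  <- {reason}")
```

On the sample, the `msgfix.exe` entry (W32/SDBot.JX) and the RunOnce `dosnet.exe` entry (W32/SDBot.JN) are flagged on both name and file, the `system32\iexplore.exe` copy is flagged on file name only, and the Synaptics and Program Files Internet Explorer entries pass. Export the keys from a suspect machine with `reg export` and feed the file in instead of the sample.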

Threat description

SDBots contain a backdoor component that joins an IRC channel and waits for commands. They usually connect to the IRC server on a high port number. Depending on the command an SDBot receives, it may perform one of the following tasks:
 
  • Perform a DoS attack using SYN floods, UDP packets or ping of death.
  • Update itself.
  • Send CPU details, memory statistics or running thread information to the attacker.
  • Join another IRC channel, change its NICK or logout of the channel.
  • Download or upload files.
  • Launch executables.
  • Scan the network and infect NT-based machines.
 
SDBots also attempt to terminate running processes associated with anti-virus/firewall software.
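Because the backdoor speaks plain IRC to a server on a non-standard high port, the client registration handshake (NICK followed by USER, usually with a JOIN) is visible to a network sensor regardless of the port. The script below is an added example, not part of the Norman description: it runs the check over a list of constructed client-to-server session payloads and reports the nick and channels for triage, marking sessions whose destination port is outside the set of ports where IRC is normally expected. That port set, and the session records themselves, are assumptions of the example; in practice the records would come from reassembled flows.

```python
"""Spot IRC client registrations on non-standard ports (the C2 pattern above).
Added example, not Norman's code. Session records are constructed inline; a
real deployment would feed reassembled client->server flows from a sensor."""
import re
from dataclasses import dataclass

# Ports on which IRC is normally expected; anything else counts as a
# "high/non-standard" port for this check (assumption, tune for your network).
STANDARD_IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}

# IRC client commands at the start of a line; the argument is the rest of the line.
IRC_CMD_RE = re.compile(r"^(NICK|USER|PASS|JOIN)\s+(.*?)\r?$", re.MULTILINE)


@dataclass
class Session:
    src: str
    dst: str
    dport: int
    payload: str  # client-to-server bytes, decoded as text


def parse_irc_registration(payload):
    """Return (nick, channels) if the payload carries an IRC client registration
    (a NICK and a USER command), otherwise None."""
    cmds, channels = {}, []
    for m in IRC_CMD_RE.finditer(payload):
        cmd, args = m.group(1), m.group(2)
        if cmd == "JOIN":
            # JOIN #a,#b [key,key]: channels are the first argument, comma separated
            channels.extend(c for c in args.split()[0].split(",") if c.startswith("#"))
        else:
            cmds[cmd] = args
    if "NICK" not in cmds or "USER" not in cmds:
        return None
    return cmds["NICK"].split()[0], channels


def find_irc_c2(sessions):
    """Flag every session with an IRC registration; mark non-standard ports."""
    hits = []
    for s in sessions:
        reg = parse_irc_registration(s.payload)
        if reg is None:
            continue
        nick, channels = reg
        hits.append({
            "src": s.src, "dst": s.dst, "dport": s.dport,
            "nick": nick, "channels": channels,
            "nonstandard_port": s.dport not in STANDARD_IRC_PORTS,
        })
    return hits


# Constructed sample traffic (not captured data): one HTTP request, one IRC
# session to a standard port, one IRC session to a high port.
SAMPLE_SESSIONS = [
    Session("10.0.0.5", "93.184.216.34", 80,
            "GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: x\r\n\r\n"),
    Session("10.0.0.7", "198.51.100.9", 6667,
            "NICK ops_bob\r\nUSER bob 0 * :bob\r\nJOIN #helpdesk\r\n"),
    Session("10.0.0.12", "203.0.113.77", 18067,
            "PASS s3cret\r\nNICK [XP]-831204\r\nUSER xp 0 0 :xp\r\n"
            "JOIN #bots,#upd botpass\r\n"),
]

if __name__ == "__main__":
    for hit in find_irc_c2(SAMPLE_SESSIONS):
        flag = "SUSPECT" if hit["nonstandard_port"] else "irc"
        print(f"{flag}: {hit['src']} -> {hit['dst']}:{hit['dport']} "
              f"nick={hit['nick']} channels={hit['channels']}")
```

The 6667 session is reported as ordinary IRC, while the registration to port 18067 is marked as suspect; the HTTP session is ignored because it carries no NICK/USER pair. Requiring both commands, rather than matching on a single keyword, keeps HTTP headers and chat text containing "JOIN" or "NICK" from producing false positives.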

Removal

Norman currently detects hundreds of SDBot variants, whilst Norman Sandbox detects the majority of new SDBots as W32/Malware.

General information about removal of malicious software

Norman's antivirus products are in general able to remove all malicious software that they detect.
Some malware, however, uses techniques that the general product does not remove sufficiently. We have therefore developed the free tool Norman Malware Cleaner. If your Norman antivirus is unable to clean up the infection, please use the latest version of this program from the link below.

Medium Title Remark
  Stopping network share infectors
  Cleaning up backup folders under Windows Me and XP