W32/SDBot.FO!worm
Analysis
Specifics
This virus is 32 bit with a packed file size of 123,168
bytes. This virus implements an exploit against LSASS.EXE
in order to gain access to and infect target systems.
This virus can terminate applications matching a hard-coded
list of names.
Loading At Windows Startup
The virus will copy itself to the local system into
the drivers folder as "smsc.exe" and set a
registry entry to load the virus as a service at each
Windows startup -
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\
"Win32 USB2 Driver" = smsc.exe
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce\
"Win32 USB2 Driver" = smsc.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
"Win32 USB2 Driver" = smsc.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\
"Win32 USB2 Driver" = smsc.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
"Win32 USB2 Driver" = smsc.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\
"Win32 USB2 Driver" = smsc.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
"Win32 USB2 Driver" = smsc.exe
The virus creates additional keys to ensure the virus loads as a service on Win2K/WinNT -
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Microsoft Config
"DeleteFlag" = 01, 00, 00, 00
"DisplayName" = Win32 USB2 Driver
"ErrorControl" = 01, 00, 00, 00
"FailureActions" = ( hex codes )
"ImagePath" = "C:\WINNT\System32\smsc.exe" -netsvcs
"ObjectName" = LocalSystem
"Start" = 04, 00, 00, 00
"Type" = 20, 00, 00, 00
LSASS Infection Method
The virus may scan for other machines on the network
and attempt to compromise them using a known exploit
against LSASS.EXE. Systems that do not have at least the
MS04-011 security patch installed are vulnerable
to this attack.
IRC Server Connection
This virus will try to connect with an IRC server located
at the IP address 219.248.79.162 using TCP port 6667.
Once connected, the virus awaits commands from a
remote attacker, which could include scanning for new
targets, rebooting the system and other actions.
Recommended Action
- Check the main screen using the web interface for
your FortiGate unit to ensure that the latest AV/NIDS
database has been downloaded and installed on your
system - if required, enable the "Allow Push
Update" option
- Using the FortiGate manager, add the IP 219.248.79.162 to the list of URLs to block
Telemetry
Detection Availability
Product | Signature Database
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |