W32/SDBot.JW!worm

Analysis

Specifics
This worm is a 32-bit Windows executable with a packed file size of 101,446 bytes. It contains code to propagate itself to other systems and to connect to an IRC server on TCP port 6667. It is run at each Windows startup via three registry entries:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
"Mozilla Firefox v0.901" = netconfig.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
"Mozilla Firefox v0.901" = netconfig.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
"Mozilla Firefox v0.901" = netconfig.exe
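An added example (not FortiGuard's code or the worm's) of checking for this persistence from an exported registry file: the functions below parse the text that `reg export` writes and report any value under the three autorun keys listed above whose value name or image matches the indicators. The sample export embedded in the block is constructed for the demo, and the `.reg` parser is deliberately minimal (string values only, no hex or multi-line data).

```python
import re

# Autorun keys and indicators named in the advisory.
AUTORUN_KEYS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
}
IOC_VALUE_NAME = "Mozilla Firefox v0.901"
IOC_IMAGE = "netconfig.exe"

# Constructed sample of what `reg export` writes: two benign entries plus the
# worm's persistence under HKLM Run and RunServices. Real exports escape
# backslashes and double quotes inside data exactly like this.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Mozilla Firefox v0.901"="netconfig.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Mozilla Firefox v0.901"="C:\\WINDOWS\\system32\\netconfig.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
'''

# "name"="data" with backslash escapes allowed inside either string (REG_SZ only).
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # .reg files escape backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Yield (key_path, value_name, data) for each REG_SZ value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if key is not None and m:
            yield key, _unescape(m.group(1)), _unescape(m.group(2))


def _image_name(data):
    """Executable basename from an autorun command line, ignoring quoting and arguments."""
    cmd = data.strip()
    if cmd.startswith('"'):
        cmd = cmd[1:].split('"', 1)[0]
    else:
        cmd = cmd.split(" ", 1)[0]
    return cmd.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_sdbot_autoruns(text):
    """Return (key, name, data) for autorun values matching the advisory's indicators.
    Either indicator alone is enough, so a variant that keeps only one is still flagged."""
    wanted = {k.lower() for k in AUTORUN_KEYS}
    hits = []
    for key, name, data in parse_reg_export(text):
        if key.lower() not in wanted:
            continue
        if name == IOC_VALUE_NAME or _image_name(data) == IOC_IMAGE:
            hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_sdbot_autoruns(SAMPLE_REG_EXPORT):
        print(f'{key}\n  "{name}" = {data}')
```

On a live host the input comes from `reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` (and the other two keys); `reg export` normally writes UTF-16LE, so open the file with `encoding="utf-16"` before passing it in. The RunServices key is only honoured by Windows 9x/ME; on NT-based Windows the worm still writes it, so it remains a useful indicator even though it does not execute anything there.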


Target Seek
The worm probes random IP addresses with TCP SYN packets and treats any host that answers with a SYN/ACK as a target. It then attempts to log on to the responding host by trying a built-in dictionary of logon IDs and passwords; this is the phase the inbound TCP 139/445 block under Recommended Action is meant to stop. If a logon succeeds, the worm copies itself to that host and executes the copy remotely as "netconfig.exe".


IRC Communique
The worm connects to the IRC server at IP address 216.234.253.28 and joins the channel "#boom". Once connected, it sends private messages to the chat user "boom" reporting the status of the functions it is performing. For instance, during the initial IP scanning phase the worm sends the author a message with this content:

"Starting scan of NT-pass"
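The scanning phase described under Target Seek and the IRC check-in described here, as an added detection example that is not part of the advisory: one detector flags any connection to the C2 address on TCP 6667, one flags a source sending bare SYNs to many distinct hosts in a short window, and one flags the channel join and the status report to the operator nick in client-to-server IRC traffic. Assumptions not stated on the page: the flow records use a simplified constructed "epoch src dst dport flags" format rather than a FortiGate log format, the sweep is assumed to probe the SMB ports that Recommended Action blocks, and the thresholds are illustrative.

```python
from collections import defaultdict, deque

# Indicators from the advisory.
C2_IP = "216.234.253.28"
C2_PORT = 6667
C2_CHANNEL = "#boom"
C2_OPERATOR = "boom"

# Assumptions (not stated on the page): the SYN sweep probes the SMB ports that
# Recommended Action blocks, and these thresholds are illustrative.
SCAN_PORTS = {139, 445}
SCAN_THRESHOLD = 20   # distinct destinations from one source ...
SCAN_WINDOW = 60      # ... within this many seconds

# Constructed flow records: "epoch src dst dport tcp_flags", where S is a bare
# SYN with no completion and SA a completed handshake. Not a real log format.
SAMPLE_FLOWS = [
    "1000 10.0.0.5 93.184.216.34 443 SA",    # benign HTTPS session
    "1001 10.0.0.9 216.234.253.28 6667 SA",  # infected host reaching the IRC C2
    "1002 10.0.0.5 10.0.0.20 445 SA",        # one legitimate SMB session
] + [f"{1003 + i} 10.0.0.9 198.51.100.{i} 445 S" for i in range(1, 26)]  # sweep

# Constructed client-to-server IRC lines, as a sensor would see them on the wire.
SAMPLE_IRC = [
    "NICK xk3h9",
    "USER xk3h9 0 * :xk3h9",
    "JOIN #boom",
    "PRIVMSG boom :Starting scan of NT-pass",
    "PRIVMSG #boom :hello",
]


def parse_flow(line):
    ts, src, dst, dport, flags = line.split()
    return {"ts": int(ts), "src": src, "dst": dst, "dport": int(dport), "flags": flags}


def detect_c2(flows):
    """Any connection to the advisory's IRC server on TCP 6667."""
    return [f for f in flows if f["dst"] == C2_IP and f["dport"] == C2_PORT]


def detect_syn_sweep(flows):
    """Sources that sent bare SYNs to >= SCAN_THRESHOLD distinct hosts on SCAN_PORTS
    inside a SCAN_WINDOW-second sliding window. Returns {src: distinct_targets}."""
    probes = defaultdict(list)
    for f in flows:
        if f["dport"] in SCAN_PORTS and f["flags"] == "S":
            probes[f["src"]].append((f["ts"], f["dst"]))
    suspects = {}
    for src, events in probes.items():
        window = deque()
        for ts, dst in sorted(events):
            window.append((ts, dst))
            while ts - window[0][0] > SCAN_WINDOW:   # drop probes older than the window
                window.popleft()
            targets = {d for _, d in window}
            if len(targets) >= SCAN_THRESHOLD:
                suspects[src] = len(targets)
                break
    return suspects


def detect_irc_beacon(lines, channel=C2_CHANNEL, operator=C2_OPERATOR):
    """Flag the channel join and every status report sent privately to the operator nick."""
    alerts = []
    for line in lines:
        parts = line.rstrip("\r\n").split(" ", 2)
        cmd = parts[0].upper()
        if cmd == "JOIN" and len(parts) >= 2 and parts[1].lower() == channel.lower():
            alerts.append(("join", parts[1]))
        elif cmd == "PRIVMSG" and len(parts) == 3 and parts[1].lower() == operator.lower():
            text = parts[2][1:] if parts[2].startswith(":") else parts[2]
            alerts.append(("status", text))
    return alerts


if __name__ == "__main__":
    flows = [parse_flow(line) for line in SAMPLE_FLOWS]
    print("C2 connections:", [(f["src"], f["dst"]) for f in detect_c2(flows)])
    print("SYN sweep sources:", detect_syn_sweep(flows))
    print("IRC beacon:", detect_irc_beacon(SAMPLE_IRC))
```

The C2 check is the only one that relies on the single hard-coded address; the sweep and IRC checks describe behaviour and will also catch a variant that moves to a different server, which is why both are worth keeping after the address itself is blocked.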


Recommended Action

  • Check the main screen of your FortiGate unit's web interface to ensure that the latest AV/NIDS database has been downloaded and installed; if required, enable the "Allow Push Update" option
  • Block external to internal traffic on TCP ports 139, 445 and 6667. The inbound 139/445 block stops the worm's logon and copy phase; because the worm's own IRC session is outbound, also block internal to external TCP 6667 where IRC is not needed
  • Block internal to external traffic to IP address 216.234.253.28

Telemetry

Detection Availability

FortiGate                   Extreme
FortiClient                 Extended
FortiMail                   Extended
FortiSandbox                Extended
FortiWeb                    Extended
Web Application Firewall    Extended
FortiIsolator               Extended
FortiDeceptor               Extended
FortiEDR