W32/SDBot.JW!worm
Analysis
Specifics
This worm is a 32-bit Windows executable with a packed file size of 101,446
bytes. It contains code to spread itself to other hosts over the network
and to connect to an IRC server on TCP port 6667 for remote control.
The worm runs at each Windows startup via three registry entries -
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
"Mozilla Firefox v0.901" = netconfig.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
"Mozilla Firefox v0.901" = netconfig.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
"Mozilla Firefox v0.901" = netconfig.exe
The RunServices key is only honoured by Windows 9x/ME; on NT-based Windows
the two Run entries provide the persistence. The value name imitates a
browser entry so that it looks benign in an autorun listing.
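The three autorun entries above can be checked offline against a registry export. The following Python is an added example, not code from this page or from Fortinet: it parses a constructed .reg-format dump (the format `reg export` writes) and reports every value under the three listed keys that either carries the worm's value name or launches netconfig.exe, so a renamed value is still caught. The key paths, value name and image name come from the analysis above; the sample export and the helper names are assumptions for illustration.

```python
import re

# Registry locations the worm writes (from the analysis above). RunServices
# is honoured only by Windows 9x/ME and ignored on NT-based Windows.
SDBOT_RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
SDBOT_VALUE_NAME = "Mozilla Firefox v0.901"
SDBOT_IMAGE = "netconfig.exe"

# Constructed sample in .reg export format (what `reg export` produces).
# The "Updater" value is benign filler so the scan has something to ignore.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Mozilla Firefox v0.901"="netconfig.exe"
"Updater"="C:\\Program Files\\Vendor\\updater.exe /quiet"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Mozilla Firefox v0.901"="netconfig.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Mozilla Firefox v0.901"="netconfig.exe"
"""

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
_VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def parse_reg_export(text):
    """Yield (key, value_name, data) for every named value in a .reg export.

    REG_SZ data (written as "...") is unquoted and its backslash escapes are
    resolved; other types (dword:, hex:) are returned as written.
    """
    key = None
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = _VALUE_RE.match(line)
        if not m or key is None:
            continue
        data = m.group("data").strip()
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        yield key, m.group("name"), data


def find_sdbot_persistence(text):
    """Return autorun entries matching W32/SDBot.JW's persistence.

    A hit is either the exact value name the worm uses or any autorun under
    the three keys whose command starts with netconfig.exe (the image name is
    taken from the first whitespace-delimited token of the command).
    """
    wanted_keys = {k.lower() for k in SDBOT_RUN_KEYS}
    hits = []
    for key, name, data in parse_reg_export(text):
        if key.lower() not in wanted_keys:
            continue
        image = data.strip('"').split()[0] if data.strip() else ""
        image_name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name == SDBOT_VALUE_NAME or image_name == SDBOT_IMAGE:
            hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_sdbot_persistence(SAMPLE_REG_EXPORT):
        print(f"{key}\n    {name!r} = {data!r}")
```

On a live host the same check is `reg export` of each key followed by this parser; the match on the image name rather than only the value name is what survives a trivial rename of the autorun entry.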
Target Seek
The worm scans for targets by sending TCP SYN packets to random
IP addresses and waiting for a SYN/ACK reply. Each host that
responds becomes a target: the worm attempts to log on to it
over SMB/NetBIOS (TCP ports 139 and 445) using a dictionary
attack on logon IDs and passwords. If a logon succeeds, the worm
copies itself to that system and remotely executes the copy as
"netconfig.exe", which then repeats the same cycle from the new host.
IRC Communique
The worm connects to the IRC server at IP address
216.234.253.28 and joins the channel "#boom".
Once connected, it sends private messages to the chat user
"boom" containing status messages about the functions it is
performing, which lets the operator track infected hosts.
For instance, during the initial IP scanning phase, the worm
sends a message to the operator with this content -
"Starting scan of NT-pass"
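Both the random-IP sweep in Target Seek and the IRC check-in described here leave a footprint in firewall or flow logs. The following Python is an added example, not part of the original analysis: it runs two detections over a constructed flow log, one for a source host touching many distinct addresses on TCP 139/445 within a short window, and one for any host connecting to 216.234.253.28 on TCP 6667. The C2 address, port and scanned ports come from the analysis above; the log line format, the host addresses and the threshold of 20 distinct destinations per minute are assumptions that should be tuned to the network being monitored.

```python
import re
from collections import defaultdict
from datetime import datetime

# Indicators taken from the analysis above.
SDBOT_C2_IP = "216.234.253.28"
SDBOT_C2_PORT = 6667
SCAN_PORTS = {139, 445}          # where the worm attempts its dictionary logons

# Assumed detection tuning: a workstation talking to 20+ distinct hosts on
# 139/445 inside one minute is a sweep, not normal file-server use.
SCAN_MIN_DISTINCT_DSTS = 20
SCAN_WINDOW_SECONDS = 60

# Constructed flow log, one line per new connection: "ts src:sport -> dst:dport proto".
# 10.0.0.7 sprays 25 SYNs at port 445 and then reports in to the IRC server;
# 10.0.0.9 is a normal host opening SMB sessions to two file servers.
SAMPLE_FLOWS = [
    *(f"2005-03-01T10:00:{i:02d} 10.0.0.7:{1200 + i} -> 203.0.113.{i + 1}:445 tcp"
      for i in range(25)),
    "2005-03-01T10:01:05 10.0.0.7:1301 -> 216.234.253.28:6667 tcp",
    "2005-03-01T10:00:10 10.0.0.9:50001 -> 10.0.0.20:445 tcp",
    "2005-03-01T10:00:11 10.0.0.9:50002 -> 10.0.0.21:445 tcp",
]

_FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)


def parse_flows(lines):
    """Parse flow lines into dicts; malformed lines are skipped, not fatal."""
    flows = []
    for line in lines:
        m = _FLOW_RE.match(line)
        if not m:
            continue
        flows.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
            "proto": m["proto"],
        })
    return flows


def find_c2_connections(flows):
    """Sorted list of hosts that connected to the worm's IRC server on TCP/6667."""
    return sorted({
        f["src"] for f in flows
        if f["proto"] == "tcp" and f["dst"] == SDBOT_C2_IP and f["dport"] == SDBOT_C2_PORT
    })


def find_scanners(flows, min_dsts=SCAN_MIN_DISTINCT_DSTS, window=SCAN_WINDOW_SECONDS):
    """Sources that reached >= min_dsts distinct hosts on 139/445 within `window` seconds.

    Returns {src: peak distinct-destination count}. The window slides over each
    source's connections in time order, so a slow sweep below the rate is not
    reported; lower min_dsts or widen window to trade false positives for recall.
    """
    by_src = defaultdict(list)
    for f in flows:
        if f["proto"] == "tcp" and f["dport"] in SCAN_PORTS:
            by_src[f["src"]].append((f["ts"], f["dst"]))
    scanners = {}
    for src, events in by_src.items():
        events.sort()
        peak = 0
        for i, (t0, _) in enumerate(events):
            seen = set()
            for t, dst in events[i:]:
                if (t - t0).total_seconds() > window:
                    break
                seen.add(dst)
            peak = max(peak, len(seen))
        if peak >= min_dsts:
            scanners[src] = peak
    return scanners


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("scanners:", find_scanners(flows))
    print("C2 check-ins:", find_c2_connections(flows))
```

A host that appears in both results is the strongest signal: the sweep alone could be a vulnerability scanner, and a single 6667 connection alone could be a human on IRC, but the combination is the sequence the analysis describes.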
Recommended Action
- Check the main screen using the web interface for
your FortiGate unit to ensure that the latest AV/NIDS
database has been downloaded and installed on your
system - if required, enable the "Allow Push
Update" option
- Block external to internal traffic on TCP ports
139, 445 and 6667
- Block internal to external traffic to IP address 216.234.253.28;
the IRC connection is outbound, so also consider blocking
outbound TCP port 6667 where IRC is not legitimate traffic
- On infected hosts, remove the three autorun registry values and the
netconfig.exe file, and change any account passwords weak enough
for the dictionary attack to have guessed
Telemetry
Detection Availability
Product | Detection
---|---
FortiGate | Extreme
FortiClient | Extended
FortiMail | Extended
FortiSandbox | Extended
FortiWeb | Extended
Web Application Firewall | Extended
FortiIsolator | Extended
FortiDeceptor | Extended
FortiEDR |