W32/SDBot.fam!worm.irc

Analysis

  • The virus is a 32-bit executable and is commonly compressed, so file sizes vary
  • Detection covers several variants of the SDBot family
  • When the virus is run, it may launch Internet Explorer in a hidden window, connect the infected machine to an IRC server and act as an IRC bot
  • When the infected system is connected to the Internet, the bot may use TCP port 6667 and await instructions from a hacker or group of hackers
  • The IRC bot may report the following details about the infected client to a specified IRC channel (%d and %s are the bot's numeric and string format placeholders, filled in at run time) -

    cpu: %d MHz.
    ram: %d KB total, %d KB free.
    os: Windows %s (%d.%d, build %d).
    uptime: %dd %dh %dm%ds [%s]
    connection type: %s (%s).
    local IP address: %d.%d.%d.%d.
    connected from: %s

  • Among the instructions it supports, the IRC bot can ping, download, clone and send itself
  • The virus may copy itself to the Windows\System folder as an executable and modify the registry so that it loads at Windows startup -
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\Run\
    (key value) = (path and filename of virus)

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\RunServices\
    (key value) = (path and filename of virus)
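As an added example (not Fortinet's code and not part of this entry), the Python script below checks a host for two of the indicators described above: autostart values under the Run and RunServices keys that point to an executable in the Windows\System folder, and established TCP connections to port 6667. The registry export and netstat output it parses are constructed samples; the file name botsample.exe and the IP addresses are placeholders, and matching System32 as well as System is an assumption that goes beyond the text.

```python
"""Triage helper for the SDBot indicators listed in this entry (added example).
It parses a .reg export for Run/RunServices values pointing into the Windows
System folder and a netstat listing for established connections to TCP 6667."""
import re
from dataclasses import dataclass

# Autostart keys named in the analysis.
AUTOSTART_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
IRC_PORT = 6667
# Assumption: also treat System32 as the "System" folder on NT-based Windows.
SYSTEM_EXE = re.compile(r"\\windows\\system(32)?\\[^\\]+\.exe\b", re.IGNORECASE)


@dataclass
class Finding:
    source: str   # "registry" or "network"
    detail: str


def parse_reg_export(text):
    """Parse the subset of .reg syntax used here: [key] headers followed by
    "name"="data" string values. Returns a list of (key, name, data)."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:
                # .reg files escape each backslash in string data as "\\"
                entries.append((key, m.group(1), m.group(2).replace("\\\\", "\\")))
    return entries


def autostart_findings(reg_text):
    """Flag Run/RunServices values whose data is an executable under the
    Windows System folder, where the analysis says the virus copies itself."""
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        if key.lower() in AUTOSTART_KEYS and SYSTEM_EXE.search(data):
            findings.append(Finding("registry", f"{key}\\{name} = {data}"))
    return findings


def irc_findings(netstat_text):
    """Flag ESTABLISHED TCP connections whose remote port is 6667, the port
    the analysis says the bot uses to await instructions."""
    findings = []
    for line in netstat_text.splitlines():
        parts = line.split()   # Proto, Local Address, Foreign Address, State
        if len(parts) == 4 and parts[0] == "TCP" and parts[3] == "ESTABLISHED":
            remote = parts[2]
            if remote.rsplit(":", 1)[-1] == str(IRC_PORT):
                findings.append(Finding("network", f"{parts[1]} -> {remote}"))
    return findings


# Constructed sample registry export; botsample.exe is a placeholder name.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools"="C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe"
"botsample"="C:\\WINDOWS\\System\\botsample.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"botsample"="C:\\WINDOWS\\System\\botsample.exe"
'''

# Constructed sample of `netstat -an` output using documentation IP ranges.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.20:1045      203.0.113.7:6667       ESTABLISHED
  TCP    192.168.1.20:1046      198.51.100.4:443       ESTABLISHED
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
"""

if __name__ == "__main__":
    for f in autostart_findings(SAMPLE_REG) + irc_findings(SAMPLE_NETSTAT):
        print(f"[{f.source}] {f.detail}")
```

On a live host the same functions can be fed the output of `reg export` for the two keys and of `netstat -an`; a hit on either check is a reason to pull the referenced file for analysis rather than proof of infection on its own, since legitimate software also uses the Run keys and IRC traffic is not inherently malicious.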

Recommended Action

Check the main screen of your FortiGate unit's web interface to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option

Telemetry

Detection Availability

  FortiClient: Extreme
  FortiMail: Extreme
  FortiSandbox: Extreme
  FortiWeb: Extreme
  Web Application Firewall: Extreme
  FortiIsolator: Extreme
  FortiDeceptor: Extreme
  FortiEDR