Virus

W32/SDBot.RT!worm

Analysis

The virus is a 32-bit executable with a packed file size of 33,920 bytes. On infected systems it resides in the System32 folder under a file name that varies from one replication to the next. When the virus copies itself to a new host, it writes itself as %random%.exe, where %random% is a series of up to ten letters.
When the virus first runs, it tries to connect to a user account on the web server 'www3.simpatico.ca' and download a file named "Dsmsn.exe". The downloaded file is then run. It is a package file containing two files -

  • a Proxy Trojan named W32/Ranky.AP-tr
  • an updated version of W32/SDBot.RT-net.
Both Ranky and SDBot are run, and both are also set to load at the next Windows restart. The auto-load is achieved through changes to the system registry such as these -
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"ffeqfqs" = dqddss.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"ffeqfqs" = dqddss.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
"ffeqfqs" = dqddss.exe
The virus installs a remote access Trojan component known as Ranky. This component is also registered to run at each Windows startup -
HKEY_CURRENT_USER\Software\WinRAR SFX
"C%%WINNT%SYSTEM32%" = C:\WINNT\SYSTEM32\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"vsddsas" = C:\winnt\system32\fqeeqfap.exe
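The registry entries above are the artefacts a responder can look for. The following is an added example, not part of the original write-up: it parses a .reg export and flags Run/RunServices values whose value name and executable name are short runs of lowercase letters (an assumed heuristic based on the quoted samples), plus the WinRAR SFX key. The sample export is constructed.

```python
import re
# Autorun locations named in the analysis, plus the WinRAR SFX key Ranky leaves behind.
AUTORUN_KEYS = (
    r"\Microsoft\Windows\CurrentVersion\Run",
    r"\Microsoft\Windows\CurrentVersion\RunServices",
)
SFX_KEY = r"\WinRAR SFX"
# Assumed heuristic: names of up to ten letters, all lowercase as in the quoted samples.
LETTERS = re.compile(r"^[a-z]{1,10}$")
EXE_NAME = re.compile(r"(?:^|\\)([^\\]+)\.exe$", re.IGNORECASE)

def parse_reg_export(text: str) -> list:
    """Parse a .reg export into (key, value_name, value_data) triples."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            # .reg files escape backslashes inside string data as "\\"
            data = data.strip().strip('"').replace("\\\\", "\\")
            entries.append((key, name.strip('"'), data))
    return entries

def find_sdbot_persistence(reg_text: str) -> list:
    """Return autorun entries matching the SDBot/Ranky persistence pattern."""
    hits = []
    for key, name, data in parse_reg_export(reg_text):
        low = key.lower()
        if low.endswith(SFX_KEY.lower()):
            hits.append((key, name, data))  # SFX extraction-path marker
            continue
        if not any(low.endswith(k.lower()) for k in AUTORUN_KEYS):
            continue
        m = EXE_NAME.search(data)
        if m and LETTERS.match(name) and LETTERS.match(m.group(1)):
            hits.append((key, name, data))
    return hits

# Constructed sample export: the entries quoted above plus one legitimate autorun.
SAMPLE_EXPORT = r"""[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ffeqfqs"="dqddss.exe"
"OneDrive"="C:\\Users\\me\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"ffeqfqs"="dqddss.exe"
[HKEY_CURRENT_USER\Software\WinRAR SFX]
"C%%WINNT%SYSTEM32%"="C:\\WINNT\\SYSTEM32\\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vsddsas"="C:\\winnt\\system32\\fqeeqfap.exe"
"""
```

Run `find_sdbot_persistence(SAMPLE_EXPORT)` against an export taken with `reg export` to list the suspect entries; the heuristic is deliberately loose, so review each hit rather than deleting automatically.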
The "Ranky" component binds to TCP port 37607 and awaits connections from a malicious user. Ranky also sends a notification message over TCP port 80 by calling a server side script - this alerts malicious users monitoring the server that a new system has been compromised. The server side script is similar to this -
http://wowcraft.no-ip.org/public_html/a.php?37607
Meanwhile the virus scans random IP addresses on TCP port 139 in an attempt to locate further targets. When a responding IP address is found, SDBot attempts to log on to the target system using weak password combinations from a built-in dictionary.

Recommended Action

Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.