WORM_SDBOT.JAB

 Analysis by: Sabrina Lei Sioting

 ALIASES:

Backdoor:Win32/IRCbot.gen!U (Microsoft), Backdoor.Win32.IRCBot.gen (Kaspersky), Bloodhound.Exploit.8 (Symantec), Exploit-DcomRpc.gen (McAfee), Mal/IRCBot-C (Sophos), Trojan.Win32.Ircbot!cobra (Sunbelt), W32/IRCBot.C!tr.bdr (Fortinet), Virus.Win32.IRCBot (Ikarus), Win32/AutoRun.IRCBot.FC (Nod32), Trojan W32/Ircbot.BFOH (Norman)

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Propagates via network shares, Propagates via peer-to-peer networks, Propagates via removable drives, Downloaded from the Internet


This worm arrives by connecting affected removable drives to a system. It arrives via peer-to-peer (P2P) shares. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system. It uses a list of passwords to gain access to password-protected shares.

It joins an Internet Relay Chat (IRC) channel.

  TECHNICAL DETAILS

File Size:

65,024 bytes

File Type:

EXE

Memory Resident:

Yes

Initial Samples Received Date:

24 Jan 2012

Payload:

Compromises system security, Terminates processes

Arrival Details

This worm arrives by connecting affected removable drives to a system.

It arrives via peer-to-peer (P2P) shares.

It may arrive via network shares.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following copies of itself into the affected system:

  • %Application Data%\dnsupdater.exe
  • %User Temp%\windump.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

  • anotherblackwidow

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
SunJavaUpdateSched = "%Application Data%\dnsupdater.exe"

Propagation

This worm drops copies of itself in the following shared folders:

  • SharedDocs\porno_movie.mpeg.exe
  • ADMIN$\porno_movie.mpeg.exe
  • C$\porno_movie.mpeg.exe
  • D$\porno_movie.mpeg.exe
  • E$\porno_movie.mpeg.exe

It drops the following copy(ies) of itself in all removable drives:

  • autorunme.exe

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[autorun]
open=autorunme.exe
icon=%SystemRoot%\system32\SHELL32.dll,8
label=USB Drive
action=USB Drive explorer
shellexecute=autorunme.exe

It uses the following list of passwords to gain access to password-protected shares:

  • 12345
  • 123456
  • 1234567
  • 12345678
  • 123456789
  • 1234567890
  • 123abc
  • abcde
  • access
  • admin
  • administrator
  • admins
  • amministratore
  • apollo13
  • apple
  • awerty
  • billy
  • bitch
  • command
  • computer
  • database
  • default
  • guest
  • hacker
  • internet
  • intranet
  • linux
  • login
  • loginpass
  • mysql
  • nokia
  • oracle
  • owner
  • pass1234
  • qwerty
  • server
  • siemens
  • system
  • win2000
  • win2k
  • win95
  • win98
  • winnt
  • winpass
  • winxp
  • wwwadmin

Backdoor Routine

This worm connects to any of the following IRC server(s):

  • Irc.{BLOCKED}z.com

It joins any of the following Internet Relay Chat (IRC) channels:

  • ##synfu##
  • ##flash##
  • #~priv~#
  • #~cevi~#

Process Termination

This worm terminates the following processes if found running in the affected system's memory:

  • Wireshark
  • tcpview
  • MSASCui
  • msmpeng

NOTES:

This worm drops copies of itself in the following folders used in peer-to-peer networks:

  • {folder path}\bearshare\shared\
  • {folder path}\edonkey2000\incoming\
  • {folder path}\emule\incoming\
  • {folder path}\frostwire\saved\
  • {folder path}\frostwire\shared\
  • {folder path}\grokster\my grokster\
  • {folder path}\icq\shared folder\
  • {folder path}\kazaa lite k++\my shared folder\
  • {folder path}\kazaa lite\my shared folder\
  • {folder path}\kazaa\my sharedfolder\
  • {folder path}\limewire\saved\
  • {folder path}\limewire\shared\
  • {folder path}\morpheus\my shared folder\
  • {folder path}\my music\bearshare\
  • {folder path}\my music\imesh\
  • {folder path}\shareaza downloads\
  • {folder path}\tesla\files\
  • {folder path}\winmx\shared\

The folder path where it drops copies of itself is obtained by checking the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
%Program Files% = "{folder path}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Personal = "{folder path}"

It uses the following file names for the copies it drops in the folders mentioned above:

  • 3delite MP3 Stream Editor v3 4 4 1980 WinALL.exe
  • Adobe Dreamweaver CS4 Keygen.exe
  • Adobe Keygen.exe
  • Adobe Photoshop CS3 Keygen.exe
  • Adobe Photoshop CS3 patch.exe
  • Adobe Photoshop CS4 Extended + Keygen + Activation.exe
  • Adobe Photoshop CS4 KeyGen.exe
  • Adobe Photoshop CS5 KeyGen.exe
  • Adobe Photoshop Keygen.exe
  • AOL Hacker 2009.exe
  • Atomix Virtual DJ v6.0.2 FINAL Professional.exe
  • Autocad 2008 Crack.exe
  • Autocad 2009 Crack.exe
  • Autocad 2010 Crack.exe
  • Autodesk 2010 Crack.exe
  • Autorun Virus Remover v2 3 1022-Lz0.exe
  • Avast AntivirusKeygen.exe
  • Avira Antivirus 2010 Keygen.exe
  • Avira Internet Security 2010 Keygen.exe
  • Babylon 8 - Instant translation tool.exe
  • Best Movie 010.exe
  • Borderlands Proper-Razor1911.exe
  • Call Of Duty Modern Warfare 2 working multiplayer patch by team eloaded.exe
  • Cisco VPN Keygen.exe
  • CleanMyPC Registry Cleaner v4 02-TE.exe
  • Counter Strike 1.7 rack.exe
  • Counter-Strike KeyGen.exe
  • Counter-Strike Source KeyGen.exe
  • cute dogs screensaver.exe
  • DeadSpace KeyGen.exe
  • DesktopCalendar.exe
  • DiceRoller2 0.exe
  • Diskeeper 2010 Pro Premier v14 0 900.exe
  • Diskeeper 2010 Pro Premier v14 0 900t Final.exe
  • DivX Pro KeyGen.exe
  • Dr Web AntiVirus v5 0 10 11260 R-EAT.exe
  • Driver Genius Professional 2009 9.0.0 Build 186.exe
  • Error Repair Professional 4 1 3 AT4RE DM999.exe
  • facebook for dummies.exe
  • Garmin mobile xt keygen.exe
  • Half-Life 2 WORKS-ON-STEAM.exe
  • Kaspersky 2010 Full Suite Keygen.exe
  • Kaspersky Antivirus 2011 Keygen.exe
  • Kaspersky Antivirus Keygen.exe
  • Kaspersky Internet Security 2011 Keygen.exe
  • Kaspersky Internet Security Keygen.exe
  • kaspersky license key 2010.exe
  • Left4Dead-STEAM-Online-Crack-WORKS-DECEMBER08.exe
  • Limewire Pro Downloader.exe
  • LimeWire Pro.exe
  • Limewire Speed Patch
  • LimeWire.Pro.v5.4.6.1.Multilingual.Retail-ZWT.exe
  • Loaris Trojan Remover 1.2.0 Patch.exe
  • Magic Video Converter Keygen.exe
  • Microsof Office 2010 keygen.exe
  • Microsoft AutoCollage 2008.exe
  • Microsoft Office 2010 Enterprise Corporate Edition.exe
  • Microsoft Office Accounting Professional 2009.exe
  • Microsoft Office Professional Plus x32 x64 2010.exe
  • Microsoft Visual Basic 2008 KeyGen.exe
  • Microsoft Visual Basic 6 KeyGen.exe
  • Microsoft Visual C++ 2008 KeyGen.exe
  • Microsoft Visual C++ 6 KeyGen.exe
  • Microsoft Visual Studio 2008 KeyGen.exe
  • Microsoft Visual Studio 6 KeyGen.exe
  • Microsoft Windows Home Server 2010 Build 7360.exe
  • Miscrosoft Office Ultimate 2007.exe
  • Movie Maker Keygen.exe
  • MS Office 2007 Activation KeyGen.exe
  • Myspace Attack.exe
  • Myspace Cracker.exe
  • MyspaceBruteforce.exe
  • NBA k11 Crack.exe
  • Nod32 Antivirus Keygen.exe
  • Nod32 Internet Security Keygen.exe
  • Norton Anti-Virus 2010 Enterprise Keygen.exe
  • Norton Internet Security 2010 Keygen.exe
  • office 2007 activation.exe
  • Partition Magic 8 Full package.exe
  • paypal hack 2010.exe
  • Photoshop CS5 Crack.exe.Adobe Photoshop Crack.exe
  • PhotoShop Keygen.exe
  • Porn 2010.exe
  • Pro Evolution Soccer 2010 Crack.exe
  • Pro Evolution Soccer 2011 Crack.exe
  • Project 7 Private 4.8.exe
  • RARPassword Recovery Magic v6 1 1 172-BEAN.exe
  • Recover Keys v3 0 3 7-MAZE.exe
  • redsn0w-win 0 8.exe
  • Registry Cleaner Keygen.exe
  • RuneScape 2009 - Newest Exploits.exe
  • RuneScape 2010 - Newest Exploits.exe
  • RuneScape Cracker.exe
  • RuneScape Gold Exploit.exe
  • ScreenCapture.exe
  • Setup OneCare for Windows 7.exe
  • Sony Vegas Pro 9.0 Full.exe
  • Steam Account Stealer.exe
  • Tcpip Patch.exe
  • Trojan Killer 2.0.6.4 Patch.exe
  • TuneUp 2010 Keygen.exe
  • Uniture Memory Booster v6 1 0 5158-MESMERiZE.exe
  • Virus Generator.exe
  • Virus Maker.exe
  • Web Dumper 3.1.1 Keygen.exe
  • Website X5 Designer v7.7 WYSIWYG Website Creator.exe
  • Windows 2008 Server KeyGen.exe
  • Windows 2009 Server working KeyGen by TeaM Reloaded.exe
  • Windows 7 Keygen.exe
  • Windows 7 Toolkit v1.8 activations+full suite.exe
  • Windows Seven Keygen.exe
  • Windows Vista Keygen.exe
  • Windows XP Keygen.exe
  • Windows XP Media Center Keygen.exe
  • WinRAR 3.92 Final.exe
  • WinRAR-3 91 Full + Keymaker.exe
  • WinZip PRO v12.1 + Serials.exe
  • WOW Account Cracker.exe
  • Xilisoft 3GP Video Converter v5 1 26 1231 Key.exe
  • Xilisoft Apple TV Video Converter v5 1 26 1030 Inc.exe
  • Xilisoft AVI MPEG Converter v5 1 26 1030 Keyg.exe
  • Xilisoft AVI MPEG Joiner v1 0 34 1012 Keygen.exe
  • Xilisoft BlackberryRingtone Maker v1 0 12 1204.exe
  • Xilisoft Blu Ray Ripper v5 2 4 0108 Keygen.exe
  • Xilisoft Burn Pro v1 0 64 0112 Keygen.exe
  • Xilisoft CD Ripper v1 0 47 0904 Keygen.exe
  • Yamicsoft Windows 7 Manager v1 1 8 x64.exe
  • YIM Acker 2008.exe
  • YIM HAcker 2009.exe
  • YouTube Downloader all Access.exe

It also searches for all .RAR files on the affected computer and adds a copy of itself to every .RAR archive it finds. The copy is added using any of the following file names:

  • AutoExtract.exe
  • Autorun.exe
  • AV_keygen.exe
  • Click_me.exe
  • drivers.com
  • extract.com
  • Extract.exe
  • Keygen.exe
  • music.exe
  • Open RAR.exe
  • rar_driver.com
  • RAR_Update.exe
  • read me.exe
  • Setup.exe
  • verify.exe
  • view.exe
  • WinR AR_Update.exe

This worm terminates itself if the user name of the currently logged-on user is any of the following (names commonly used on analysis sandboxes and honeypots):

  • currentuser
  • honey
  • nepenthes
  • sandbox
  • vmware

  SOLUTION

Minimum Scan Engine:

9.200

Step 1

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Terminate a malware/grayware process


*Note: If the detected process is not displayed in the Windows Task Manager, continue with the next steps.

     dnsupdater.exe

Step 3

Delete this registry value


Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • SunJavaUpdateSched = "%Application Data%\dnsupdater.exe"

Step 4

Search and delete AUTORUN.INF files created by WORM_SDBOT.JAB that contain these strings

[autorun]
open=autorunme.exe
icon=%SystemRoot%\system32\SHELL32.dll,8
label=USB Drive
action=USB Drive explorer
shellexecute=autorunme.exe

Step 5

Scan your computer with your Trend Micro product to delete files detected as WORM_SDBOT.JAB. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
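The AUTORUN.INF strings listed under Propagation and again in Step 4 are a usable host indicator for this worm. The script below is an added example, not part of the Trend Micro description or its tooling: it parses INF/INI-style text, reports which of the listed key/value pairs match (treating `open=` or `shellexecute=` pointing at `autorunme.exe` as decisive, since `label` and `action` values are too generic on their own), and scans a set of drive roots for a matching AUTORUN.INF together with the dropped `autorunme.exe` beside it. The two sample INF files are constructed for the example; the infected one reproduces the report's listing with CRLF line endings and mixed-case keys to show that the parser normalises them as Windows does.

```python
import os
import tempfile

# Key/value pairs from the AUTORUN.INF listed in the report. Keys and values are
# compared case-insensitively because INF handling on Windows is case-insensitive.
SDBOT_JAB_AUTORUN = {
    "open": "autorunme.exe",
    "shellexecute": "autorunme.exe",
    "label": "usb drive",
    "action": "usb drive explorer",
}

# Constructed sample based on the report's listing (CRLF, mixed case, stray spaces).
SAMPLE_INFECTED_INF = (
    "[autorun]\r\n"
    "Open=AutoRunMe.exe\r\n"
    "icon=%SystemRoot%\\system32\\SHELL32.dll,8\r\n"
    "label=USB Drive\r\n"
    "action = USB Drive explorer\r\n"
    "shellexecute=autorunme.exe\r\n"
)

# Constructed benign AUTORUN.INF: icon and label only, no execution keys.
SAMPLE_BENIGN_INF = "[autorun]\nicon=setup.exe,0\nlabel=Vendor Tools\n"


def parse_inf(text):
    """Parse INI-style INF text into {section: {key: value}}.

    Section names and keys are lower-cased; values keep their case. Blank lines,
    ';' comments and key lines that appear before any section header are skipped.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def sdbot_jab_indicators(text):
    """Return the sorted list of report indicator keys whose values match."""
    autorun = parse_inf(text).get("autorun", {})
    return sorted(key for key, expected in SDBOT_JAB_AUTORUN.items()
                  if autorun.get(key, "").lower() == expected)


def is_sdbot_jab_autorun(text):
    """Decisive only if an execution key launches autorunme.exe."""
    hits = sdbot_jab_indicators(text)
    return "open" in hits or "shellexecute" in hits


def scan_drive_roots(roots):
    """Check each drive root for an AUTORUN.INF (any case) matching the report.

    Each finding records the INF path, the matched keys, and whether the dropped
    copy autorunme.exe sits beside it, so both can be removed together.
    """
    findings = []
    for root in roots:
        try:
            names = {n.lower(): n for n in os.listdir(root)}
        except OSError:
            continue  # not mounted or not readable
        inf_name = names.get("autorun.inf")
        if inf_name is None:
            continue
        path = os.path.join(root, inf_name)
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        if is_sdbot_jab_autorun(text):
            findings.append({
                "root": root,
                "inf": path,
                "indicators": sdbot_jab_indicators(text),
                "dropper_present": "autorunme.exe" in names,
            })
    return findings


def demo():
    """Build a throwaway 'removable drive' holding the constructed sample and scan it."""
    with tempfile.TemporaryDirectory() as drive:
        with open(os.path.join(drive, "AUTORUN.INF"), "w", newline="") as fh:
            fh.write(SAMPLE_INFECTED_INF)
        open(os.path.join(drive, "autorunme.exe"), "wb").close()
        return scan_drive_roots([drive])


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a live host, call `scan_drive_roots` with the actual drive roots (for example `["D:\\", "E:\\"]`) instead of the temporary directory that `demo()` builds; deleting the INF without also removing `autorunme.exe` and the `%Application Data%\dnsupdater.exe` copy named in Step 3 leaves the dropper in place.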
