BKDR_SDBOT.IR

Malware type: Backdoor

Aliases: W32/Sdbot.worm.gen (McAfee), Backdoor.SDBot.Gen (Symantec), BDS/Sdbot.26551 (Avira), W32/Sdbot-Fam (Sophos)

In the wild: Yes

Destructive: Yes

Language: English

Platform: Windows NT, 2000, XP

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: High

Description: 

This backdoor drops malicious files detected by Trend Micro as BAT_SERVU.A and TROJ_NCX99.A. It performs the following DoS attacks against target locations:

  • SYN flood
  • UDP flood

This malware comes with an Internet Relay Chat (IRC) client, which allows it to connect to an IRC channel and perform the following commands:

  • Check malware's status
  • Configure the infected system to act as a SOCKS4 proxy server
  • Connect to a specified IRC server
  • Disconnect from IRC server
  • Display system info such as the following:
    • CPU
    • Size of memory
    • Windows OS
    • Platform ID
    • User name
    • Uptime
  • Download, update and execute file from a Web site
  • Execute an .EXE file
  • Get list of CD keys
  • Join an IRC channel
  • Leave an IRC channel
  • List running processes
  • Open a file
  • Randomize nick
  • Send message to private user
  • Terminate a process
  • Uninstall malware
  • Update malware

It also steals the CD keys of several software games.

It runs on Windows NT, 2000 and XP.

Description created: Mar. 16, 2004 8:55:40 AM GMT -0800
Description updated: Nov. 21, 2004 6:49:48 AM GMT -0800


TECHNICAL DETAILS


Size of malware: 76,800 Bytes (compressed), 133,632 Bytes (uncompressed)

Initial samples received on: Mar 16, 2004

Related to: BAT_SERVU.A, TROJ_NCX99.A

Payload 1: Steals CD keys

Trigger condition 1: Upon Execution

Payload 2: Compromises network security

Details:

Installation and Autostart

Upon execution, this backdoor drops a copy of itself in the Windows system folder as GT.EXE.

It creates the following registry entries so that it runs at every system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\RunServices
Microsoft Windows WKS Service = "gt.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run
Microsoft Windows WKS Service = "gt.exe"

Malware Components

It further drops the following malicious files:

  • a.bat - allows this malware to connect to a remote hacker's FTP (File Transfer Protocol) server to update itself, remove network shares, and configure the SERV-U FTP server. This file is detected as BAT_SERVU.A.

  • msnsrv.exe - a modified version of the NETCAT for NT tool, which reads and writes data across network connections over the Transmission Control Protocol (TCP) or User Datagram Protocol (UDP). This modified version acts as a backdoor that gives a remote user access to the infected computer. This file is detected as TROJ_NCX99.A.

Denial of Service (DoS) Attack

This backdoor performs the following DoS attacks against target locations:

  • SYN flood
  • UDP flood

Backdoor Capabilities

This malware comes with an Internet Relay Chat (IRC) client, which allows it to connect to an IRC channel and perform the following commands:

  • Check malware's status
  • Configure the infected system to act as a SOCKS4 proxy server
  • Connect to a specified IRC server
  • Disconnect from IRC server
  • Display system info such as the following:
    • CPU
    • Size of memory
    • Windows OS
    • Platform ID
    • User name
    • Uptime
  • Download, update and execute file from a Web site
  • Execute an .EXE file
  • Get list of CD keys
  • Join an IRC channel
  • Leave an IRC channel
  • List running processes
  • Open a file
  • Randomize nick
  • Send message to private user
  • Terminate a process
  • Uninstall malware
  • Update malware

Information Theft

Lastly, this backdoor obtains the CD keys of the following software games:

  • Battlefield 1942
  • Battlefield 1942 Road To Rome
  • Command & Conquer Generals
  • Counter-Strike
  • FIFA 2003
  • Half-Life
  • IGI 2
  • Need For Speed Hot Pursuit 2
  • Neverwinter Nights
  • Project IGI 2
  • Rainbow Six III RavenShield
  • Red Alert 2
  • Soldier of Fortune II
  • The Gladiators
  • Tiberian Sun
  • Unreal Tournament 2003



Analysis by: Karmina Aquino


SOLUTION


Minimum scan engine version needed: 6.810

Pattern file needed: 2.258.02

Pattern release date: Mar 16, 2004


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Restarting in Safe Mode

• On Windows NT (VGA mode)

  1. Click Start>Settings>Control Panel.
  2. Double-click the System icon.
  3. Click the Startup/Shutdown tab.
  4. Set the Show List field to 10 seconds and click OK to save this change.
  5. Shut down and restart your computer.
  6. Select VGA mode from the startup menu.

• On Windows 2000

  1. Restart your computer.
  2. Press the F8 key when you see the Starting Windows bar at the bottom of the screen.
  3. Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.

• On Windows XP

  1. Restart your computer.
  2. Press F8 after the Power-On Self Test (POST) is done. If the Windows Advanced Options Menu does not appear, try restarting and then pressing F8 several times after the POST screen.
  3. Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.

Note: After performing all the solutions for the removal of this malware, please restart your system normally, and run your Trend Micro antivirus product.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

To remove the malware autostart entries:

  1. Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry:
    Microsoft Windows WKS Service = "gt.exe"
  4. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>
    CurrentVersion>RunServices
  5. In the right panel, locate and delete the entry:
    Microsoft Windows WKS Service = "gt.exe"
  6. Close Registry Editor.

NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.
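The following Python script is an added detection example, not part of this Trend Micro write-up: it parses a registry export in .reg text format and flags the Run/RunServices autostart values described under Installation and Autostart and in the removal procedure above. The export text is a constructed sample; the value name and the file names (gt.exe, a.bat, msnsrv.exe) are the ones this page reports.

```python
import re

# Autostart keys and the value name the write-up says the backdoor creates.
AUTOSTART_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
VALUE_NAME = "Microsoft Windows WKS Service"
# File names dropped by this backdoor according to the write-up.
DROPPED_FILES = {"gt.exe", "a.bat", "msnsrv.exe"}

def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from .reg style text."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            entries[current][name.strip('"')] = data.strip().strip('"')
    return entries

def find_sdbot_autostart(reg_text):
    """List (key, value_name, data) for Run/RunServices values that use the
    value name from this write-up or reference one of its dropped files."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() not in AUTOSTART_KEYS:
            continue
        for name, data in values.items():
            basename = re.split(r"[\\/]", data.lower())[-1]
            if name == VALUE_NAME or basename in DROPPED_FILES:
                hits.append((key, name, data))
    return hits

# Constructed sample export: two benign values plus the two entries from the page.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMgr"="C:\\WINDOWS\\system32\\soundmgr.exe"
"Microsoft Windows WKS Service"="gt.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Windows WKS Service"="gt.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Vendor\\updater.exe"
'''
```

Run `find_sdbot_autostart` over an export produced with `reg export HKLM\Software\Microsoft\Windows\CurrentVersion out.reg`; each hit names a key and value to remove by the procedure above.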

Additional Windows ME/XP Cleaning Instructions

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as BKDR_SDBOT.IR, TROJ_NCX99.A and BAT_SERVU.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.
