WORM_SDBOT.AXB

Malware type: Worm

Aliases: Backdoor.Win32.IRCBot.xt (Kaspersky), W32/Sdbot.worm.gen.a (McAfee), W32.IRCBot (Symantec), KIT/WebView.1 (Avira), Mal/Emogen-U (Sophos)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 95, 98, ME, NT, 2000, XP

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: High

Description: 

This worm searches for the following network shares:

  • ADMIN$
  • C$
  • IPC$

It attempts to access the said shares using a hardcoded list of weak passwords and drop a copy of itself on successfully accessed machines.

This worm takes advantage of the following Windows vulnerabilities to propagate across networks:

  • Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability
  • LSASS vulnerability

For more information about these Windows vulnerabilities, please refer to the following Microsoft Web pages:

This worm has a built-in Internet Relay Chat (IRC) client engine, which enables it to connect to the IRC server at zao.afraid.org and join the channel #eNgiNe. It then listens for commands coming from a malicious user.

This worm steals the Windows product ID. It also steals the CD keys of certain game applications.

It also performs denial of service attacks and terminates antivirus and other malware processes.

It runs on Windows 95, 98, ME, NT, 2000, and XP.

For additional information about this threat, see:

Description created: Jan. 17, 2005 12:32:24 PM GMT -0800
Description updated: Jan. 17, 2005 12:47:35 PM GMT -0800


TECHNICAL DETAILS


Size of malware: 202,240 Bytes

Initial samples received on: Jan 17, 2005

Payload 1: Compromises system security

Trigger condition 1: Upon execution

Details:

Installation and Autostart Techniques

Upon execution, this worm drops a copy of itself as DRAVEN.EXE in the Windows system folder.

It adds the following registry entries to ensure its automatic execution at every Windows startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
Windows Update Draven = "draven.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\RunServices
Windows Update Draven = "draven.exe"

It also modifies the following registry entries:

HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
EnableDCOM = From "Y" To "N"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Control\Lsa
restrictanonymous = From "dword:00000000" To "dword:00000001"

Network Propagation and Exploit

This worm searches for the following network shares:

  • ADMIN$
  • C$
  • IPC$

It attempts to access the said shares using a hardcoded list of weak passwords and drops a copy of itself on successfully accessed machines. The following passwords are used:

  • 12345
  • 123456
  • 1234567
  • 12345678
  • 123456789
  • 1234567890
  • access
  • accounting
  • accounts
  • administrador
  • administrat
  • administrateur
  • administrator
  • admins
  • backup
  • bitch
  • blank
  • brian
  • changeme
  • chris
  • cisco
  • compaq
  • computer
  • control
  • database
  • databasepass
  • databasepassword
  • db1234
  • dbpass
  • dbpassword
  • default
  • domain
  • domainpass
  • domainpassword
  • exchange
  • george
  • guest
  • hello
  • homeuser
  • internet
  • intranet
  • katie
  • linux
  • login
  • loginpass
  • nokia
  • oeminstall
  • oemuser
  • office
  • oracle
  • orainstall
  • outlook
  • owner
  • pass1234
  • passwd
  • password
  • password1
  • peter
  • qwerty
  • server
  • siemens
  • sqlpassoainstall
  • staff
  • student
  • susan
  • system
  • teacher
  • technical
  • win2000
  • win2k
  • win98
  • windows
  • winnt
  • winpass
  • winxp
  • wwwadmin

This worm takes advantage of the following Windows vulnerabilities to propagate across networks:

  • Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability
  • LSASS vulnerability

For more information about these Windows vulnerabilities, please refer to the following Microsoft Web pages:

Backdoor Capabilities

This worm has a built-in Internet Relay Chat (IRC) client engine, which enables it to connect to the IRC server at zao.afraid.org and join the channel #eNgiNe. It then listens for the following commands coming from a malicious user:

  • Add/delete network shares
  • Chat with current IRC users
  • Connect and visit URL
  • Download files from the compromised system
  • Enable and disable DCOM
  • Flush DNS
  • Get data from the clipboard
  • Get system information
  • Join and leave IRC channel
  • List and terminate processes
  • List network shares
  • Log on and log off from system
  • Manipulate files
  • Perform command shell execution of files
  • Perform information theft
  • Perform IP/port scanning
  • Perform packet flooding
  • Perform packet sniffing
  • Reboot the system
  • Search for system passwords
  • Send and receive files through IRC
  • Send email messages using SMTP through IRC
  • Start keylogging
  • Update malware copy
  • Upload files

Information Theft

This worm steals the Windows product ID. It also steals the CD keys of the following game applications:

  • Battlefield 1942
  • Battlefield 1942 (Road To Rome)
  • Battlefield 1942 (Secret Weapons of WWII)
  • Battlefield Vietnam
  • Black and White
  • Command and Conquer: Generals
  • Command and Conquer: Generals (Zero Hour)
  • Command and Conquer: Red Alert
  • Command and Conquer: Red Alert 2
  • Command and Conquer: Tiberian Sun
  • Counter-Strike (Retail)
  • FIFA 2002
  • FIFA 2003
  • Freedom Force
  • Global Operations
  • Gunman Chronicles
  • Half-Life
  • Hidden & Dangerous 2
  • IGI 2: Covert Strike
  • Industry Giant 2
  • James Bond 007: Nightfire
  • Legends of Might and Magic
  • Medal of Honor: Allied Assault
  • Medal of Honor: Allied Assault: Breakthrough
  • Medal of Honor: Allied Assault: Spearhead
  • Nascar Racing 2002
  • Nascar Racing 2003
  • Need For Speed Hot Pursuit 2
  • Need For Speed: Underground
  • Neverwinter Nights
  • NHL 2002
  • NHL 2003
  • Rainbow Six III RavenShield
  • Shogun: Total War: Warlord Edition
  • Soldier of Fortune II - Double Helix
  • Soldiers Of Anarchy
  • The Gladiators
  • Unreal Tournament 2003
  • Unreal Tournament 2004

This worm also uses a sniffer to check for the following strings and retrieve passwords:

  • : auth
  • : login
  • :!auth
  • :!hashin
  • :!login
  • :!secure
  • :!syn
  • :$auth
  • :$hashin
  • :$login
  • :$syn
  • :%auth
  • :%hashin
  • :%login
  • :%syn
  • :&auth
  • :&login
  • :*auth
  • :*login
  • :,auth
  • :,login
  • :.auth
  • :.hashin
  • :.login
  • :.secure
  • :.syn
  • :/auth
  • :/login
  • :?auth
  • :?login
  • :@auth
  • :@login
  • :\auth
  • :\login
  • :~auth
  • :~login
  • :%20auth
  • :%20login
  • :=auth
  • :=login
  • :'auth
  • :-auth
  • :'login
  • :-login
  • CDKey
  • DTrxbot
  • JOIN #
  • login
  • login
  • NICK
  • now an IRC Operator
  • OPER
  • oper
  • PASS
  • PAYPAL
  • paypal
  • PAYPAL.COM
  • paypal.com
  • Set-Cookie:
  • USER

Denial of Service

This worm is able to perform the following types of denial of service (DoS) attacks:

  • Ping flood
  • SYN flood
  • UDP flood

Analysis by: Mary Gabriel


SOLUTION


Minimum scan engine version needed: 6.810

Pattern file needed: 3.905.00

Pattern release date: Nov 6, 2006


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Identifying the Malware Program

To remove this malware, first identify the malware program.

  1. Scan your system with your Trend Micro antivirus product.
  2. NOTE all files detected as WORM_SDBOT.AXB.

Trend Micro customers need to download the latest pattern file before scanning their system. Other users can use HouseCall, Trend Micro's online virus scanner.

Terminating the Malware Program

This procedure terminates the running malware process. You will need the name(s) of the file(s) detected earlier.

  1. Open Windows Task Manager.
     • On Windows 95, 98, and ME, press CTRL+ALT+DELETE.
     • On Windows NT, 2000, and XP, press CTRL+SHIFT+ESC, then click the Processes tab.
  2. In the list of running programs*, locate the malware file(s) detected earlier.
  3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
  4. Do the same for all detected malware files in the list of running processes.
  5. To check if the malware process has been terminated, close Task Manager, and then open it again.
  6. Close Task Manager.

*NOTE: On systems running Windows 95, 98, and ME, Windows Task Manager may not show certain processes. You can use a third party process viewer such as Process Explorer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing at startup.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry:
    Windows Update Draven = "draven.exe"
  4. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>RunServices
  5. In the right panel, locate and delete the entry:
    Windows Update Draven = "draven.exe"
  6. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>OLE
  7. In the right panel, locate and delete the entry:
    Windows Update Draven = "draven.exe"
  8. Close Registry Editor.

NOTE: If you were not able to terminate the malware process as described in the previous procedure, restart your system.

Removing Modified Entries from the Registry

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Ole
  3. In the right panel, locate and modify the entry:
    EnableDCOM = From "N" To "Y"
  4. Close Registry Editor.
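The following audit script is added here as an example and is not part of this Trend Micro entry; it checks the autostart values, dropped file and modified settings documented in the Technical Details above, and removes only the autostart value when run with -RemoveAutostart. It assumes an elevated PowerShell session on the Windows host being examined.

```powershell
# Audit script added as an example (not part of this Trend Micro entry).
# Checks the registry values, dropped file and settings documented above.
# Assumes an elevated PowerShell session on the Windows host being checked.
[CmdletBinding()]
param([switch]$RemoveAutostart)

# Autostart value name exactly as this entry documents it.
$valueName = 'Windows Update Draven'
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)

$findings = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $v = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
    if ($null -ne $v) {
        $findings += "[autostart] $key\$valueName = '$($v.$valueName)'"
        if ($RemoveAutostart) {
            Remove-ItemProperty -Path $key -Name $valueName
            $findings += "[removed]   $key\$valueName"
        }
    }
}

# Dropped copy: the entry says DRAVEN.EXE in the Windows system folder
# (System32 on NT-based systems, System on Windows 9x/ME).
foreach ($dir in @('System32', 'System')) {
    $path = Join-Path $env:SystemRoot "$dir\draven.exe"
    if (Test-Path $path) { $findings += "[file]      $path is present" }
}

# Settings the worm flips: EnableDCOM "Y" -> "N", restrictanonymous 0 -> 1.
# Reported only: RestrictAnonymous=1 can also be a deliberate hardening,
# so restoring these follows the Microsoft articles the entry cites.
$ole = Get-ItemProperty 'HKLM:\Software\Microsoft\Ole' -ErrorAction SilentlyContinue
if ($ole -and $ole.EnableDCOM -eq 'N') {
    $findings += "[setting]   EnableDCOM = 'N' (entry documents 'Y' as the original)"
}
$lsa = Get-ItemProperty 'HKLM:\System\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if ($lsa -and $lsa.restrictanonymous -eq 1) {
    $findings += "[setting]   restrictanonymous = 1 (entry documents 0 as the original)"
}

if ($findings.Count -eq 0) { 'No indicators from this entry were found.' } else { $findings }
```

Run it once without the switch to confirm what is present, and again with -RemoveAutostart only after the malware process has been terminated, since the worm can otherwise rewrite the value.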

Restoring EnableDCOM and RestrictAnonymous Registry Entries

This malware modifies the EnableDCOM and RestrictAnonymous registry entries to a certain value. To know more about restoring these registry entries to their original values, please refer to these articles:

  1. COM security frequently asked questions
  2. How to disable DCOM support in Windows
  3. How to Use the RestrictAnonymous Registry Value in Windows 2000
  4. The "RestrictAnonymous" Registry Value May Break the Trust to a Windows 2000 Domain

NOTE: If you were not able to terminate the malware process as described in the previous procedure, restart your system.

Additional Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.

Users running other Windows versions can proceed with the succeeding procedure set(s).

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_SDBOT.AXB. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's online virus scanner.

Applying Patches

This malware exploits the following known vulnerabilities in Windows:

  • Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability
  • LSASS vulnerability

Download and install the fix patches listed below, supplied by Microsoft. Refrain from using this product until the appropriate patch has been installed. Trend Micro advises users to download critical patches upon release by vendors.

