Analysis by: Sabrina Lei Sioting

ALIASES:

Worm:Win32/Pushbot.gen!C (Microsoft), W32.IRCBot.Gen (Symantec), W32/Generic.b.worm (McAfee), Mal/IRCBot-C (Sophos), Trojan.Win32.Ircbot!cobra (Sunbelt), W32/IRCBot.GNT!tr (Fortinet); Virus.Win32.IRCBot.BSX (Ikarus), Win32/AutoRun.IRCBot.FC (Nod32),

 PLATFORM:

Windows 2000, XP, Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel: Propagates via removable drives, Downloaded from the Internet, Propagates via peer-to-peer networks

This worm arrives via peer-to-peer (P2P) shares. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size: 45,056 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 24 Jan 2012
Payload: Compromises system security, Connects to URLs/IPs

Arrival Details

This worm arrives via peer-to-peer (P2P) shares.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following copies of itself into the affected system:

  • %Windows%\test.exe

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

  • SystemUtil

It injects itself into the following processes as part of its memory residency routine:

  • TASKMGR.EXE

It terminates itself if it finds the following processes in the affected system's memory:

  • zlclient.exe

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
test = "test.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Terminal Server\
Install\Software\Microsoft\
Windows\CurrentVersion\Run
test = "test.exe"

Other System Modifications

This worm creates the following registry entry(ies) to bypass Windows Firewall:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
{malware path}\{malware name}.exe = "{malware path}\{malware name}.exe:*:Enabled:test"

Backdoor Routine

This worm connects to any of the following IRC server(s):

  • irc.{BLOCKED}e.com

NOTES:

This worm drops copies of itself in the following folders used in peer-to-peer networks:

  • {folder path}\kazaa\my shared folder\
  • {folder path}\kazaa lite\my shared folder\
  • {folder path}\kazaa lite k++\my shared folder\
  • {folder path}\icq\shared folder\
  • {folder path}\grokster\my grokster\
  • {folder path}\bearshare\shared\
  • {folder path}\edonkey2000\incoming\
  • {folder path}\emule\incoming\
  • {folder path}\morpheus\my shared folder\
  • {folder path}\limewire\shared\
  • {folder path}\tesla\files\
  • {folder path}\winmx\shared\

The folder path mentioned above is obtained by checking the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
%Program Files% = "{folder path}"

It uses the following file names for the copies it drops in the folders mentioned above:

  • Bebo/Myspace/Facebook Password Stealer.exe
  • Counter Strike Source Crack.exe
  • Dark DDoS Tool.exe
  • DCOM Exploit.exe
  • DivX Pro + KeyGen.exe
  • Hotmail Cracker.exe
  • Hotmail Hacker.exe
  • Kaspersky Crack.exe
  • Keylogger.exe
  • L0pht 4.0 Windows Password Cracker.exe
  • Limewire PRO Final Edition.exe
  • Microsoft Visual Basic KeyGen.exe
  • Microsoft Visual C++ KeyGen.exe
  • Microsoft Visual Studio KeyGen.exe
  • MSN Keylogger.exe
  • MSN Password Cracker.exe
  • MSN Password Stealer.exe
  • MSN Spammer/Nudger.exe
  • NetBIOS Cracker.exe
  • NetBIOS Hacker.exe
  • Norton AntiVirus ALL VERSIONS Crack.exe
  • older man and young boy.scr
  • SAMP GTA MultiPlayer.exe
  • sdbot with NetBIOS Spread.exe
  • Spore Crack.exe
  • Spore Full Patcher.exe
  • Steam Crack.exe
  • Steam KeyGen.exe
  • Sub7 2.3 Private.exe
  • teen sex.scr
  • Windows Password Cracker.exe
  • Windows XP Validator Crack.exe
  • Young boy nude.scr
  • Young girl and boy sex.scr
  • young girl first time.scr
  • Young girl nude.scr
  • Youtube Account Cracker.exe

This worm terminates itself if the user name of the currently logged on user is any of the following:

  • currentuser
  • honey
  • sandbox
  • vmware

  SOLUTION

Minimum Scan Engine: 9.200

Step 1

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Restart in Safe Mode

[ Learn More ]

Step 3

Delete this registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

 
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • test = "test.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
    • test = "test.exe"
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    • {malware path}\{malware name}.exe = "{malware path}\{malware name}.exe:*:Enabled:test"

Step 4

Restart in normal mode and scan your computer with your Trend Micro product for files detected as WORM_SDBOT.SPS. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.