Category: WINDOWS

2007-07-18 23:03:00

Sdbot.worm clown.dll removal tool

Posted by dili on 2007-6-17 07:02. Source:

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Characteristics

This is a variant of W32/Sdbot.worm which bears strong resemblance to the many other members of this rapidly growing family.

It is detected as W32/Sdbot.worm.gen.y with the specified engine and DATs, and looks for vulnerable systems on TCP port 135.

The worm:

propagates to machines vulnerable to the following exploit:
DCOM RPC (MS03-026): http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
propagates to machines with poorly secured network shares (weak username/password combinations)
propagates to remote machines (it generates random IPs) by attempting to copy itself to a number of shares
also propagates through any backdoors installed by the Mydoom family of worms
provides a backdoor to the victim machine, thereby compromising data on that machine (significant remote access functionality is available to the hacker)
Symptoms

When run, the bot installs itself into the Windows system directory as WINSYS.EXE, for example:

C:\WINDOWS\system32\winsys.exe

System startup is hooked via the addition of the following keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Configuration Loader" = winsys.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Configuration Loader" = winsys.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "Configuration Loader" = winsys.exe

The bot attempts to connect to a remote IRC server (weed.dmrelite.com) on TCP destination port 6667. Users should note that the bot can be instructed to update, which will almost certainly result in the bot connecting to a different server, and on a different port.

Other symptoms include:

opening other ports on the victim machine, including port 113. These will likely be variable since the bot provides a backdoor for the hacker to initiate services on demand. For example, compromised machines are often used as FTP or HTTP servers (maybe not using default ports), or as SMTP or HTTP proxies.

removal of the following shares on the victim machine:

ADMIN$
IPC$
D$
C$
Method of Infection

Share Propagation

The worm scans random IP subnets for machines present on the network. Once a system is found, the worm tries to connect to the C$, D$, E$, IPC$, Print$ and Admin$ shares on that machine. The following usernames and passwords, which are carried by the worm, are used to gain access to these shares:

The worm also attempts to infect remote machines by copying itself to the following shares on randomly generated IP numbers:

\IPC$\msgfix.exe
\D$\msgfix.exe
\print$\msgfix.exe
\c$\msgfix.exe
\Admin$\msgfix.exe
\c$\windows\system32\msgfix.exe
\c$\winnt\system32\msgfix.exe
\Admin$\system32\msgfix.exe
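As an added defender-side example (not part of the original advisory), the following Python script turns the Symptoms section and the share-propagation behaviour above into two triage checks: a match on the Run/RunServices persistence entry and the winsys.exe/msgfix.exe dropper names, and a pass over flow records that flags hosts talking to the IRC C2 port or fanning out on the DCOM/SMB ports. The registry exports, flow records, host addresses and the 20-target fan-out threshold are all constructed assumptions.

```python
"""Triage checks for the W32/Sdbot.worm.gen.y indicators in this advisory.
All inputs below are constructed sample data, not real telemetry."""
from collections import defaultdict

# Indicators taken from the advisory text
PERSISTENCE_VALUE = "configuration loader"    # Run/RunServices value name
DROPPER_NAMES = {"winsys.exe", "msgfix.exe"}  # installed copy and share-drop copy
IRC_PORT = 6667                               # default C2 port (can change after an update)
SCAN_PORTS = {135, 139, 445}                  # DCOM RPC and SMB share propagation
SCAN_THRESHOLD = 20                           # assumption: distinct targets per source

def check_run_keys(run_entries):
    """run_entries: (key_path, value_name, data) tuples exported from the
    Run / RunServices keys. Returns the entries matching the persistence indicator."""
    hits = []
    for key, name, data in run_entries:
        exe = data.strip().strip('"').replace("/", "\\").split("\\")[-1].lower()
        if name.strip().lower() == PERSISTENCE_VALUE or exe in DROPPER_NAMES:
            hits.append((key, name, data))
    return hits

def check_flows(flows):
    """flows: 'src dst dport' records. Flags sources that talk to the IRC port
    or that touch many distinct hosts on the propagation ports (scan fan-out)."""
    reasons = defaultdict(set)
    fanout = defaultdict(set)
    for line in flows:
        src, dst, dport = line.split()
        if int(dport) == IRC_PORT:
            reasons[src].add("irc-c2")
        if int(dport) in SCAN_PORTS:
            fanout[src].add(dst)
    for src, dsts in fanout.items():
        if len(dsts) >= SCAN_THRESHOLD:
            reasons[src].add("share-scan")
    return {src: sorted(r) for src, r in reasons.items()}

# Constructed sample data
SAMPLE_RUN_ENTRIES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Configuration Loader", "winsys.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices", "Updater", r"C:\WINDOWS\system32\msgfix.exe"),
]
SAMPLE_FLOWS = (["10.0.0.5 198.51.100.7 6667"]                        # one IRC connection
                + [f"10.0.0.5 192.0.2.{i} 445" for i in range(1, 31)]  # 30 distinct SMB targets
                + ["10.0.0.9 10.0.0.1 445", "10.0.0.9 10.0.0.2 135"])  # normal low fan-out

if __name__ == "__main__":
    print("persistence:", check_run_keys(SAMPLE_RUN_ENTRIES))
    print("network:", check_flows(SAMPLE_FLOWS))
```

The flow check is deliberately port-based rather than tied to weed.dmrelite.com, since the advisory notes the bot can be updated to use a different server and port.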
Remote Access Functionality

Once running, and under remote command by the hacker(s) a wealth of functionality is available. Given the bot can also be instructed to update itself, and download/execute other binaries, there will likely be other rootkits and backdoors installed on compromised machines.

Functionality includes:

view, modify Registry data
browse filesystem
browse, terminate, start processes
upload, download, delete, modify, execute files
run FTP server
run HTTP proxy
run SOCKS proxy
run TCP proxy
disable shares on victim
harvest data (see below)
launch DoS attack from victim machine
perform network scans (locate other vulnerable machines)

Data harvesting

The worm specifically includes code to harvest data concerning various applications that may be installed on the victim machine. This data includes serial numbers and CD keys, for example:

Software\IGI 2 Retail\CDKey
Software\Electronic Arts\EA GAMES\Generals\ergc
Software\Electronic Arts\EA Sports\FIFA 2003\ergc
Software\Electronic Arts\EA GAMES\Need For Speed Hot Pursuit 2\ergc
Software\Activision\Call of Duty
Software\Activision\Soldier of Fortune II - Double Helix
Software\BioWare\NWN\Neverwinter
SOFTWARE\Red Storm Entertainment\RAVENSHIELD
SOFTWARE\Electronic Arts\EA GAMES\Battlefield 1942 The Road to Rome
SOFTWARE\Electronic Arts\EA GAMES\Battlefield 1942
SOFTWARE\IGI 2 Retail
Software\Valve\CounterStrike\Settings
Software\Unreal Technology\Installed Apps\UT2003
Software\Valve\Half-Life\Settings

