SdBot represents a large family of backdoors, i.e. hackers' remote
access tools. These tools allow an attacker to control victims'
computers remotely by sending specific commands via IRC channels.
These backdoors can also steal data, spread to the local network and
to computers vulnerable to exploits.
This SDBot variant was first found on May 12th, 2004 in Finland.
It uses different exploits, including the LSASS exploit, to spread
to vulnerable computers. Additionally, this backdoor steals
registration codes of popular games and can work as a keylogger.
F-Secure provides a special disinfection utility to eliminate the
SdBot.MB worm infection. You can download this utility from our
ftp site:
ftp://ftp.f-secure.com/anti-virus/tools/f-sdbot.exe
ftp://ftp.f-secure.com/anti-virus/tools/f-sdbot.zip
Disinfection instructions can be found here:
ftp://ftp.f-secure.com/anti-virus/tools/f-sdbot.txt
System administrators who are using F-Secure Policy Manager
can distribute the tool as a JAR package automatically to all
workstations.
System administrators can download the JAR version from:
http://www.europe.f-secure.com/tools/f-sdbot.jar
ftp://ftp.f-secure.com/anti-virus/tools/f-sdbot.jar
F-Secure Anti-Virus, starting from version 5.40, can disinfect a
computer infected with SDBot.MB automatically by renaming the
backdoor's file. The computer has to be restarted to complete the
disinfection.
Manual disinfection of the SdBot.MB backdoor requires renaming the
backdoor's file, named SNDCFG16.EXE and located in the Windows System
folder, and restarting the system. Please note that the backdoor's
file has the read-only, system and hidden attributes set, so Windows
Explorer has to be configured to show such files.
If the infection is in a local network, please follow the
instructions on this webpage:
http://www.f-secure.com/v-descs/netdisinf.shtml
The backdoor's file is a PE executable about 93 kilobytes long,
packed with Yoda and PECompact file compressors.
When the backdoor's file is started, it copies itself as
SNDCFG16.EXE to the Windows System folder, sets the hidden, system
and read-only attributes on itself and then creates the following
startup keys in the Registry:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MS Sound Config 16bit"="sndcfg16.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"MS Sound Config 16bit"="sndcfg16.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MS Sound Config 16bit"="sndcfg16.exe"
The backdoor monitors Registry changes and re-creates these keys
if they are deleted or modified.
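The three autostart entries above are the most practical host indicator for this variant. The following Python function, added here as an illustration and not part of the original description, scans a text registry export (.reg format, as produced by regedit) for them; the sample export is constructed for the example.

```python
import re

# Persistence indicators taken from the description above: the three
# Run/RunServices keys SdBot.MB writes, its value name and its file name.
PERSISTENCE_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}
VALUE_NAME = "ms sound config 16bit"
FILE_NAME = "sndcfg16.exe"
# .reg exports list values as "name"="data" under a [key] header line.
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"$')


def find_sdbot_persistence(reg_export):
    """Return (key, data) pairs for every value in a text registry export
    (.reg format) that matches the SdBot.MB autostart entry. Matching is
    case-insensitive, as the registry is; the key is returned as written."""
    hits, current_key = [], None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key is None or current_key.lower() not in PERSISTENCE_KEYS:
            continue
        m = VALUE_RE.match(line)
        if m and m.group(1).lower() == VALUE_NAME and FILE_NAME in m.group(2).lower():
            hits.append((current_key, m.group(2)))
    return hits


# Constructed sample export (not from a real host): two infected keys plus
# unrelated legitimate values that must not be reported.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MS Sound Config 16bit"="sndcfg16.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"MS Sound Config 16bit"="sndcfg16.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Vendor\\updater.exe"
"""
```

Because the backdoor re-creates the keys while it runs, a hit here means the process must be stopped (or the file renamed and the system restarted, as described above) before the entries can be removed for good.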
SDBot.MB kills the processes of security and anti-virus software
and also the processes of certain malware (for example, Bagle). The
processes with the following names are killed:
regedit.exe
msconfig.exe
netstat.exe
msblast.exe
zapro.exe
navw32.exe
navapw32.exe
zonealarm.exe
wincfg32.exe
taskmon.exe
PandaAVEngine.exe
sysinfo.exe
mscvb32.exe
MSBLAST.exe
teekids.exe
Penis32.exe
bbeagle.exe
SysMonXP.exe
winupd.exe
winsys.exe
ssate.exe
rate.exe
d3dupdate.exe
irun4.exe
i11r54n4.exe
The backdoor can scan for vulnerable computers using different
types of exploits and also tries to locate other backdoors installed
on remote hosts. Here is the list of scanner capabilities:
* WebDav (port 80)
* NetBios (port 139)
* NTPass (port 445)
* DCom (ports 135, 1025)
* DCom2 (port 135)
* MSSQL (port 1433)
* LSASS (port 445)
* UPNP (port 5000)
* Optix backdoor (port 3140)
* Bagle backdoor (port 2745)
* Kuang backdoor (port 17300)
* Mydoom backdoor (port 3127)
* NetDevil backdoor (port 903)
* SubSeven backdoor (port 27347)
* DameWare remote management software (port 6129)
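On the network side, the scanner shows up as one internal host sweeping many neighbours on the ports listed above. The following Python detection logic is an added example, not part of the original description; the firewall-log line format it parses is an assumption, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Ports the SdBot.MB scanner probes, taken from the list above: exploit
# targets (WebDav, NetBios, NTPass, DCom, MSSQL, LSASS, UPNP) and the
# ports of other backdoors and DameWare it looks for on remote hosts.
SDBOT_SCAN_PORTS = {80, 139, 445, 135, 1025, 1433, 5000,
                    3140, 2745, 17300, 3127, 903, 27347, 6129}

# Constructed firewall-log format (an assumption, not a real product's
# format): one connection attempt per line as 'src=A dst=B dport=N'.
LOG_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+dport=(\d+)")


def find_scanners(log_lines, min_targets=5):
    """Return {src: sorted list of SdBot-scanned ports it probed} for every
    source that contacted at least `min_targets` distinct hosts on those
    ports. A single host talking to one file server on 445 is normal; the
    same host sweeping many neighbours on 445/135 is the worm's scanner."""
    hosts = defaultdict(set)   # src -> set of distinct destinations
    ports = defaultdict(set)   # src -> set of scanned ports touched
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue          # ignore lines that are not connection records
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        if dport in SDBOT_SCAN_PORTS:
            hosts[src].add(dst)
            ports[src].add(dport)
    return {src: sorted(ports[src])
            for src, dsts in hosts.items() if len(dsts) >= min_targets}


# Constructed sample: 10.0.0.5 sweeps six neighbours on LSASS/DCom ports
# (SdBot-like); 10.0.0.9 only talks to one server; one line is malformed.
SAMPLE_LOG = [f"src=10.0.0.5 dst=10.0.1.{i} dport={p}"
              for i in range(1, 7) for p in (445, 135)]
SAMPLE_LOG += ["src=10.0.0.9 dst=10.0.1.50 dport=445",
               "src=10.0.0.9 dst=10.0.1.50 dport=80",
               "firewall restarted"]
```

The threshold is deliberately a parameter: on a network where one server legitimately contacts many hosts on 445 or 139, raise `min_targets` or exclude that server rather than lowering the port list.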
The backdoor starts an IDENTD server on port 113. A hacker can
control the backdoor via a bot that it creates in a certain IRC
channel. The backdoor's capabilities are the following:
* start HTTP server on an infected computer
* start FTP server on an infected computer
* scan for vulnerable computers (open ports and exploits)
* make use of exploits and spread to remote computers
* start/stop keylogger
* get system information including information about OS, network and drives
* operate backdoor's bot (nick change, dcc send/receive, join/part channels, etc.)
* perform DDoS (Distributed Denial of Service) attacks: SYN, ICMP and UDP flood
* find, download and run files
* search for passwords
* start/stop remote services
* create/delete remote shares
* flush DNS cache
* ping any host
* list, start and kill processes
* sniff network traffic
* start remote command shell
* capture video from a webcam
* capture a screenshot
* redirect traffic on certain ports
* perform portscan
* send e-mails (work as an e-mail proxy)
* open a URL with default web browser
SDBot.MB steals CD keys for the following games if they are
installed on an infected computer:
Counter-Strike (Retail)
The Gladiators
Gunman Chronicles
Half-Life
Industry Giant 2
Legends of Might and Magic
Soldiers Of Anarchy
Unreal Tournament 2003
Unreal Tournament 2004
IGI 2: Covert Strike
Freedom Force
Battlefield 1942
Battlefield 1942 (Road To Rome)
Battlefield 1942 (Secret Weapons of WWII)
Battlefield Vietnam
Black and White
Command and Conquer: Generals (Zero Hour)
James Bond 007: Nightfire
Command and Conquer: Generals
Global Operations
Medal of Honor: Allied Assault
Medal of Honor: Allied Assault: Breakthrough
Medal of Honor: Allied Assault: Spearhead
Need For Speed Hot Pursuit 2
Need For Speed: Underground
Shogun: Total War: Warlord Edition
FIFA 2002
FIFA 2003
NHL 2002
NHL 2003
Nascar Racing 2002
Nascar Racing 2003
Rainbow Six III RavenShield
Command and Conquer: Tiberian Sun
Command and Conquer: Red Alert
Command and Conquer: Red Alert 2
NOX
Chrome
Hidden & Dangerous 2
Soldier of Fortune II - Double Helix
Neverwinter Nights
Neverwinter Nights (Shadows of Undrentide)
Neverwinter Nights (Hordes of the Underdark)
The backdoor also steals the Microsoft Windows Product ID.
F-Secure Anti-Virus detects SdBot.MB with the following update:
[FSAV_Database_Version]
Version=2004-05-12_04
Technical Details:
Alexey Podrezov, May 13th, 2004;
Description Updated:
Alexey Podrezov, September 10th, 2004;
F-Secure Corporation