F-Secure Virus Descriptions : SdBot.MD
SdBot represents a large family of backdoors, i.e. hackers' remote
access tools. These tools allow an attacker to control victims' computers
remotely by sending specific commands via IRC channels. These
backdoors can also steal data, spread to the local network and infect
computers vulnerable to exploits.
This SDBot variant was first found on May 13th, 2004 in Finland.
It uses several exploits, including the MSSQL and LSASS exploits,
to spread to vulnerable computers. The backdoor can also install
security patches on the operating system and scan for active FTP
servers. Additionally, the backdoor removes the startup Registry keys
of 3 Sasser worm variants.
F-Secure provides a special disinfection utility to eliminate the
SdBot.MD worm infection. You can download this utility from our
ftp site:
ftp://ftp.f-secure.com/anti-virus/tools/f-sdbot.exe
ftp://ftp.f-secure.com/anti-virus/tools/f-sdbot.zip
Disinfection instructions can be found here:
ftp://ftp.f-secure.com/anti-virus/tools/f-sdbot.txt
System administrators who are using F-Secure Policy Manager
can distribute the tool as a JAR package automatically to all
workstations.
System administrators can download the JAR version from:
http://www.europe.f-secure.com/tools/f-sdbot.jar
ftp://ftp.f-secure.com/anti-virus/tools/f-sdbot.jar
F-Secure Anti-Virus starting from version 5.40 can disinfect a
computer infected with SDBot.MD automatically by renaming the
backdoor's file. The computer has to be restarted to complete
disinfection.
Manual disinfection of the SDBot.MD backdoor requires renaming the
infected file named DESKTOP.EXE, located in the Windows System folder,
and restarting the system.
If the infection is in a local network, please follow the
instructions on this webpage:
http://www.f-secure.com/v-descs/netdisinf.shtml
The backdoor's file is a PE executable about 32 kilobytes long,
packed with a modified UPX file compressor.
When the backdoor's file is started, it copies itself as
DESKTOP.EXE to the Windows System folder and then creates a startup
key in the Registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"desktop"="%WinSysDir%\desktop.exe"
where %WinSysDir% represents the Windows System folder name. The
backdoor also creates the following Registry keys:
[HKLM\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo]
"DSQUERY"
"DBMSSOCN"
[HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareServer" = DWORD:0
"AutoShareWks" = DWORD:0
[HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous" = DWORD:1
[HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters]
"DisableWebDAV" = DWORD:1
"MaxClientRequestBuffer" = DWORD:4000
Then the backdoor installs the security patch KB835732 on Windows
2000 and XP computers by downloading a language-specific version
from a Microsoft site and running it. More information about
the security patch can be found here:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
The backdoor connects to one of the following IRC servers and
creates a bot there:
knix-irc.hopto.org
irc.knix.25u.com
knix-irc2.hopto.org
knix.afraid.org
The following IRC channels are used:
#virtualz
#scanlog
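The Registry values and IRC hostnames listed above are the host and network indicators a responder can check for. The following script is an added example (not part of the F-Secure description or any F-Secure tool): it parses a Windows .reg export of the affected keys and a few DNS query log lines, both constructed inline for illustration, and reports the "desktop" Run entry as a strong indicator and the other values only as supporting evidence, since an administrator may set those hardening values deliberately. The .reg export format, the log line layout and the reading of DWORD:4000 as hexadecimal 0x4000 are assumptions of the example.

```python
"""Host and network indicator check for the SdBot.MD indicators listed above.

Added example; assumes the Windows .reg export format (strings with
backslashes doubled, DWORDs as 8 hex digits) and a simple "query A <host>"
DNS log line layout. Registry paths and value names are compared
case-insensitively, as Windows treats them.
"""
import re

# IRC servers quoted from the description.
IRC_HOSTS = {
    "knix-irc.hopto.org",
    "irc.knix.25u.com",
    "knix-irc2.hopto.org",
    "knix.afraid.org",
}

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"

# Other values the description says the backdoor sets. Administrators may set
# these on purpose, so they are reported as supporting evidence only. The page
# writes MaxClientRequestBuffer as DWORD:4000; .reg exports DWORDs in hex, so
# 0x4000 is assumed here.
_LANMAN = r"hkey_local_machine\system\currentcontrolset\services\lanmanserver\parameters"
_LSA = r"hkey_local_machine\system\currentcontrolset\control\lsa"
_W3SVC = r"hkey_local_machine\system\currentcontrolset\services\w3svc\parameters"
SUPPORTING = {
    (_LANMAN, "autoshareserver"): 0,
    (_LANMAN, "autosharewks"): 0,
    (_LSA, "restrictanonymous"): 1,
    (_W3SVC, "disablewebdav"): 1,
    (_W3SVC, "maxclientrequestbuffer"): 0x4000,
}

_VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{1,8}))$')


def parse_reg_export(text):
    """Parse the subset of the .reg format used here into
    {key_path_lower: {value_name_lower: value}}; strings are unescaped,
    DWORDs become ints."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                name, s, d = m.groups()
                keys[current][name.lower()] = (
                    s.replace("\\\\", "\\") if s is not None else int(d, 16)
                )
    return keys


def registry_findings(text):
    """Return [(severity, description)] for indicators found in a .reg export."""
    keys = parse_reg_export(text)
    findings = []
    data = keys.get(RUN_KEY, {}).get("desktop")
    if isinstance(data, str) and data.lower().endswith(r"\desktop.exe"):
        findings.append(("strong", 'Run value "desktop" -> ' + data))
    for (key, name), expected in SUPPORTING.items():
        if keys.get(key, {}).get(name) == expected:
            findings.append(("supporting", f"{name} = {expected} under {key}"))
    return findings


def dns_findings(lines):
    """Return [(host, line)] for log lines that resolve one of the IRC servers."""
    hits = []
    for line in lines:
        for tok in line.split():
            host = tok.lower().rstrip(".")
            if host in IRC_HOSTS:
                hits.append((host, line))
    return hits


# Constructed sample data: an export of an infected machine's keys and three
# DNS query log lines, one of them for an unrelated host.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"desktop"="C:\\WINDOWS\\system32\\desktop.exe"
"VendorTray"="C:\\Program Files\\Vendor\\tray.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters]
"DisableWebDAV"=dword:00000001
"MaxClientRequestBuffer"=dword:00004000
"""
SAMPLE_DNS = [
    "2004-05-13 10:22:01 client 192.0.2.10 query A www.example.com",
    "2004-05-13 10:22:04 client 192.0.2.10 query A knix-irc.hopto.org",
    "2004-05-13 10:22:09 client 192.0.2.11 query A KNIX.afraid.org.",
]

if __name__ == "__main__":
    for sev, desc in registry_findings(SAMPLE_REG):
        print(f"[{sev}] {desc}")
    for host, line in dns_findings(SAMPLE_DNS):
        print(f"[network] {host}: {line}")
```

A real export is produced with `reg export` of the keys above; the supporting values on their own are not grounds for disinfection, but combined with the Run entry or the IRC lookups they corroborate the timeline of an infection.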
The backdoor can be controlled via the bot that it creates. A remote
hacker can perform the following actions:
* initialize for spreading cycle
* select spreading technique (see below)
* remove spreading technique
* select IP address range for scan
* remove IP address range for scan
* start spreading cycle
* stop spreading cycle
* get spreading cycle status
* create a remote shell
* autoupdate itself
* uninstall itself
* download files
* start files
* execute a command
* get bot information
* switch to idle mode
* delete Registry keys for 3 Sasser worm variants
* show log file
The backdoor can spread using the following exploits and
applications:
* ipc (remote shares)
* mssql (SQL servers)
* mssql_udp
* dcom1 (DCOM RPC)
* real_serv
* dame_ware (remote administration software)
* ms04011 (LSASS)
* ftp_scan (remote ftp sites)
This variant of SDBot performs a dictionary attack to get access
to remote hosts. It uses the following list of logins and
passwords:
sa
sql
admin
Administrator
test
demo
database
Administrator
Administrador
Amministratore
Administrateur
Administrat
Beheerder
guest
Gast
G?st
Invitado
Visitatore
admin
webmaster
web
www
server
data
account
backup
demo
test
access
operator
oper
local
user
master
student
pwrchute
root
admin
demo
test
guest
webmaster
web
www
server
data
account
backup
access
sysadm
sysadmin
manager
Administrator
Administrador
Amministratore
Administrateur
Administrat
Beheerder
sysop
supervisor
operator
oper
local
user
master
adm
devadmin
sysmgr
sysman
testuser
systest
%UserName%
%UserName%1
%UserName%12
%UserName%123
%UserName%1234
%UserName%12345
%UserName%pass
%UserName%qwerty
%UserName%qwert
%UserName%qwer
%UserName%abcd
%UserName%abc
%UserName%asdf
%UserName%asd
1%UserName%
12%UserName%
123%UserName%
1234%UserName%
12345%UserName%
abc%UserName%
abcd%UserName%
qwerty%UserName%
asdf%UserName%
!@#$%UserName%
!@#%UserName%
!@%UserName%
!%UserName%
%UserName%!@#$
%UserName%!@#
%UserName%!@
%UserName%!
1
11
111
1111
11111
111111
1111111
11111111
12
123
1234
12345
123456
1234567
12345678
654321
54321
4321
321
123123
12341234
31337
1337
00000000
88888888
5201314
1234qwer
123qwe
123abc
123asd
abc123
abcd
asdf
asdfgh
Administrator
admin
root
pass
passwd
password
super
master
backup
pass
test
user
temp
secret
computer
demo
windows
monitor
manager
operator
oper
local
server
share
full
digital
einstein
guess
system
sql
database
sybase
internet
locked
access
qwerty
newpass
pasword
guest
access
keyboard
windows
mouse
rules
linux
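Because the dictionary is fixed, the defensive counterpart is a password policy check that rejects every entry, including the username-derived forms. The script below is an added example, not F-Secure's code: it takes an abridged copy of the wordlist above (the full list is the one printed in the description, with its duplicates collapsed) and the %UserName% templates, expands the templates against the account name being checked, and reports why a candidate password would be rejected. It assumes %UserName% stands for the account name and compares case-insensitively, which is stricter than the backdoor's own list.

```python
"""Password blocklist check against the SdBot.MD dictionary listed above.

Added example. The static list is abridged from the description; the
%UserName% templates are reproduced in full. Comparison is case-insensitive
on purpose: a policy should reject "Password" as well as "password".
"""

# Abridged static entries from the list above (duplicates dropped).
STATIC_WORDS = """
sa sql admin Administrator test demo database Administrador Amministratore
Administrateur Administrat Beheerder guest Gast Invitado Visitatore webmaster
web www server data account backup access operator oper local user master
student pwrchute root sysadm sysadmin manager sysop supervisor adm devadmin
sysmgr sysman testuser systest
1 11 111 1111 11111 111111 1111111 11111111 12 123 1234 12345 123456 1234567
12345678 654321 54321 4321 321 123123 12341234 31337 1337 00000000 88888888
5201314 1234qwer 123qwe 123abc 123asd abc123 abcd asdf asdfgh
pass passwd password super temp secret computer windows monitor share full
digital einstein guess system sybase internet locked qwerty newpass pasword
keyboard mouse rules linux
""".split()

# Username-derived templates, reproduced from the list above.
TEMPLATES = [
    "%UserName%", "%UserName%1", "%UserName%12", "%UserName%123",
    "%UserName%1234", "%UserName%12345", "%UserName%pass", "%UserName%qwerty",
    "%UserName%qwert", "%UserName%qwer", "%UserName%abcd", "%UserName%abc",
    "%UserName%asdf", "%UserName%asd", "1%UserName%", "12%UserName%",
    "123%UserName%", "1234%UserName%", "12345%UserName%", "abc%UserName%",
    "abcd%UserName%", "qwerty%UserName%", "asdf%UserName%", "!@#$%UserName%",
    "!@#%UserName%", "!@%UserName%", "!%UserName%", "%UserName%!@#$",
    "%UserName%!@#", "%UserName%!@", "%UserName%!",
]

_STATIC_LOWER = {w.lower() for w in STATIC_WORDS}


def expand_templates(username):
    """Instantiate every %UserName% template for one account name."""
    return {t.replace("%UserName%", username) for t in TEMPLATES}


def sdbot_dictionary_match(username, password):
    """Return the kind of dictionary entry a password matches, or None.

    "literal entry": the password is one of the fixed words.
    "username-derived entry": the password is the account name with one of
    the fixed prefixes or suffixes (or the bare account name).
    """
    pw = password.lower()
    if pw in _STATIC_LOWER:
        return "literal entry"
    derived = {d.lower() for d in expand_templates(username)}
    if pw in derived:
        return "username-derived entry"
    return None


def check_new_password(username, password):
    """Policy hook: (accepted, reason). Rejects anything the dictionary covers."""
    kind = sdbot_dictionary_match(username, password)
    if kind is not None:
        return False, f"password is a known brute-force dictionary {kind}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample account name and candidates.
    for candidate in ["jsmith123", "Password", "!@#$jsmith", "31337", "tY9-plum-orbit-48"]:
        print(candidate, check_new_password("jsmith", candidate))
```

The check belongs in whatever path sets or resets account passwords, including service accounts such as the SQL "sa" login, which the list targets by name; it does not replace a general strength policy but removes exactly the candidates this variant tries.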
This is quite an unusual backdoor indeed. It spreads around,
kills the Sasser worm and installs security patches. But it still
remains a backdoor.
F-Secure Anti-Virus detects SDBot.MD with the following update:
[FSAV_Database_Version]
Version=2004-05-13_03
Technical Details:
Alexey Podrezov, May 13th, 2004;
Description Updated:
Alexey Podrezov, September 10th, 2004;
F-Secure Corporation