Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 4 April 2005 05:12:35 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Sdbot-WR is a Windows network worm which attempts to spread via network shares. The worm contains backdoor functions that allow unauthorised remote access to the infected computer via IRC channels while it runs in the background.
The worm spreads to network shares with weak passwords and also by using the LSASS security exploit (MS04-011) and the RPC-DCOM security exploit (MS03-039).
When run, W32/Sdbot-WR copies itself to the Windows System folder as a hidden, read-only, system file named msdrv.exe.
In order to run itself on user logon, the worm performs the following two actions:
- creates the following registry entries, each with the value name `Ms Sound Drivers` set to `msdrv.exe`:

```text
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Ms Sound Drivers = msdrv.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    Ms Sound Drivers = msdrv.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Ms Sound Drivers = msdrv.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
    Ms Sound Drivers = msdrv.exe
```
- creates a startup service with the following characteristics:
servicename = msdirectx
displayname = msdirectx
imagepath = %SYSTEM%\msdrv.exe
The worm does this by creating the following registry entries (value name = data under each key):

```text
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSDIRECTX
    NextInstance = dword:00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSDIRECTX\0000
    Service = msdirectx
    Legacy = dword:00000001
    ConfigFlags = dword:00000000
    Class = LegacyDriver
    ClassGUID = (random Class ID)
    DeviceDesc = msdirectx
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSDIRECTX\0000\Control
    *NewlyCreated* = dword:00000000
    ActiveService = msdirectx
HKLM\SYSTEM\CurrentControlSet\Services\msdirectx
    Type = dword:00000001
    Start = dword:00000003
    ErrorControl = dword:00000001
    ImagePath = <path to worm>
    DisplayName = msdirectx
HKLM\SYSTEM\CurrentControlSet\Services\msdirectx\Enum
    0 = Root\\LEGACY_MSDIRECTX\\0000
    Count = dword:00000001
    NextInstance = dword:00000001
HKLM\SYSTEM\CurrentControlSet\Services\msdirectx\Security
    Security = <sequence of hexadecimal bytes>
```
The worm also creates the following registry entries:

```text
HKCU\Software\Microsoft\OLE
    Ms Sound Drivers = msdrv.exe
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
    Ms Sound Drivers = msdrv.exe
```
W32/Sdbot-WR also changes the following registry entries from their default Windows values:

| Key | Value name | Default (from) | Changed to |
|---|---|---|---|
| HKLM\SOFTWARE\Microsoft\Ole | EnableDCOM | Y | N |
| HKLM\SYSTEM\CurrentControlSet\Control\Lsa | restrictanonymous | dword:00000000 | dword:00000001 |
| HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess | Start | dword:00000003 | dword:00000004 |
| HKLM\SYSTEM\CurrentControlSet\Services\wuauserv | Start | dword:00000002 | dword:00000004 |
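The persistence entries and default-value changes above are all visible in a registry export, so a responder can check a suspect host offline. The following script is an added example for this page, not Sophos code: it parses the subset of `.reg` syntax that `reg export` produces (string and `dword` values), normalises hive names, and reports the indicators the advisory lists. The sample export is constructed for the example; on a real host you would feed it the decoded output of `reg export` for the relevant keys.

```python
"""Scan a registry export (.reg text) for the W32/Sdbot-WR persistence
entries and default-value changes listed in the advisory.

Added example for this page, not Sophos code. Collect input on a suspect
host with e.g. `reg export HKLM\\SYSTEM\\CurrentControlSet\\Services out.reg`
(reg.exe writes UTF-16; decode before passing the text here)."""
import re
from typing import Dict, List, Tuple

# Constructed sample export for this example (not a real capture). It mixes
# worm indicators with one benign autorun and one service left at its default.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Ms Sound Drivers"="msdrv.exe"
"VendorAgent"="C:\\Program Files\\Vendor\\agent.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msdirectx]
"Type"=dword:00000001
"Start"=dword:00000003
"ImagePath"="C:\\WINDOWS\\system32\\msdrv.exe"
"DisplayName"="msdirectx"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001
"Ms Sound Drivers"="msdrv.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000002
"""

_HIVE_ABBREV = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu"}
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse [key] sections with "name"="string" or "name"=dword:XXXXXXXX
    values. Keys and value names are lower-cased (the registry is
    case-insensitive); dwords become ints, doubled backslashes are undone."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            current = _HIVE_ABBREV.get(hive.lower(), hive.lower()) + "\\" + rest.lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if not m or current is None:
            continue
        name, data = m.group(1).lower(), m.group(2)
        if data.startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        elif data.startswith('"') and data.endswith('"'):
            keys[current][name] = data[1:-1].replace("\\\\", "\\")
        else:
            keys[current][name] = data  # hex(...) and other types kept raw
    return keys

Finding = Tuple[str, str, str]  # (key, value name, why it matters)
_LSA = "hklm\\system\\currentcontrolset\\control\\lsa"
_SERVICES = "hklm\\system\\currentcontrolset\\services\\"

def scan_for_sdbot_wr(keys: Dict[str, Dict[str, object]]) -> List[Finding]:
    """Report the advisory's indicators present in a parsed export."""
    findings: List[Finding] = []
    for key, values in keys.items():
        tail = key.rsplit("\\", 1)[-1]
        # Autorun persistence: Run/RunServices under HKLM or HKCU.
        if tail in ("run", "runservices") and "\\currentversion\\" in key:
            for name, data in values.items():
                if name == "ms sound drivers" or (isinstance(data, str) and "msdrv.exe" in data.lower()):
                    findings.append((key, name, "autorun persistence for msdrv.exe"))
        # Marker values the worm writes outside the autorun keys.
        if key in ("hkcu\\software\\microsoft\\ole", _LSA) and "ms sound drivers" in values:
            findings.append((key, "ms sound drivers", "worm marker value"))
        # Service persistence: msdirectx service launching the worm binary.
        if key == _SERVICES + "msdirectx" and "msdrv.exe" in str(values.get("imagepath", "")).lower():
            findings.append((key, "imagepath", "msdirectx service launches msdrv.exe"))
        # Default values the worm changes (Start=4 is SERVICE_DISABLED).
        if key == "hklm\\software\\microsoft\\ole" and str(values.get("enabledcom", "")).upper() == "N":
            findings.append((key, "enabledcom", "DCOM disabled (default Y)"))
        if key == _LSA and values.get("restrictanonymous") == 1:
            findings.append((key, "restrictanonymous", "changed from default 0 to 1"))
        if key == _SERVICES + "sharedaccess" and values.get("start") == 4:
            findings.append((key, "start", "SharedAccess (firewall/ICS) service disabled"))
        if key == _SERVICES + "wuauserv" and values.get("start") == 4:
            findings.append((key, "start", "Automatic Updates service disabled"))
    return findings

if __name__ == "__main__":
    for key, name, why in scan_for_sdbot_wr(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{key}\\{name}: {why}")
```

On the constructed sample the scan reports six findings and correctly leaves `wuauserv` alone because its `Start` value is still the default 2; the same logic applied to a real export will also surface any other autorun value whose data names `msdrv.exe`, whatever the value name.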
Once installed, W32/Sdbot-WR will attempt to perform the following actions when instructed to do so by a remote attacker:
- log keystrokes
- create a SOCKS4 server
- perform port scanning on IP addresses
- steal computer system hardware information
- copy itself to IPC$ network shared folders
- download files from the Internet and run them
- participate in denial of service (DoS) attacks
- log in to MS SQL servers and send EXEC commands to open a command shell
The worm may also prevent access to anti-virus and security-related websites by appending the following mappings to the %SYSTEM%\DRIVERS\ETC\HOSTS file:
```text
127.0.0.1 www.grisoft.com
127.0.0.1 www.trendmicro.com
127.0.0.1 trendmicro.com
127.0.0.1 rads.mcafee.com
127.0.0.1 customer.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 updates.symantec.com
127.0.0.1 update.symantec.com
127.0.0.1 www.nai.com
127.0.0.1 nai.com
127.0.0.1 secure.nai.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 my-etrust.com
127.0.0.1 mast.mcafee.com
127.0.0.1 ca.com
127.0.0.1 www.ca.com
127.0.0.1 networkassociates.com
127.0.0.1 www.networkassociates.com
127.0.0.1 avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 kaspersky.com
127.0.0.1 www.f-secure.com
127.0.0.1 f-secure.com
127.0.0.1 viruslist.com
127.0.0.1 www.viruslist.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 mcafee.com
127.0.0.1 www.mcafee.com
127.0.0.1 sophos.com
127.0.0.1 www.sophos.com
127.0.0.1 symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 www.symantec.com
```
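Because the HOSTS file is plain text, the update-blocking trick above is easy to check for. The script below is an added example for this page, not Sophos code. Its vendor domain list is taken from the mappings above; it goes beyond the advisory in two ways that are assumptions of the example: it also treats `::1` and `0.0.0.0` as "resolves nowhere", and it offers a broader heuristic that flags any non-localhost name pinned to loopback, so variants with a different block list still show up. The sample HOSTS content is constructed.

```python
"""Check a HOSTS file for security-vendor hostnames pinned to loopback, the
update-blocking technique described in the advisory.

Added example for this page, not Sophos code. The vendor list comes from
the advisory; widening loopback to ::1 and 0.0.0.0 is this example's choice."""
from typing import List, Tuple

# Registrable domains that appear in the advisory's HOSTS mappings.
VENDOR_DOMAINS = {
    "grisoft.com", "trendmicro.com", "mcafee.com", "symantec.com", "nai.com",
    "my-etrust.com", "ca.com", "networkassociates.com", "avp.com",
    "kaspersky.com", "kaspersky-labs.com", "f-secure.com", "viruslist.com",
    "symantecliveupdate.com", "sophos.com",
}

# Addresses that make a hostname resolve nowhere useful (assumption: the
# advisory only lists 127.0.0.1; ::1 and 0.0.0.0 are added for coverage).
LOOPBACK_ADDRS = {"127.0.0.1", "::1", "0.0.0.0"}

# Names that legitimately map to loopback in a stock HOSTS file.
EXPECTED_LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample HOSTS file for this example (not a real capture).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
127.0.0.1       localhost
10.1.2.3        fileserver.corp.example   # benign internal name
127.0.0.1 www.sophos.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 intranet.corp.example
"""

def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, one per hostname, ignoring comments
    and blank lines. One line may list several names for a single address."""
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            pairs.append((fields[0], name.lower()))
    return pairs

def registrable_domain(hostname: str) -> str:
    """Last two labels of the name; adequate for the .com domains in the
    advisory, while a general tool would consult the Public Suffix List."""
    labels = hostname.rstrip(".").split(".")
    return ".".join(labels[-2:])

def find_vendor_blocks(text: str) -> List[Tuple[str, str]]:
    """Known-bad case: a security-vendor hostname mapped to loopback."""
    return [(addr, name) for addr, name in parse_hosts(text)
            if addr in LOOPBACK_ADDRS and registrable_domain(name) in VENDOR_DOMAINS]

def find_loopback_overrides(text: str) -> List[Tuple[str, str]]:
    """Broader heuristic: any non-localhost name mapped to loopback. Catches
    block lists the advisory does not enumerate, at the cost of also listing
    deliberate local overrides that an analyst must triage."""
    return [(addr, name) for addr, name in parse_hosts(text)
            if addr in LOOPBACK_ADDRS and name not in EXPECTED_LOOPBACK_NAMES]

if __name__ == "__main__":
    for addr, name in find_vendor_blocks(SAMPLE_HOSTS):
        print(f"vendor site blocked: {name} -> {addr}")
    for addr, name in find_loopback_overrides(SAMPLE_HOSTS):
        print(f"loopback override (triage): {name} -> {addr}")
```

On the sample, `find_vendor_blocks` returns the two vendor entries, while `find_loopback_overrides` also lists `intranet.corp.example`, which is exactly the kind of hit that needs a human decision; the `10.1.2.3` mapping is ignored by both because it does not point at loopback.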
W32/Sdbot-WR subsequently terminates various anti-virus, security and Windows system applications and processes and disables access to the Windows Task Manager.
The worm also drops a kernel mode driver file MSDIRECTX.SYS in the %SYSTEM% folder. W32/Sdbot-WR uses this dropped kernel driver to hide its own process from the Windows Task Manager and from the Windows Services list, giving the worm stealth capability.
This kernel driver file MSDIRECTX.SYS is detected by Sophos as Troj/NtRootK-F.
