SDBot.NDIS Worm Information
Name: SDBot.NDIS
Category: Worm
Advice: Remove
Risk: Severe Risk
Severe threats are typically remotely exploitable vulnerabilities that can lead to system compromise. Successful exploitation does not normally require any user interaction, and exploits are in the wild. There is a high likelihood of system damage or security compromise: an attacker can gain complete control over your computer or install new software on your machine.
Description:
SDBot is the name of a family of remote access tools, also known as backdoors or worms, used by hackers to control a machine without the owner's knowledge.
This memory-resident worm drops a copy of itself as NDIS.EXE in the Windows system folder. It creates the following registry entries so that this copy runs at every startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
NDIS Adapter = "ndis.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
NDIS Adapter = "ndis.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
NDIS Adapter = "ndis.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
NDIS Adapter = "ndis.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
NDIS Adapter = "ndis.exe"
It also creates the following registry entries, which are applied as default registry entries whenever a new user account is created:
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce
NDIS Adapter = "ndis.exe"
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
NDIS Adapter = "ndis.exe"
The worm also registers itself as a service using the name NDIS Adapter. This service adds several entries under the following registry keys:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NDIS TCP Layer Transport Device
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_NDIS_TCP_LAYER_TRANSPORT_DEVICE
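As an added example (not from this advisory or any vendor tool), the following Python script checks a text registry export, as produced by reg export, for the autostart values and service keys listed above; the sample export embedded in it is constructed for illustration.

```python
"""Added example: scan a text registry export (reg export output) for the
SDBot.NDIS persistence entries described above. Sample data is constructed."""
# Autostart keys from the description, compared in upper case.
AUTOSTART_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSERVICES",
    r"HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
    r"HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE",
    r"HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
    r"HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE",
}
# Service and device keys the "NDIS Adapter" service leaves behind.
SERVICE_KEYS = {
    r"HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\NDIS TCP LAYER TRANSPORT DEVICE",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_NDIS_TCP_LAYER_TRANSPORT_DEVICE",
}

def parse_reg(text):
    """Return {KEY: {value_name: data}} from [key] and "name"="data" lines."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip().strip('"')] = data.strip().strip('"')
    return keys

def find_sdbot_ndis(text):
    """List (key, value_name, data) tuples matching the SDBot.NDIS indicators."""
    hits = []
    for key, values in parse_reg(text).items():
        if key in SERVICE_KEYS:           # presence of the key alone is a hit
            hits.append((key, "", ""))
        elif key in AUTOSTART_KEYS:       # flag the value name or an ndis.exe autostart
            for name, data in values.items():
                if name.upper() == "NDIS ADAPTER" or data.lower().endswith("ndis.exe"):
                    hits.append((key, name, data))
    return hits

# Constructed sample export: one benign value plus three SDBot.NDIS artefacts.
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe"
"NDIS Adapter"="ndis.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"NDIS Adapter"="ndis.exe"
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NDIS TCP Layer Transport Device]"""
```

Running find_sdbot_ndis on a real export of the keys above returns one tuple per matching value or service key, so an empty list means none of the listed artefacts are present.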
Network Propagation
This worm is capable of spreading across networks by exploiting the Windows LSASS vulnerability. This is a buffer overrun that allows remote code execution and enables an attacker to gain full control of the affected system.
More information on this vulnerability can be found in Microsoft Security Bulletin MS04-011.
This worm is also capable of spreading by scanning network shares on random IP addresses. If it can gain full access rights to a remote system, it drops a copy of itself into a shared folder.
It may also use the backdoor capabilities of other malware to propagate.
Backdoor Capabilities
This worm connects to an Internet Relay Chat (IRC) server and joins a specific channel, where it waits for malicious commands coming from a remote user. It executes the commands locally on an affected machine, providing the malicious user virtual control over the system. The commands that it may receive from the remote user include the following:
Add or delete registry
Add or delete service
Connect to HTTP or FTP address
Delete shares
Enable or disable DCOM
Execute file
Find emails
Find files
Get CD keys
Get system information (e.g., CPU, RAM, OS, etc.)
List and terminate processes
Log off, shut down or restart system
Perform distributed denial of service (DDoS) flood attack
Scan network
Send file via IRC DCC
Start port redirect
Start proxy server
Information Theft
This worm steals Microsoft Windows product ID. It also steals CD keys from the following game applications:
Battlefield 1942
Battlefield 1942: Secret Weapons Of WWII
Battlefield 1942: The Road To Rome
Battlefield 1942: Vietnam
Black and White
Command and Conquer: Generals
Command and Conquer: Generals: Zero Hour
Command and Conquer: Red Alert2
Command and Conquer: Tiberian Sun
Counter-Strike
FIFA 2002
FIFA 2003
Freedom Force
Global Operations
Gunman Chronicles
Half-Life
Hidden and Dangerous 2
IGI2: Covert Strike
Industry Giant 2
James Bond 007: Nightfire
Medal of Honor: Allied Assault
Medal of Honor: Allied Assault: Breakthrough
Medal of Honor: Allied
Signatures:
process: windows.exe: MD5 Hash: a61d2042bb8951cd443..
Type:
Worm - A worm is a program that propagates by attacking other computers and copying itself to them. Worms may replace files, but do not insert themselves into files (as viruses do).