From: Sophos Alert System

Name: W32/Sdbot-WQ
Type: Win32 worm
Date: 31 March 2005

A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the May 2005 (3.93) release of Sophos Anti-Virus. Customers using EM Library, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update.

At the time of writing, Sophos has received a small number of reports of this worm from the wild.

Information about W32/Sdbot-WQ can be found at:
http://www.sophos.com/virusinfo/analyses/w32sdbotwq.html

W32/Sdbot-WQ is a Windows network worm which attempts to spread via network shares. The worm contains backdoor functions that allow unauthorised remote access to the infected computer via IRC channels while it runs in the background.

The worm spreads to network shares with weak passwords and also by using the LSASS vulnerability (MS04-011) and the RPC-DCOM vulnerability (MS03-039).

When run, W32/Sdbot-WQ moves itself to the Windows System folder as a hidden, read-only, system file named winsvcmgr.exe.
The worm then creates a service with the following characteristics:

  servicename = winmdgr
  displayname = Microsoft Service Manager
  imagepath   = %WINDOWS%\winsvcmgr.exe
  description = Monitors Windows Services And Processes

The worm does this by creating the following registry entries:

  HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINMDGR\0000
    Class        LegacyDriver
    ClassGUID    (random ClassID)
    ConfigFlags  dword:00000000

  HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINMDGR\0000\Control
    *NewlyCreated*  dword:00000000
    ActiveService   winmdgr

  HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINMDGR\0000
    DeviceDesc  Microsoft Service Manager
    Legacy      dword:00000001
    Service     winmdgr

  HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINMDGR
    NextInstance  dword:00000001

  HKLM\SYSTEM\CurrentControlSet\Services\winmdgr
    Description  Moniters Windows Services And Processes   (sic; the typo is in the worm's own string)
    DisplayName  Microsoft Service Manager

  HKLM\SYSTEM\CurrentControlSet\Services\winmdgr\Enum
    0             Root\\LEGACY_WINMDGR\\0000
    Count         dword:00000001
    NextInstance  dword:00000001

  HKLM\SYSTEM\CurrentControlSet\Services\winmdgr
    ErrorControl    dword:00000000
    FailureActions  <sequence of hex bytes>
    ImagePath       <path to worm>
    ObjectName      LocalSystem

  HKLM\SYSTEM\CurrentControlSet\Services\winmdgr\Security
    Security  <sequence of hex bytes>

  HKLM\SYSTEM\CurrentControlSet\Services\winmdgr
    Start  dword:00000002   (SERVICE_AUTO_START)
    Type   dword:00000110   (SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS)

  HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
    Start  dword:00000004   (SERVICE_DISABLED: this is the Windows Security Center service)

The worm also disables, or silences the Security Center warnings for, the following Windows security features:

  Microsoft Firewall
  Microsoft Windows XP Update to Service Pack 2
  Microsoft Security Center updates
  Microsoft AntiVirus
  Microsoft Antivirus Notifications
  Microsoft Automatic Update

W32/Sdbot-WQ does this by creating the following registry entries:

  HKLM\SOFTWARE\Microsoft\Security Center
    AntiVirusDisableNotify  dword:00000001
    AntiVirusOverride       dword:00000001
    FirewallDisableNotify   dword:00000001
    FirewallOverride        dword:00000001
    UpdatesDisableNotify    dword:00000001
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
    AUOptions  dword:00000001   (Automatic Updates turned off)

  HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
    EnableFirewall  dword:00000000

  HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
    EnableFirewall  dword:00000000

  HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    DoNotAllowXPSP2  dword:00000001

The worm also creates the following registry entries:

  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions
    Installed Time  <Time>
    Record          <random number>
    MeltMe          <path to worm>

The worm also disables the hidden administrative shares on the infected computer by creating the following registry entries (only the lanmanserver values are read by the Server service; the copies under lanmanworkstation have no effect):

  HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
    AutoShareServer  dword:00000000
    AutoShareWks     dword:00000000

  HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
    AutoShareServer  dword:00000000
    AutoShareWks     dword:00000000

Once installed, W32/Sdbot-WQ will, when instructed to do so by a remote attacker, attempt to participate in denial of service (DoS) attacks, download and run files from the internet, terminate processes, create a SOCKS4 server, perform speed tests on the infected machine by connecting to a list of predefined websites, and log in to MS SQL servers and send EXEC commands to open a command shell. The worm may also try to spread through the backdoors and vulnerabilities used by the MyDoom family of worms.

W32/Sdbot-WQ also drops a kernel mode driver file, haxdrv.sys, in the %SYSTEM% folder. This file is detected by Sophos as Troj/Rootkit-U.
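The service, Security Center, firewall-policy, Automatic Updates, AutoShare and MeltMe entries above are a compact set of host indicators. The script below is an added example, not Sophos code: it parses a regedit export (.reg text, REGEDIT4 or "Windows Registry Editor Version 5.00" format) taken from a suspect machine or a mounted image, and reports every W32/Sdbot-WQ indicator that is present with the worm's setting. It also decodes REG_EXPAND_SZ values (exported as hex(2): UTF-16LE bytes, which is how an ImagePath usually appears) and joins multi-line hex blobs such as FailureActions. The sample export embedded in the script is constructed to mirror the alert, not a real capture; the indicator meanings and the SDBOT_WQ_INDICATORS table are this example's own naming.

```python
"""Offline check of a regedit export (.reg) for the W32/Sdbot-WQ registry
indicators listed in the Sophos alert.  Added example, not Sophos code."""
import re
import sys
from typing import Any, Callable, Dict, List, Tuple

RegTree = Dict[str, Dict[str, Any]]   # lowercased key path -> {lowercased value name: value}
Hit = Tuple[str, str, str, Any]       # (meaning, key, value name, stored value)


def _unescape(s: str) -> str:
    """.reg strings escape backslash and double quote with a backslash."""
    return re.sub(r"\\(.)", r"\1", s)


def _parse_value(raw: str) -> Any:
    """Decode one .reg value literal: "string", dword:hex or hex(type):bytes."""
    raw = raw.strip()
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^hex(?:\((?P<t>[0-9a-f]+)\))?:(?P<body>.*)$", raw, re.I)
    if m:
        data = bytes(int(b, 16) for b in m.group("body").replace(" ", "").split(",") if b)
        kind = int(m.group("t") or "3", 16)   # bare "hex:" is REG_BINARY (type 3)
        if kind in (2, 7):                    # REG_EXPAND_SZ / REG_MULTI_SZ are UTF-16LE text
            return data.decode("utf-16-le").rstrip("\x00")
        return data
    return raw                                # unknown form: keep the literal text


def parse_reg(text: str) -> RegTree:
    """Parse REGEDIT4 / 'Windows Registry Editor Version 5.00' text into a dict."""
    joined: List[str] = []
    for line in text.splitlines():
        if joined and joined[-1].endswith("\\"):   # hex blobs continue on the next line
            joined[-1] = joined[-1][:-1] + line.strip()
        else:
            joined.append(line.rstrip())
    tree: RegTree = {}
    current = None
    for line in joined:
        line = line.strip()
        if not line or line.startswith(";") or line.upper().startswith(("WINDOWS REGISTRY EDITOR", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = None if key.startswith("-") else key.lower()   # [-key] is a deletion; skip
            if current is not None:
                tree.setdefault(current, {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if current is None or not m:
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        tree[current][name.lower()] = _parse_value(m.group(2))
    return tree


def _is_worm_image(v: Any) -> bool:
    """True when the ImagePath file name is winsvcmgr.exe (path may be quoted)."""
    return isinstance(v, str) and re.split(r"[\\/]", v.strip('"'))[-1].lower() == "winsvcmgr.exe"


HKLM = "hkey_local_machine"
# (key, value name, predicate on the stored value, what a match means) -- taken from the alert
SDBOT_WQ_INDICATORS: List[Tuple[str, str, Callable[[Any], bool], str]] = [
    (HKLM + r"\system\currentcontrolset\services\winmdgr", "imagepath", _is_worm_image, "winmdgr service launches winsvcmgr.exe"),
    (HKLM + r"\system\currentcontrolset\services\winmdgr", "objectname", lambda v: v == "LocalSystem", "winmdgr service runs as LocalSystem"),
    (HKLM + r"\system\currentcontrolset\services\wscsvc", "start", lambda v: v == 4, "Security Center service (wscsvc) set to Disabled"),
    (HKLM + r"\software\microsoft\security center", "antivirusoverride", lambda v: v == 1, "Security Center anti-virus monitoring overridden"),
    (HKLM + r"\software\microsoft\security center", "firewalloverride", lambda v: v == 1, "Security Center firewall monitoring overridden"),
    (HKLM + r"\software\policies\microsoft\windowsfirewall\standardprofile", "enablefirewall", lambda v: v == 0, "Windows Firewall disabled by policy (standard profile)"),
    (HKLM + r"\software\policies\microsoft\windowsfirewall\domainprofile", "enablefirewall", lambda v: v == 0, "Windows Firewall disabled by policy (domain profile)"),
    (HKLM + r"\software\microsoft\windows\currentversion\windowsupdate\auto update", "auoptions", lambda v: v == 1, "Automatic Updates turned off"),
    (HKLM + r"\software\policies\microsoft\windows\windowsupdate", "donotallowxpsp2", lambda v: v == 1, "XP SP2 blocked from Windows Update"),
    (HKLM + r"\system\currentcontrolset\services\lanmanserver\parameters", "autoshareserver", lambda v: v == 0, "administrative shares disabled (server)"),
    (HKLM + r"\system\currentcontrolset\services\lanmanserver\parameters", "autosharewks", lambda v: v == 0, "administrative shares disabled (workstation)"),
    (HKLM + r"\software\microsoft\windows\currentversion\shell extensions", "meltme", lambda v: True, "Sdbot 'MeltMe' install marker present"),
]


def scan_reg_export(text: str) -> List[Hit]:
    """Return every indicator whose key and value are present with the worm's setting."""
    tree = parse_reg(text)
    hits: List[Hit] = []
    for key, name, matches, meaning in SDBOT_WQ_INDICATORS:
        values = tree.get(key)
        if values is not None and name in values and matches(values[name]):
            hits.append((meaning, key, name, values[name]))
    return hits


def _hex2(s: str) -> str:
    """Render a string the way regedit exports REG_EXPAND_SZ: hex(2):<UTF-16LE bytes>."""
    return "hex(2):" + ",".join(f"{b:02x}" for b in (s + "\x00").encode("utf-16-le"))


# Constructed sample export of an infected host (not a real capture); mirrors the alert.
SAMPLE_REG = "Windows Registry Editor Version 5.00\n\n" + "\n".join([
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winmdgr]",
    r'"Description"="Moniters Windows Services And Processes"',
    r'"DisplayName"="Microsoft Service Manager"',
    '"ImagePath"=' + _hex2(r"C:\WINDOWS\system32\winsvcmgr.exe"),
    r'"ObjectName"="LocalSystem"',
    r'"Start"=dword:00000002',
    r'"Type"=dword:00000110',
    '"FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\\',
    '  00,01,00,00,00,60,ea,00,00,01,00,00,00,60,ea,00,00,01,00,00,00,60,ea,00,00',
    "", r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]", r'"Start"=dword:00000004',
    "", r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]",
    r'"AntiVirusOverride"=dword:00000001', r'"FirewallOverride"=dword:00000001', r'"UpdatesDisableNotify"=dword:00000001',
    "", r"[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]", r'"EnableFirewall"=dword:00000000',
    "", r"[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]", r'"DoNotAllowXPSP2"=dword:00000001',
    "", r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]",
    r'"AutoShareServer"=dword:00000000', r'"AutoShareWks"=dword:00000000',
    "", r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions]",
    r'"MeltMe"="C:\\WINDOWS\\system32\\winsvcmgr.exe"',
])

if __name__ == "__main__":
    if len(sys.argv) > 1:   # real regedit exports are UTF-16LE with a BOM; decode accordingly
        raw = open(sys.argv[1], "rb").read()
        text = raw.decode("utf-16") if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else raw.decode("latin-1")
    else:
        text = SAMPLE_REG
    for meaning, key, name, value in scan_reg_export(text):
        print(f"[!] {meaning}: {key}\\{name} = {value!r}")
```

Run it with no arguments to scan the embedded sample, or pass the path of a .reg file exported with regedit (File > Export, "All" range) from the suspect machine. Any hit on the winmdgr ImagePath or the MeltMe marker is specific to this worm; the Security Center, firewall and AutoShare values on their own are also set by other malware and by some administrators, so treat those as corroborating evidence rather than proof of this particular infection.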
This IDE file also includes detection for:

  Troj/Bancban-CA   http://www.sophos.com/virusinfo/analyses/trojbancbanca.html
  Troj/Haxdoor-X    http://www.sophos.com/virusinfo/analyses/trojhaxdoorx.html
  WM97/Acened-A     http://www.sophos.com/virusinfo/analyses/wm97aceneda.html
  Troj/Dloader-KN   http://www.sophos.com/virusinfo/analyses/trojdloaderkn.html
  Troj/LegMir-AB    http://www.sophos.com/virusinfo/analyses/trojlegmirab.html
  Dial/Platform-A   http://www.sophos.com/virusinfo/analyses/dialplatforma.html
  Troj/Dloader-KF   http://www.sophos.com/virusinfo/analyses/trojdloaderkf.html
  Troj/Dloader-KH   http://www.sophos.com/virusinfo/analyses/trojdloaderkh.html
  Troj/Haxdoor-CN   http://www.sophos.com/virusinfo/analyses/trojhaxdoorcn.html
  Troj/Agent-CU     http://www.sophos.com/virusinfo/analyses/trojagentcu.html
  Troj/Dloader-KK   http://www.sophos.com/virusinfo/analyses/trojdloaderkk.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/sdbot-wq.ide

Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file. The file is available in two formats:

  Zip file:             http://www.sophos.com/downloads/ide/ides.zip
  Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at http://www.sophos.com/downloads/ide/using.html

*********** MIKE'S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews
see a sample on my web page http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member