[virusinfo] W32/Sdbot-WQ

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Thu, 31 Mar 2005 10:33:35 -0800

From: Sophos Alert System:

Name: W32/Sdbot-WQ
Type: Win32 worm
Date: 31 March 2005

A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the May 2005 (3.93) release of Sophos Anti-Virus.

Customers using EM Library, PureMessage or any of our Sophos
small business solutions will be automatically protected at
their next scheduled update.

At the time of writing, Sophos has received a small number of
reports of this worm from the wild.


Information about W32/Sdbot-WQ can be found at:
http://www.sophos.com/virusinfo/analyses/w32sdbotwq.html

W32/Sdbot-WQ is a Windows network worm which attempts to spread via network 
shares. The worm contains backdoor functions that allow unauthorised remote 
access to the infected computer via IRC channels while running in the 
background. 
The worm spreads to network shares with weak passwords and also by using the 
LSASS security exploit (MS04-011) and the RPC-DCOM security exploit (MS03-039). 
When run, W32/Sdbot-WQ moves itself to the Windows System folder as a hidden, 
read-only, system file named winsvcmgr.exe. 
The worm then creates a service with the following characteristics: 
servicename = winmdgr
displayname = Microsoft Service Manager
imagepath = %WINDOWS%\winsvcmgr.exe
description = Monitors Windows Services And Processes 
The worm does this by creating the following registry entries: 
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINMDGR\0000
    Class = LegacyDriver
    ClassGUID = (random ClassID)
    ConfigFlags = dword:00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINMDGR\0000\Control
    *NewlyCreated* = dword:00000000
    ActiveService = winmdgr
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINMDGR\0000
    DeviceDesc = Microsoft Service Manager
    Legacy = dword:00000001
    Service = winmdgr
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINMDGR
    NextInstance = dword:00000001
HKLM\SYSTEM\CurrentControlSet\Services\winmdgr
    Description = Moniters Windows Services And Processes
    DisplayName = Microsoft Service Manager
HKLM\SYSTEM\CurrentControlSet\Services\winmdgr\Enum
    0 = Root\\LEGACY_WINMDGR\\0000
    Count = dword:00000001
    NextInstance = dword:00000001
HKLM\SYSTEM\CurrentControlSet\Services\winmdgr
    ErrorControl = dword:00000000
    FailureActions = <sequence of hex bytes>
    ImagePath = <path to worm>
    ObjectName = LocalSystem
HKLM\SYSTEM\CurrentControlSet\Services\winmdgr\Security
    Security = <sequence of hex bytes>
HKLM\SYSTEM\CurrentControlSet\Services\winmdgr
    Start = dword:00000002
    Type = dword:00000110
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
    Start = dword:00000004
The worm also disables the following related Microsoft processes: 
Microsoft Firewall
Microsoft Windows XP Update to Service Pack2
Microsoft Security Center updates
Microsoft AntiVirus
Microsoft Antivirus Notifications
Microsoft Automatic Update 
W32/Sdbot-WQ does this by creating the following registry entries: 
HKLM\SOFTWARE\Microsoft\Security Center
    AntiVirusDisableNotify = dword:00000001
    AntiVirusOverride = dword:00000001
    FirewallDisableNotify = dword:00000001
    FirewallOverride = dword:00000001
    UpdatesDisableNotify = dword:00000001
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
    AUOptions = dword:00000001
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
    EnableFirewall = dword:00000000
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
    EnableFirewall = dword:00000000
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    DoNotAllowXPSP2 = dword:00000001
The worm also creates the following registry entries: 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions
    Installed Time = <Time>
    Record = <random number>
    MeltMe = <path to worm>
The worm also disables hidden network shares on the infected computer by 
creating the following registry entries: 
HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
    AutoShareServer = dword:00000000
    AutoShareWks = dword:00000000
HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
    AutoShareServer = dword:00000000
    AutoShareWks = dword:00000000
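As an added example (not part of the Sophos alert or of Mike's post), the following Python flags the registry changes listed above in a .reg file produced by `reg export` on a suspect host; the sample export and the function names are my own constructions.

```python
# Added example: match the Security Center, firewall, update and share settings
# the description above says the worm writes, plus its winmdgr service entry.
SC = r"HKLM\SOFTWARE\Microsoft\Security Center"
INDICATORS = [  # (key, value name, data the worm writes)
    (SC, "AntiVirusOverride", 1), (SC, "FirewallOverride", 1),
    (SC, "AntiVirusDisableNotify", 1), (SC, "FirewallDisableNotify", 1),
    (SC, "UpdatesDisableNotify", 1),
    (r"HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile", "EnableFirewall", 0),
    (r"HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile", "EnableFirewall", 0),
    (r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate", "DoNotAllowXPSP2", 1),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\wscsvc", "Start", 4),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters", "AutoShareServer", 0),
]
SERVICE_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\winmdgr"

def parse_reg_export(text):
    """Parse .reg text into {key: {name: data}}; keys and names lower-cased, HKLM abbreviated."""
    reg, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].replace("HKEY_LOCAL_MACHINE", "HKLM").lower()
            reg.setdefault(key, {})
        elif key and line.startswith('"'):
            name, _, data = line[1:].partition('"=')
            if data.startswith("dword:"):
                data = int(data[6:], 16)                      # REG_DWORD is hex in .reg files
            else:
                data = data.strip('"').replace("\\\\", "\\")  # REG_SZ: unescape backslashes
            reg[key][name.lower()] = data
    return reg

def find_sdbot_wq_indicators(reg):
    """Return human-readable findings; an empty list means nothing matched."""
    found = [f"{k}\\{n} = {v}" for k, n, v in INDICATORS
             if reg.get(k.lower(), {}).get(n.lower()) == v]
    image = str(reg.get(SERVICE_KEY.lower(), {}).get("imagepath", ""))
    if image.lower().endswith("winsvcmgr.exe"):   # the worm's service, per the description
        found.append(f"{SERVICE_KEY}\\ImagePath -> {image}")
    return found

SAMPLE_EXPORT = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winmdgr]
"ImagePath"="C:\\WINDOWS\\system32\\winsvcmgr.exe"
"""  # constructed sample of an infected host's export
```

Run `find_sdbot_wq_indicators(parse_reg_export(SAMPLE_EXPORT))` to list the four matches in the sample; a clean export returns an empty list.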
Once installed, W32/Sdbot-WQ will attempt to participate in denial of service 
(DoS) attacks, download and run files from the internet, terminate processes, 
create a SOCKS4 server, perform speed tests on the infected machine by 
connecting to a list of predefined websites, and log in to MS SQL servers and send 
EXEC commands to open a command shell when instructed to do so by a remote 
attacker. 
The worm may try to exploit backdoors and vulnerabilities used by the MyDoom 
family of worms. 
W32/Sdbot-WQ also drops a kernel mode driver file haxdrv.sys in the %SYSTEM% 
folder. This file is detected by Sophos as Troj/Rootkit-U. 

This IDE file also includes detection for:

Troj/Bancban-CA
http://www.sophos.com/virusinfo/analyses/trojbancbanca.html
Troj/Haxdoor-X
http://www.sophos.com/virusinfo/analyses/trojhaxdoorx.html
WM97/Acened-A
http://www.sophos.com/virusinfo/analyses/wm97aceneda.html
Troj/Dloader-KN
http://www.sophos.com/virusinfo/analyses/trojdloaderkn.html
Troj/LegMir-AB
http://www.sophos.com/virusinfo/analyses/trojlegmirab.html
Dial/Platform-A
http://www.sophos.com/virusinfo/analyses/dialplatforma.html
Troj/Dloader-KF
http://www.sophos.com/virusinfo/analyses/trojdloaderkf.html
Troj/Dloader-KH
http://www.sophos.com/virusinfo/analyses/trojdloaderkh.html
Troj/Haxdoor-CN
http://www.sophos.com/virusinfo/analyses/trojhaxdoorcn.html
Troj/Agent-CU
http://www.sophos.com/virusinfo/analyses/trojagentcu.html
Troj/Dloader-KK
http://www.sophos.com/virusinfo/analyses/trojdloaderkk.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/sdbot-wq.ide

Download all the IDE files available for the current version of 
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

*********** MIKE'S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 