Anilrgowda

Risk Assessment - Home Users: Low - Corporate Users: Low Date Discovered: 12/20/2006 Date Added: 12/21/2006 Origin: N/A Length: 180,736 bytes Type: Virus SubType: Generic Worm DAT Required: 4924 Virus Characteristics

Sdbot worm filenames vary considerably, but regularly try to look similar to other legitimate Windows executable names, so that a user viewing the Task Manager might assume that the names listed are valid.
In this case, copies of the worm have been seen using names such as "crcss.exe" (a variation of the legitimate Windows process "csrss.exe"). It is usual for them to create a value in the registry to ensure the worm is launched at each system boot. Keys most often used are:

• HKEY_LOCAL_MACHINE\Software\Windows\CurrentVersion \Run
• HKEY_LOCAL_MACHINE\Software\Windows\CurrentVersion \RunServices

Sdbot worms typically spread via network shares and create a remote access point for attackers to exploit. Operating system vulnerabilities may also be used as a means to propagate.

Indications of Infection

Manipulation of administrative shares (generally disabling them on an infected system) and unauthorized outbound IRC traffic are hallmarks of Sdbot worm behavior. In this case, the presence of processes with legitimate appearing names (similar to common Windows processes) running on the host system may be an initial indicator.

Method of Infection

The exact method of propagation varies between Sdbot worm variants. However, the following characteristics are typical: Share Propagation
Sdbot worms often propagate via accessible or poorly-secured network shares, and some variants are intended to take advantage of high profile exploits:

• DCOM RPC vulnerability (MS03-026) -Microsoft Security Bulletin MS03-026
• WEBDAV vulnerability (MS03-007) - Microsoft Security Bulletin MS03-007
• LSASS vulnerability (MS04-011) - Microsoft Security Bulletin MS04-011: Security Update for Microsoft Windows (835732)
• ASN.1 vulnerability (MS04-007) - Microsoft Security Bulletin MS04-007
• Workstation Service vulnerability (MS03-049) - Microsoft Security Bulletin MS03-049
• PNP vulnerability (MS05-039) -Microsoft Security Bulletin MS05-039: Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege (899588)
• Imail IMAPD LOGIN username vulnerability - 16804: Ipswitch IMail IMAP LOGIN username Remote Overflow
• Cisco IOS HTTP Authorization Vulnerability - Cisco Security Advisory:*IOS HTTP Authorization Vulnerability

When attempting to spread through default administrative shares, for example:

• PRINT$
• E$
• D$
• C$
• ADMIN$
• IPC$

Some variants also carry a list of poor username/password combinations to gain access to these shares.
Weak Passwords and Configurations
Sdbot worms are known to probe MS SQL servers for weak administrator passwords and configurations. When successful, the virus could execute remote system commands via the SQL server access.


Removal Instructions

AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination. Additional Windows ME/XP removal considerations