W32/SDBot.FP!worm

description-logoAnalysis

  • Virus is 32 bit with a file size of 112,672 bytes
  • Virus may be introduced to the system from a connected machine on the same network, or from an Internet connection
  • If the virus is run, it will create two script .BAT files into the undefinedTempundefined folder and are run
  • The Temp .BAT files named "b.bat" and "d.bat" use an ECHO instruction to redirect output into two .BAT files in the undefinedWindowsundefined\System32 folder named "Runtime.bat" and "PCTime32.bat" respectivel
  • The temp .BAT file "b.bat" first deletes any existing "Runtime.bat" in the undefinedWindowsundefined\System32 folder, then creates a new one with these instructions -

    - attempt to connect with a networked machine and logon with Admin priviledges
    - stop the service named "navapsvc"
    - create a copy of the virus on the target system as "Microsoft32.exe"

  • The temp .BAT file "d.bat" first deletes any existing "PCTime32.bat" in the undefinedWindowsundefined\System32 folder, then creates a new one with these instructions -

    - attempt to logon to a networked system using the $IPC share, using the user name "e" with a password of "asd#321"
    - make the file "Microsoft32.exe" read only
    - initiate the file "Microsoft32.exe" remotely

  • The virus will load on an infected machine at Windows startup based on a registry modification -

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    "Microsoft DirectX" = SMSS32.exe

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
    "Microsoft DirectX" = SMSS32.exe

  • The virus may delete the following registry key -

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
    CurrentVersion\Winlogon\
    "Shell" = Explorer.exe

  • The virus will attempt to connect to the IP address 65.110.56.65 with a destination port of 1360

  • The virus will await instructions from a hacker or group of hackers which include some of the following actions -

    - begin a PING or SYN attack flood
    - download a binary
    - scan NetBIOS for potential targets

  • Virus contains the string ".:: SXT v2.04 oWneD By: oWn-X TeAm since 1999 ::." in its code

recommended-action-logoRecommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
  • Block external to internal (EXT -> INT) communication using TCP port 445

Telemetry logoTelemetry

Detection Availability

FortiClient
Extreme
FortiMail
Extreme
FortiSandbox
Extreme
FortiWeb
Extreme
Web Application Firewall
Extreme
FortiIsolator
Extreme
FortiDeceptor
Extreme
FortiEDR