Content

W32/Sdbot.worm.gen.by

Type
Virus
SubType
Generic Worm
Discovery Date
04/21/2005
Length
Minimum DAT
4474 (04/21/2005)
Updated DAT
4991 (03/23/2007)
Minimum Engine
5.1.00
Description Added
04/21/2005
Description Modified
12/30/2005 10:38 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

Due to the large volume of members of this virus family, the size of extra.dats required to detect these is very large. AVERT have therefore split the detection into multiple drivers although the behavior of all members is broadly similar.

Please review the W32/Sdbot.worm.gen description for related information.

Details:

Note: Multiple variants of W32/SDbot.worm.gen.by exist.  The details below pertain to one of these variants.  Some details (such as file-names and registry entries) may vary slightly, so this description is a guide.

Infected hosts will issue DNS queries to the following domain(s):

  • bbjj.househot.com

System Changes

Files Added

  • %WINDIR%\system32\rpcsvc.exe

Registry

The following registry keys are created:

  • hkey_local_machine\software\policies\microsoft\windowsfirewall\standardprofile
  • hkey_local_machine\software\microsoft\security center\antivirusoverride="1"
  • hkey_local_machine\software\policies\microsoft\windowsfirewall\standardprofile\enablefirewall="0"
  • hkey_local_machine\software\policies\microsoft\windowsfirewall\domainprofile\enablefirewall="0"
  • hkey_local_machine\software\policies\microsoft\windowsfirewall
  • hkey_local_machine\software\microsoft\security center\firewalldisablenotify="1"
  • hkey_local_machine\software\policies\microsoft\windowsfirewall\domainprofile
  • hkey_local_machine\software\microsoft\security center
  • hkey_local_machine\software\microsoft\security center\antivirusdisablenotify="1"
  • hkey_local_machine\software\microsoft\security center\firewalldisableoverride="1"
  • hkey_local_machine\system\currentcontrolset\services\rpcsvc\security
  • hkey_local_machine\system\currentcontrolset\services\rpcsvc\security\security="(binary registry data)"
  • hkey_local_machine\system\currentcontrolset\services\rpcsvc\description="Provides reliability and uptime monitoring for components that use the RPC subsystem. If this service is stopped, RPC communication between clients and servers on the network will be impaired. If this service is disabled, any services that explicitly depe"
  • hkey_local_machine\system\currentcontrolset\services\rpcsvc\displayname="Windows Remote Procedure Call Monitoring Service"
  • hkey_local_machine\system\currentcontrolset\services\rpcsvc\start="2"
  • hkey_local_machine\system\currentcontrolset\services\rpcsvc\failureactions="(binary registry data)"
  • hkey_local_machine\system\currentcontrolset\services\rpcsvc\imagepath="%WINDIR%\System32\rpcsvc.exe"
  • hkey_local_machine\system\currentcontrolset\services\rpcsvc\errorcontrol="0"
  • hkey_local_machine\system\currentcontrolset\services\rpcsvc\objectname="LocalSystem"
  • hkey_local_machine\system\currentcontrolset\services\rpcsvc
  • hkey_local_machine\system\currentcontrolset\services\rpcsvc\type="32"

The following registry keys are written to:

  • hkey_local_machine\system\currentcontrolset\services\lanmanserver\parameters\autoshareserver="0"
  • hkey_local_machine\system\currentcontrolset\control\lsa\restrictanonymoussam="1"
  • hkey_local_machine\system\currentcontrolset\control\lsa\restrictanonymous="1"
  • hkey_local_machine\system\currentcontrolset\services\lanmanserver\parameters\autosharewks="0"
  • hkey_local_machine\software\microsoft\ole\enabledcom="110"
  • hkey_local_machine\system\currentcontrolset\services\sharedaccess\start="4"
  • hkey_local_machine\system\currentcontrolset\enum\root\legacy_rpcsvc\0000\control\activeservice="rpcsvc"

Symptoms

The application creates the following network connection(s):

  • rpcsvc.exe server:bbjj.househot.com port:18067
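The registry changes, dropped file and C2 domain listed under System Changes and Symptoms above can be checked on a suspect host with a read-only triage script. The following is an added example written for this description, not McAfee tooling; it assumes an elevated PowerShell 4 or later session and that value names match the lower-cased keys listed above.

```powershell
# Added example (not McAfee's own tooling): read-only host triage for the indicators on this page.
function Get-SdbotByIndicators {
    $findings = @()
    # Helper: read one registry value, returning $null if the key or value is absent.
    function Get-RegValue($Path, $Name) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name } else { return $null }
    }
    # (key, value name, value) triples from the "Registry" section. The Security Center overrides
    # and disabled firewall policy are the strong signals; LSA/LanmanServer hardening values are not.
    $expected = @(
        @('HKLM:\SOFTWARE\Microsoft\Security Center', 'AntiVirusOverride', 1),
        @('HKLM:\SOFTWARE\Microsoft\Security Center', 'AntiVirusDisableNotify', 1),
        @('HKLM:\SOFTWARE\Microsoft\Security Center', 'FirewallDisableNotify', 1),
        @('HKLM:\SOFTWARE\Microsoft\Security Center', 'FirewallDisableOverride', 1),
        @('HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile', 'EnableFirewall', 0),
        @('HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile', 'EnableFirewall', 0),
        @('HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess', 'Start', 4)
    )
    foreach ($e in $expected) {
        $actual = Get-RegValue $e[0] $e[1]
        if ($null -ne $actual -and [int]$actual -eq $e[2]) {
            $findings += "Registry: $($e[0])\$($e[1]) = $actual"
        }
    }
    # The bogus 'rpcsvc' service (LocalSystem, auto-start) and its dropped binary.
    $svc = 'HKLM:\SYSTEM\CurrentControlSet\Services\rpcsvc'
    $imagePath = Get-RegValue $svc 'ImagePath'
    if ($imagePath -and $imagePath -match 'rpcsvc\.exe') {
        $findings += "Service: rpcsvc ImagePath=$imagePath DisplayName=$(Get-RegValue $svc 'DisplayName')"
    }
    $dropped = Join-Path $env:WINDIR 'system32\rpcsvc.exe'
    if (Test-Path $dropped) {
        $hash = (Get-FileHash -Path $dropped -Algorithm SHA256).Hash
        $findings += "File: $dropped present, SHA256 $hash"
    }
    # C2 domain from the Symptoms section, checked against the local DNS cache
    # (Get-DnsClientCache exists on Windows 8 / Server 2012 and later only).
    if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
        if (Get-DnsClientCache | Where-Object { $_.Entry -eq 'bbjj.househot.com' }) {
            $findings += 'DNS cache: bbjj.househot.com resolved on this host (C2 port 18067)'
        }
    }
    return $findings
}

Get-SdbotByIndicators | ForEach-Object { Write-Warning $_ }
```

An empty result means none of the listed indicators were found; because file names and registry entries vary between variants, a clean result here does not rule out infection, and the DAT-based scan in the Removal section remains authoritative.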

Method of Infection

The worm propagates via accessible or poorly-secured network shares.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

All Information

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Backdoor.Win32.SdBot.afz (Kaspersky)
  • W32.Spybot.Worm (Symantec)
  • WORM_RBOT.GEN (Trend)
