Virus

W32/SDBot.MR!worm

Analysis


Specifics
This virus is 32-bit with a packed file size of 82,701 bytes. It contains instructions to copy itself to other systems across a network (LAN/WAN) and to respond to instructions received from a malicious user after first connecting to an IRC server and channel. When the virus copies itself to other systems, the file is saved into the System32 folder as "MSIEx.exe". That file is executed remotely and then copies itself as "ntsyst32.exe" in the same folder.


Loading At Windows Startup
If the virus is run, it copies itself to the local system into the drivers folder as "ntsyst32.exe" and sets the following registry entries to load the virus as a service at each Windows startup -

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Threaded" = ntsyst32.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
"Threaded" = ntsyst32.exe


IRC Connection
The virus attempts to make an IRC server connection to the IP address 81.9.193.91 on destination TCP port 4564. The connection is used mainly for communication messages; however, the open port can also be used by a malicious user to send instructions to the virus.


Network Shares Infection Method
The virus may attempt to seek out other machines on the network and penetrate them by using a dictionary attack to log on to the target system. If a system is vulnerable, the virus attempts to copy itself to the target at these share paths, where %s is the target's IP address -

%s\\Admin$\\system32\\MSIEx.exe
%s\\C$\\winnt\\system32\\MSIEx.exe
%s\\C$\\windows\\system32\\MSIEx.exe
%s\\Admin$\\MSIEx.exe
%s\\ipc$

The virus may then send a notification message to an IRC channel, notifying the author of the virus that the specific system has been infected. Depending on the operating system, the virus sends one of these notification messages, where %s is the infected system's IP address -
PRIVMSG #iNFAMOUS :[NTScan - Exploited - c$\\sys32] CSendFile: %s\r\n
PRIVMSG #iNFAMOUS :[NTScan - Exploited - WinXP sys32] CSendFile: %s\r\n
PRIVMSG #iNFAMOUS :[NTScan - Exploited - WinNT sys32] CSendFile: %s\r\n
PRIVMSG #iNFAMOUS :[NTScan - Exploited - admin$ sys32] CSendFile: %s\r\n
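As an added defensive example (not part of the original analysis), the following Python matches constructed host and network telemetry against the indicators described above: the hard-coded IRC server and port, the "Threaded" Run/RunServices value, and the infection notice format. The event record layout and the sample events are assumptions made for the example.

```python
import re

# Indicators taken from the analysis text above
C2_ADDR = ("81.9.193.91", 4564)
PERSISTENCE_VALUE = "Threaded"
PERSISTENCE_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
}
# Matches the infection notice the worm sends to its IRC channel, e.g.
# "PRIVMSG #iNFAMOUS :[NTScan - Exploited - admin$ sys32] CSendFile: 10.0.0.5"
NOTIFY_RE = re.compile(
    r"^PRIVMSG\s+(?P<channel>#\S+)\s+:\[NTScan - Exploited - (?P<share>[^\]]+)\]"
    r"\s+CSendFile:\s+(?P<victim>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)

def parse_notification(line):
    """Return channel/share/victim from a worm notification line, else None."""
    m = NOTIFY_RE.match(line.strip())  # strip() drops the trailing \r\n
    return m.groupdict() if m else None

def is_c2_connection(dst_ip, dst_port):
    """True for the hard-coded IRC server and port the worm connects to."""
    return (dst_ip, dst_port) == C2_ADDR

def is_persistence_entry(key, value_name, data):
    """True for the Run/RunServices value the worm sets to load ntsyst32.exe."""
    return (key in PERSISTENCE_KEYS and value_name == PERSISTENCE_VALUE
            and data.strip().lower().endswith("ntsyst32.exe"))

# Constructed sample telemetry in an assumed format (not from the original page)
SAMPLE_EVENTS = [
    {"type": "netconn", "dst": "81.9.193.91", "port": 4564},
    {"type": "netconn", "dst": "10.1.2.3", "port": 445},
    {"type": "registry", "name": "Threaded", "data": "ntsyst32.exe",
     "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
    {"type": "irc", "line": "PRIVMSG #iNFAMOUS :[NTScan - Exploited - WinXP sys32] CSendFile: 10.1.2.3\r\n"},
]

def triage(events):
    """Return one description per event that matches a worm indicator."""
    hits = []
    for ev in events:
        if ev["type"] == "netconn" and is_c2_connection(ev["dst"], ev["port"]):
            hits.append(f"C2 connection to {ev['dst']}:{ev['port']}")
        elif ev["type"] == "registry" and is_persistence_entry(ev["key"], ev["name"], ev["data"]):
            hits.append(f"persistence: {ev['name']} = {ev['data']}")
        elif ev["type"] == "irc" and (n := parse_notification(ev["line"])):
            hits.append(f"infection notice for {n['victim']} via {n['share']}")
    return hits
```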

Miscellaneous
The virus contains this string in its unpacked form -

rBot 0.0.2 by Nils


Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option
  • Using the FortiGate manager, block internal-to-external and external-to-internal access on TCP port 4564; this port must first be defined as a service before it can be blocked