Virus Profile: W32/Sdbot.worm.gen.z
Monday, November 12, 2007
Risk Assessment
- Home Users: Low
- Corporate Users: Low
Date Discovered: 12/15/2004
Date Added: 9/22/2004
Origin: N/A
Length: Varies
Type: Virus
SubType: Generic Worm
DAT Required: 4394
Virus Characteristics
Due to the large volume of members of this virus family, the size of extra.dats required to detect these is very large. AVERT have therefore split the detection into multiple drivers although the behavior of all members is broadly similar.
Please review the W32/Sdbot.worm.gen description.
The W32/Sdbot.worm.gen.z exhibits the following behavior:
* The worm file is eXPressor protected
* Mlqm.exe process will listen for TCP communication on port 3032
* Issues a DNS query to the following domain: r3x.ma7d.com
Files Added
* %WINDIR%\system32\dllcache\mlqm.exe
The worm attempts communication with a server for further instructions. A remote attacker can use the worm to perform various tasks:
* Gather system information (CPU, Driver Space, RAM, OS Version, User name, Computer name, IP Address)
* SYN Flood others
* Kill processes
* Download files
* Execute files
At the time this was analyzed the worm attempted to SYN Flood various addresses provided by the server.
Indications of Infection
* Presence of %WINDIR%\system32\dllcache\mlqm.exe
* Unexpected TCP communication on port 3032
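The three indicators above (the dropped file, the TCP listener on port 3032, and the DNS query for r3x.ma7d.com) can be checked mechanically against host and network logs. The following is an added example written for this page, not McAfee/AVERT code; it assumes `netstat -ano`-style output, a resolver log that contains `query: <name>`, and a file or process listing with full paths, and the sample lines it scans are constructed here for illustration.

```python
import re

# Indicators taken from the profile above.
SUSPECT_FILE = r"system32\dllcache\mlqm.exe"
SUSPECT_PORT = 3032
SUSPECT_DOMAIN = "r3x.ma7d.com"

# Assumed log shapes (not from the profile):
#   netstat -ano style:  TCP    0.0.0.0:3032    0.0.0.0:0    LISTENING    1844
#   resolver log:        ... query: r3x.ma7d.com ...
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)", re.IGNORECASE)
DNS_RE = re.compile(r"query:\s*([A-Za-z0-9.\-]+)", re.IGNORECASE)


def scan_indicators(lines):
    """Return a list of (indicator, line_no, detail) tuples for every line
    that matches one of the three published indicators."""
    hits = []
    for n, line in enumerate(lines, 1):
        # File indicator: case-insensitive substring match on the dropped path.
        if SUSPECT_FILE.lower() in line.lower():
            hits.append(("file", n, line.strip()))
        # Listener indicator: exact port comparison, so tcp/30320 does not match.
        m = LISTEN_RE.match(line)
        if m and int(m.group(1)) == SUSPECT_PORT:
            hits.append(("listener", n, f"pid {m.group(2)} listening on tcp/{SUSPECT_PORT}"))
        # DNS indicator: exact domain comparison after stripping a trailing dot,
        # so lookalike names such as r3x.ma7d.com.example do not match.
        m = DNS_RE.search(line)
        if m and m.group(1).lower().rstrip(".") == SUSPECT_DOMAIN:
            hits.append(("dns", n, m.group(1)))
    return hits


def indicator_kinds(lines):
    """Set of distinct indicator types seen; handy for a quick triage verdict."""
    return {kind for kind, _, _ in scan_indicators(lines)}


# Constructed sample input: one benign line of each shape plus one hit of each.
SAMPLE_LINES = [
    "TCP    0.0.0.0:445      0.0.0.0:0    LISTENING    4",
    "TCP    0.0.0.0:30320    0.0.0.0:0    LISTENING    2200",
    "TCP    0.0.0.0:3032     0.0.0.0:0    LISTENING    1844",
    "12/15/2004 10:01:02 client 10.0.0.5 query: www.example.com IN A",
    "12/15/2004 10:01:03 client 10.0.0.5 query: r3x.ma7d.com.example IN A",
    "12/15/2004 10:01:04 client 10.0.0.5 query: r3x.ma7d.com. IN A",
    r"1844  C:\WINDOWS\system32\svchost.exe",
    r"1844  C:\WINDOWS\system32\dllcache\mlqm.exe",
]

if __name__ == "__main__":
    for kind, n, detail in scan_indicators(SAMPLE_LINES):
        print(f"line {n}: {kind}: {detail}")
```

A single hit on any one indicator is enough to warrant pulling the host for the cleaning step described under Removal Instructions; the listener and DNS hits are also the ones worth turning into a network-side alert, since they are visible without touching the endpoint.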
Method of Infection
The exact method of propagation will vary between variants. However, the following characteristics are typical:
Share Propagation
* The worm propagates via accessible or poorly-secured network shares, and some variants are intended to take advantage of high profile exploits:
* DCOM RPC vulnerability (MS03-026) - http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
* LSASS vulnerability (MS04-011) - http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
Removal Instructions
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).