New Autorun.inf worm variant (Jan 30, 2009)

The SonicWALL UTM Research team observed a new Autorun.inf worm variant starting on Monday, January 26, 2009. It has IRC bot functionality and spreads via network shares or by exploiting Windows vulnerabilities.

SonicWALL has received 7 copies of this network-aware worm. It performs the following activities when executed:

Host level activities

  • Disables Task Manager
  • Disables Registry Tools
  • Disables Notifications for Firewalls and various AntiVirus Tools
  • Copies itself to %windir%\system32\drivers\SCtri.exe and adds a registry entry so that it runs every time the system reboots
  • Infects USB drives by dropping an autorun.inf file and a copy of itself (SCtri.exe), so that whenever a user connects the infected USB drive to a machine with AutoRun enabled, that machine is infected as well.
  • Modifies the tcpip.sys file to conceal its network traffic from being captured locally by well-known sniffers (e.g. Wireshark)
  • Includes anti-VM and anti-debugging code
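The host-level indicators above (the autorun.inf launch directives, the Run entry for SCtri.exe, and the two disabled-tool policies) can be triaged from a USB drive's autorun.inf and a `reg export` of the relevant keys. The following is an added example written for this page, not SonicWALL's code: the binary name SCtri.exe, its location under the drivers directory and the Task Manager / Registry Tools policies come from the advisory, while the `.reg` parser, the sample autorun.inf and the sample registry export are constructed for illustration.

```python
"""Triage helpers for the host-level indicators of the SCtri.exe worm.
Added example, not SonicWALL's code. The binary name, drop location
and lockout policies come from the advisory; every sample below is
constructed."""
import configparser
import ntpath
import re

# autorun.inf directives that launch code when a drive is inserted
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")
WORM_BINARY = "sctri.exe"
# REG_DWORD policies the worm sets to 1 to lock the user out of tooling
LOCKOUT_POLICIES = ("disabletaskmgr", "disableregistrytools")


def parse_autorun(text):
    """Return the [autorun] section as {lower-case key: value}, parsed
    leniently: worm-written files mix case and repeat keys."""
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True)
    cp.read_string(text)
    for name in cp.sections():
        if name.lower() == "autorun":
            return {k: (v or "").strip() for k, v in cp.items(name)}
    return {}


def program_name(value):
    """Basename of the program in a directive value such as
    '"D:\\x\\Setup.EXE" /quiet' or '.\\SCtri.exe'."""
    value = value.strip()
    if value.startswith('"') and value.count('"') >= 2:
        program = value[1:value.index('"', 1)]
    else:
        program = value.split()[0] if value.split() else ""
    return ntpath.basename(program).lower()


def autorun_findings(text):
    """Flag every directive that would run code on drive insertion."""
    section = parse_autorun(text)
    findings = []
    for key in LAUNCH_KEYS:
        if key in section:
            exe = program_name(section[key])
            tag = "KNOWN-WORM" if exe == WORM_BINARY else "LAUNCH"
            findings.append(f"{tag}: {key}={section[key]} -> {exe}")
    return findings


_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')


def parse_reg_export(text):
    """Minimal .reg / 'reg export' parser: {key path: {name: value}}.
    Decodes only REG_DWORD and REG_SZ, which is all these checks need."""
    snapshot, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = snapshot.setdefault(m.group(1), {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            name, dword, string = m.groups()
            current[name.lower()] = (int(dword, 16) if dword is not None
                                     else string.replace("\\\\", "\\"))
    return snapshot


def registry_findings(snapshot):
    """Report the lockout policies and any Run entry naming the worm."""
    findings = []
    for path, values in snapshot.items():
        leaf = path.rsplit("\\", 1)[-1].lower()
        if leaf == "system":
            for pol in LOCKOUT_POLICIES:
                if values.get(pol) == 1:
                    findings.append(f"POLICY: {pol}=1 under {path}")
        elif leaf == "run":
            for name, data in values.items():
                if isinstance(data, str) and WORM_BINARY in data.lower():
                    findings.append(f"PERSISTENCE: {name}={data}")
    return findings


# Constructed samples, not captured from a real infection.
SAMPLE_AUTORUN = """[AutoRun]
; resembles the file the worm drops on a USB drive
open=SCtri.exe
shell\\open\\command=SCtri.exe
"""
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SCtri"="C:\\WINDOWS\\system32\\drivers\\SCtri.exe"
"""
```

Running `autorun_findings(SAMPLE_AUTORUN)` returns two `KNOWN-WORM` findings (one per launch directive), and `registry_findings(parse_reg_export(SAMPLE_REG))` returns the two lockout policies plus the persistence entry; an autorun.inf that only sets an icon produces nothing. Remediating the policies means resetting both DWORDs to 0, and the drop path is a strong signal because nothing legitimate installs a user-mode executable under the drivers directory.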

Network level activities

  • Scans the network for SMB shares with weak passwords and infects them. The list of passwords it tries looks like the following:
    • server
    • asdfgh
    • asdf
    • password
    • access
    • pass1234
    • administrador
    • 654321
    • 123456
    • 12345
    • 1234
    • root
    • admin
    • administrator
  • Also spreads to other computers on the network by exploiting the Windows vulnerabilities MS04-011 and MS08-067
  • Tries to resolve multiple domains (baldmanpower.[com/net/org] and kutlufamily.com) and connects to an IRC server on port 80, where it listens for commands.
  • Has the RxBot-family IRC bot functionality.
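Two of the network behaviours above are directly detectable from the perimeter: the DNS lookups for the rendezvous domains, and an IRC conversation on TCP port 80, where a firewall or proxy expects HTTP. The code below is an added example written for this page, not SonicWALL's code; the four domains come from the advisory, while the DNS log format, the log lines and the captured payloads are constructed for illustration.

```python
"""Two detections for the worm's network behaviour: lookups of its
rendezvous domains, and IRC spoken to a server on TCP/80.  Added
example, not SonicWALL's code.  The domains come from the advisory;
the payloads, log format and log lines are constructed."""
import re

C2_DOMAINS = {"baldmanpower.com", "baldmanpower.net", "baldmanpower.org",
              "kutlufamily.com"}
HTTP_METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS",
                "CONNECT", "TRACE"}
# Commands a client sends while registering and joining (RFC 2812).
IRC_COMMANDS = {"PASS", "NICK", "USER", "JOIN", "PRIVMSG", "PONG", "MODE"}
_REQUEST_LINE = re.compile(r"^([A-Z]+) \S+ HTTP/\d\.\d$")


def classify_port80_payload(data):
    """Label the first client->server bytes of a TCP/80 stream as
    'http', 'irc' or 'unknown'.  Binary content (e.g. TLS) is unknown."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return "unknown"
    lines = [ln for ln in re.split(r"\r?\n", text)[:4] if ln.strip()]
    if not lines:
        return "unknown"
    m = _REQUEST_LINE.match(lines[0])
    if m and m.group(1) in HTTP_METHODS:
        return "http"
    irc_like = 0
    for ln in lines:
        words = ln.split()
        # an optional ':prefix' may precede the command
        if words and words[0].startswith(":"):
            words = words[1:]
        if words and words[0].upper() in IRC_COMMANDS:
            irc_like += 1
    if irc_like and (irc_like >= 2 or irc_like == len(lines)):
        return "irc"
    return "unknown"


def c2_lookups(log_lines):
    """Return (timestamp, client, name) for DNS queries of the advisory's
    domains or any host beneath them.  Expected line format (constructed):
    '<timestamp> <client-ip> query <name> <type>'."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4 or parts[2] != "query":
            continue
        name = parts[3].rstrip(".").lower()
        if name in C2_DOMAINS or any(name.endswith("." + d) for d in C2_DOMAINS):
            hits.append((parts[0], parts[1], name))
    return hits


# Constructed samples, not captures from a real infection.
SAMPLE_HTTP = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SAMPLE_IRC = b"PASS s3cret\r\nNICK [USA|XP|12345]\r\nUSER xyz 0 0 :xyz\r\n"
SAMPLE_TLS = b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x01"
SAMPLE_DNS_LOG = [
    "2009-01-26T10:00:01 10.0.0.5 query www.example.com A",
    "2009-01-26T10:00:02 10.0.0.5 query baldmanpower.net A",
    "2009-01-26T10:00:03 10.0.0.7 query irc.kutlufamily.com. A",
]
```

`classify_port80_payload(SAMPLE_IRC)` returns `"irc"` while the HTTP request returns `"http"` and the TLS bytes `"unknown"`; `c2_lookups(SAMPLE_DNS_LOG)` returns the two clients that queried the rendezvous domains. The protocol check deliberately looks at the client's first lines rather than the port, because the whole point of the port-80 choice is that port-based filtering lets the traffic through.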

The worm is also known as Exploit:Win32/MS06040.gen [Microsoft], IRC/SdBot trojan [ESET], and Worm/SdBot.735232.1 [AntiVir].

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: SdBot.NW (Worm) signature [798 hits recorded].

