New Autorun.inf worm variant

January 30, 2009

The SonicWALL UTM Research team observed a new Autorun.inf worm variant starting on Monday, January 26, 2009. It has IRC bot functionality and spreads via network shares or by exploiting Windows vulnerabilities.

SonicWALL has received 7 copies of this network-aware worm. It performs the following activities when executed:

Host level activities

  • Disables Task Manager
  • Disables Registry Tools
  • Disables Notifications for Firewalls and various AntiVirus Tools
  • Copies itself to %windir%\system32\drivers\SCtri.exe and adds a registry entry for it so that it runs every time the system reboots
  • Infects USB drives by dropping an autorun.inf file and a copy of itself (SCtri.exe), so that whenever a user connects the infected USB drive to a machine with AutoRun enabled, that machine is infected as well
  • Modifies the tcpip.sys file to hide its network traffic from being captured locally by well-known sniffers (e.g. Wireshark)
  • Includes anti-VM and anti-debugging code
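The autorun.inf dropped on removable media is the part of the host-level behaviour a responder can triage quickly: a legitimate autorun.inf on installer media normally sets only an icon or label, whereas a worm's file binds every AutoRun and Explorer-verb entry to the binary it dropped. The parser below is an added example, not SonicWALL's tooling or the worm's actual file; the sample autorun.inf is constructed for illustration (only the SCtri.exe name comes from the advisory above), and the suspicion heuristics are the author's assumptions.

```python
import configparser
import re
from typing import Dict, List

# Constructed sample autorun.inf in the style dropped on removable media by
# autorun worms. It is NOT the worm's real file; the SCtri.exe name is taken
# from the advisory above, the other entries are illustrative.
SAMPLE_AUTORUN_INF = r"""
[AutoRun]
open=SCtri.exe
shellexecute=SCtri.exe
shell\open\Command=SCtri.exe
shell\explore\Command=SCtri.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
UseAutoPlay=1
"""

# Keys whose value Windows treats as a command line to run on AutoRun/AutoPlay.
LAUNCH_KEYS = {"open", "shellexecute"}
# shell\<verb>\command entries bind a program to an Explorer context-menu verb
# (e.g. the "Open" or "Explore" entries shown when right-clicking the drive).
VERB_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the key/value pairs of the [autorun] section (section name
    matched case-insensitively), or {} if the file has none."""
    # interpolation=None: values contain '%' environment references;
    # strict=False: worm-written files often repeat keys.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case so findings quote the file verbatim
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "autorun":
            return dict(cp[section])
    return {}


def launch_targets(entries: Dict[str, str]) -> List[str]:
    """Command lines that AutoRun/AutoPlay or an Explorer verb would execute."""
    targets = []
    for key, value in entries.items():
        k = key.lower()
        if k in LAUNCH_KEYS or VERB_COMMAND_RE.match(k):
            targets.append(value.strip())
    return targets


def assess_autorun(text: str) -> dict:
    """Triage an autorun.inf: which binaries it would launch and why that is
    suspicious. The heuristics are assumptions for this example."""
    entries = parse_autorun(text)
    targets = launch_targets(entries)
    # First token of each command line, lower-cased and de-duplicated.
    executables = sorted({t.split()[0].lower() for t in targets if t})
    reasons = []
    if targets:
        reasons.append("autorun.inf launches a program (%d launch entries)" % len(targets))
    if any(not ("\\" in e or "/" in e) for e in executables):
        reasons.append("launch target is a bare file in the drive root")
    if len(executables) == 1 and len(targets) > 1:
        reasons.append("all launch paths point at the same binary")
    return {
        "entries": entries,
        "targets": targets,
        "executables": executables,
        "reasons": reasons,
    }


if __name__ == "__main__":
    result = assess_autorun(SAMPLE_AUTORUN_INF)
    for finding in result["reasons"]:
        print("finding:", finding)
    print("executables referenced:", result["executables"])
```

Run it against the autorun.inf of a drive that was plugged into a suspect host; the `executables` list tells you which file in the drive root to hash and pull for analysis, and an empty `targets` list on media that is supposed to be inert is the quick all-clear.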

Network level activities

  • Scans the network for SMB shares with weak passwords and infects them. The list of passwords it tries includes the following:
    • server
    • asdfgh
    • asdf
    • password
    • access
    • pass1234
    • administrador
    • 654321
    • 123456
    • 12345
    • 1234
    • root
    • admin
    • administrator
  • Also spreads to other computers on the network by exploiting the Windows vulnerabilities MS04-011 and MS08-067
  • Tries to resolve multiple domains (baldmanpower.[com/net/org] and kutlufamily.com) and connects to an IRC server on port 80, where it listens for commands
  • Has the IRC bot functionality of the RxBot family
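The SMB spreading behaviour leaves a distinctive trace on the file server: a burst of failed logons from one source against the administrative accounts, optionally followed by a success once one of the weak passwords from the list above matches. The detection below is an added example, not SonicWALL's or any product's detection logic; the log lines are constructed in a simplified format (not real Windows event records), and the threshold, window and field names are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed, simplified SMB authentication log (NOT real telemetry, and not
# the Windows event log format). 10.0.0.5 walks through a short password list
# against the administrative accounts and finally succeeds; 10.0.0.9 mistypes
# a password once; 10.0.0.7 fails three times spread over twelve minutes.
SAMPLE_LOG = r"""
2009-01-26T09:58:10 src=10.0.0.9 user=jsmith share=\\FS01\docs result=FAILURE
2009-01-26T09:58:15 src=10.0.0.9 user=jsmith share=\\FS01\docs result=SUCCESS
2009-01-26T10:00:01 src=10.0.0.5 user=administrator share=\\FS01\C$ result=FAILURE
2009-01-26T10:00:02 src=10.0.0.5 user=administrator share=\\FS01\C$ result=FAILURE
2009-01-26T10:00:02 src=10.0.0.5 user=admin share=\\FS01\C$ result=FAILURE
2009-01-26T10:00:03 src=10.0.0.5 user=administrator share=\\FS01\C$ result=FAILURE
2009-01-26T10:00:04 src=10.0.0.5 user=admin share=\\FS01\C$ result=FAILURE
2009-01-26T10:00:05 src=10.0.0.5 user=administrator share=\\FS01\ADMIN$ result=FAILURE
2009-01-26T10:00:06 src=10.0.0.5 user=administrator share=\\FS01\ADMIN$ result=SUCCESS
2009-01-26T10:03:00 src=10.0.0.7 user=mlee share=\\FS01\docs result=FAILURE
2009-01-26T10:09:30 src=10.0.0.7 user=mlee share=\\FS01\docs result=FAILURE
2009-01-26T10:15:00 src=10.0.0.7 user=mlee share=\\FS01\docs result=FAILURE
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) share=(?P<share>\S+) result=(?P<result>SUCCESS|FAILURE)$"
)


def parse_log(text: str) -> List[dict]:
    """Parse the constructed log format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def detect_password_guessing(log_text: str, threshold: int = 5,
                             window_seconds: int = 60) -> Dict[str, dict]:
    """Flag each source that produces `threshold` logon failures inside any
    sliding window of `window_seconds`, and note whether a success from the
    same source follows the burst within the window (the worst case: one of
    the guessed passwords worked and the share is now likely infected)."""
    window = timedelta(seconds=window_seconds)
    by_src: Dict[str, List[dict]] = defaultdict(list)
    for ev in parse_log(log_text):
        by_src[ev["src"]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda ev: ev["ts"])
        recent: List[datetime] = []   # failure timestamps inside the sliding window
        triggered_at = None
        for ev in evs:
            if ev["result"] != "FAILURE":
                continue
            recent.append(ev["ts"])
            while ev["ts"] - recent[0] > window:   # evict failures that aged out
                recent.pop(0)
            if len(recent) >= threshold:
                triggered_at = ev["ts"]
                break
        if triggered_at is None:
            continue
        failures = [ev for ev in evs if ev["result"] == "FAILURE"]
        success = next(
            (ev for ev in evs if ev["result"] == "SUCCESS"
             and 0 <= (ev["ts"] - triggered_at).total_seconds() <= window_seconds),
            None,
        )
        alerts[src] = {
            "triggered_at": triggered_at,
            "failure_count": len(failures),
            "users": sorted({ev["user"] for ev in failures}),
            "shares": sorted({ev["share"] for ev in failures}),
            "success_after_burst": success["user"] if success else None,
        }
    return alerts


if __name__ == "__main__":
    for src, alert in detect_password_guessing(SAMPLE_LOG).items():
        print(src, alert)
```

The sliding window matters more than the raw count: the worm tries its whole list within seconds, so five failures in a minute from one host is a strong signal, while the same five failures spread over a working day from one user is noise. A hit with `success_after_burst` set is the one to act on first, since that share now holds a copy of SCtri.exe.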

The worm is also known as Exploit:Win32/MS06040.gen [Microsoft], IRC/SdBot trojan [ESET], and Worm/SdBot.735232.1 [AntiVir].

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: SdBot.NW (Worm) signature [798 hits recorded].
