New Autorun.inf worm variant

January 30, 2009

SonicWALL UTM Research team observed a new Autorun.inf worm variant starting on Monday, January 26, 2009 which has IRC Bot functionality and spreads via network shares or by exploiting windows vulnerabilities.

SonicWALL has received 7 copies of this network aware worm. It performs following activities when executed:

Host level activities

  • Disables Task Manager
  • Disables Registry Tools
  • Disables Notifications for Firewalls and various AntiVirus Tools
  • Copies itself to %windir%system32driversSCtri.exe and adds a registry entry for it to run every time system reboots
  • Infects USB drive by dropping an autorun.inf file and a copy of itself SCtri.exe so that whenever user connects the infected USB drive on a machine with auto run enabled, the machine will get infected.
  • Modifies the tcpip.sys file to conceal the network traffic from being captured locally by well-known sniffers (E.g. wireshark)
  • It includes Anti-VM and Anti-Debugging code

Network level activities

  • Scans the network for SMB shares with weak passwords and infects them. List of passwords it tries looks like following:
    • server
    • asdfgh
    • asdf
    • password
    • access
    • pass1234
    • administrador
    • 654321
    • 123456
    • 12345
    • 1234
    • root
    • admin
    • administrator
  • Also spreads on the network of computers by exploiting Windows vulnerabilities: MS04-011 and MS08-067
  • Tries to resolve multiple domains (baldmanpower.[com/net/org] and ) and connects to an IRC server on port 80 where it listens for the commands.
  • It has the RxBot family IRC bot functionality.

The worm is also known as Exploit:Win32/MS06040.gen [Microsoft], IRC/SdBot trojan [ESET], and Worm/SdBot.735232.1 [AntiVir]

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: SdBot.NW (Worm) signature [798 hits recorded].