New Autorun.inf worm variant
SonicWALL UTM Research team observed a new Autorun.inf worm variant starting on Monday, January 26, 2009 which has IRC Bot functionality and spreads via network shares or by exploiting windows vulnerabilities.
SonicWALL has received 7 copies of this network aware worm. It performs following activities when executed:
Host level activities
- Disables Task Manager
- Disables Registry Tools
- Disables Notifications for Firewalls and various AntiVirus Tools
- Copies itself to %windir%system32driversSCtri.exe and adds a registry entry for it to run every time system reboots
- Infects USB drive by dropping an autorun.inf file and a copy of itself SCtri.exe so that whenever user connects the infected USB drive on a machine with auto run enabled, the machine will get infected.
- Modifies the tcpip.sys file to conceal the network traffic from being captured locally by well-known sniffers (E.g. wireshark)
- It includes Anti-VM and Anti-Debugging code
Network level activities
- Scans the network for SMB shares with weak passwords and infects them. List of passwords it tries looks like following:
- Also spreads on the network of computers by exploiting Windows vulnerabilities: MS04-011 and MS08-067
- Tries to resolve multiple domains (baldmanpower.[com/net/org] and kutlufamily.com ) and connects to an IRC server on port 80 where it listens for the commands.
- It has the RxBot family IRC bot functionality.
The worm is also known as Exploit:Win32/MS06040.gen [Microsoft], IRC/SdBot trojan [ESET], and Worm/SdBot.735232.1 [AntiVir]
SonicWALL Gateway AntiVirus provides protection against this malware via GAV: SdBot.NW (Worm) signature [798 hits recorded].