Backdoor:Win32/Sdbot.ZA

Backdoor:Win32/Sdbot.ZA is a backdoor Trojan that allows an attacker to take control of an infected computer. When a computer is infected, the Trojan connects to an Internet Relay Chat (IRC) server and joins a channel in order to receive commands from the controlling attacker. This malware can also spread via network shares with weak passwords, and by exploiting a known vulnerability in the RPCSS Service (addressed in Microsoft Security Bulletin MS03-039).

When executed, Sdbot.ZA copies itself to <System>\scvideo.exe and makes the following registry modifications to ensure that this file is executed at each Windows start:

Note: <System> is a variable location and refers to the location of the affected machine's System directory. The default location of the Windows System directory is C:\Windows\System32 (Windows XP, Vista); C:\Winnt\System32 (Windows NT/2000), C:\Windows\System (Windows 95/98/ME).

It also drops the file “oreans32.sys”. This is a legitimate file associated with the Themida software protection system from Oreans Technologies.

Sdbot.ZA attempts to spread to accessible network shares using a simple dictionary attack. It carries the following list of username and passwords:

 

Sdbot.ZA also attempts to spread by exploiting the "Buffer Overrun In RPCSS Service Could Allow Code Execution" vulnerability, addressed in Microsoft Security Bulletin MS03-039.

Sdbot.ZA connects to a particular IRC channel on 'nety.cdmon.org' via port 6667 in order to be controlled by a remote attacker. Using this backdoor a remote attacker can perform the following actions:

Sdbot.ZA attempts to steal CD keys of the following game applications, should they be installed on the affected system:

 

Battlefield 1942
Battlefield 1942 (Road To Rome)
Battlefield 1942 (Secret Weapons of WWII)
Battlefield Vietnam
Black and White
Chrome
Command and Conquer: Generals
Command and Conquer: Generals (Zero Hour)
Command and Conquer: Red Alert
Command and Conquer: Red Alert 2
Command and Conquer: Tiberian Sun
Counter-Strike (Retail)
CustomerNumber
FIFA 2002
FIFA 2003
Freedom Force
Global Operations
Gunman Chronicles
Half-Life
Hidden & Dangerous 2
IGI 2: Covert Strike
Industry Giant 2
James Bond 007: Nightfire
Legends of Might and Magic
Medal of Honor: Allied Assault
Medal of Honor: Allied Assault: Breakthrough
Medal of Honor: Allied Assault: Spearhead
Nascar Racing 2002
Nascar Racing 2003
Need For Speed Hot Pursuit 2
Need For Speed: Underground
Neverwinter Nights
NHL 2002
NHL 2003
NOX
Rainbow Six III RavenShield
RegNumber
Shogun: Total War: Warlord Edition
Software\Red Storm Entertainment\RAVENSHIELD
Software\Westwood\Red Alert
Software\Westwood\Red Alert 2
Software\Westwood\Tiberian Sun
Soldier of Fortune II - Double Helix
Soldiers Of Anarchy
The Gladiators
Unreal Tournament 2003
Unreal Tournament 2004

This malware may also log user keystrokes to %windir%\k3y706.xml.

Sdbot.ZA terminates the following services (mostly associated with security-related applications) on the affected machine:

Sdbot.ZA may delete the files it creates using the batch file 'sdel.bat'.