WORM_SDBOT.AKJ
Overview

Malware type: Worm

Aliases: Backdoor.Win32.Rbot.sh (Kaspersky), Generic.k (McAfee), W32.Spybot.KEG (Symantec), Worm/Rbot.155648.2 (Avira), Backdoor:Win32/Rbot.FN (Microsoft)

In the wild: No

Language: English

Platform: Windows 95, 98, ME, NT, 2000, XP

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: High

Description: 

This worm arrives as P6.EXE on target machines. It spreads by dropping a copy of itself into accessible network shares. If those shares are not accessible, it uses a hardcoded list of user names and passwords to try to gain access.

It may further propagate by taking advantage of machines vulnerable to the following Windows exploits:

  • A buffer overflow in SQL Server 2000, a vulnerability that allows a low-privileged user to run, delete, insert or update Web tasks. As a result, an attacker who can authenticate to the SQL server may perform the same actions and run existing Web tasks in the security context of the task's creator. More information on this vulnerability is found in Microsoft Security Bulletin MS02-061.

  • The RPC/DCOM vulnerability, which allows an attacker to gain full access to and execute arbitrary code on a target machine by sending a malformed packet to the DCOM service. The attack uses RPC over TCP port 135. More information on this vulnerability is found in Microsoft Security Bulletin MS03-026.

  • The IIS/WebDAV vulnerability, which enables arbitrary code execution on the WebDAV server, likewise by sending a malformed request packet. The affected service is the HTTP service on port 80. More information about this vulnerability is found in Microsoft Security Bulletin MS03-007.

  • The Windows LSASS vulnerability, which is a buffer overrun that allows remote code execution and enables a malicious user to gain full control of the affected system. This vulnerability is discussed in detail in Microsoft Bulletin MS04-011 and Trend Micro's Vulnerability Description for MS04-011.

This worm connects to an IRC server and joins a specific channel. Once connected, it executes commands issued by a remote malicious user locally on the affected machine. It also terminates the processes of a list of other malware. Moreover, it steals the CD keys of popular games installed on the affected machine.
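As an added example that is not part of this Trend Micro description, the following Python script shows how a defender could spot the propagation pattern described above in connection logs: one internal host fanning out to many peers on the ports tied to the listed vulnerabilities and to file shares, followed by an outbound IRC connection. The log line format, the port-to-vector mapping, the IRC ports and the fan-out threshold are assumptions; the sample log is constructed.

```python
from collections import defaultdict

# Destination ports tied to the propagation vectors the description lists (mapping is an assumption).
WORM_PORTS = {
    135: "RPC/DCOM (MS03-026)",
    80: "IIS/WebDAV (MS03-007)",
    1433: "SQL Server (MS02-061)",
    445: "network shares / LSASS (MS04-011)",
    139: "network shares",
}
IRC_PORTS = {6667, 6668, 6669}  # assumption: common IRC ports; the page does not name the server
FANOUT_THRESHOLD = 20           # assumption: distinct peers per (source, port) before alerting

def parse_line(line):
    """Parse a constructed log line such as 'src=10.0.0.5 dst=10.0.1.9 dport=135 proto=tcp'."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return fields["src"], fields["dst"], int(fields["dport"])

def analyze(lines):
    """Return {source host: [finding, ...]} for hosts showing the worm's fan-out pattern."""
    fanout = defaultdict(set)  # (src, dport) -> distinct destination hosts
    irc_sources = set()
    for line in lines:
        src, dst, dport = parse_line(line)
        if dport in WORM_PORTS:
            fanout[(src, dport)].add(dst)
        if dport in IRC_PORTS:
            irc_sources.add(src)
    findings = {}
    for (src, dport), dsts in fanout.items():
        if len(dsts) >= FANOUT_THRESHOLD:
            findings.setdefault(src, []).append(f"{len(dsts)} peers on {dport} ({WORM_PORTS[dport]})")
    # An IRC connection alone is not suspicious; it is reported only alongside the scanning pattern.
    for src in findings:
        if src in irc_sources:
            findings[src].append("outbound IRC connection")
    return findings

# Constructed sample: 10.0.0.5 fans out to 30 peers on 135 and 445 and then contacts IRC;
# 10.0.0.8 makes a few ordinary web requests and must not be flagged.
SAMPLE_LOG = (
    [f"src=10.0.0.5 dst=10.0.1.{i} dport=135 proto=tcp" for i in range(1, 31)]
    + [f"src=10.0.0.5 dst=10.0.1.{i} dport=445 proto=tcp" for i in range(1, 31)]
    + ["src=10.0.0.5 dst=203.0.113.7 dport=6667 proto=tcp"]
    + [f"src=10.0.0.8 dst=10.0.2.{i} dport=80 proto=tcp" for i in range(1, 4)]
)

if __name__ == "__main__":
    for host, reasons in analyze(SAMPLE_LOG).items():
        print(host, "->", "; ".join(reasons))
```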


Description created: Jan. 29, 2005 12:10:06 AM GMT -0800
