W32/SDBot.AH!worm

Analysis

  • The Trojan was mass-mailed to numerous email addresses in an attempt to spread widely. It may have been received in an email message purporting to be a patch from Microsoft:

    Subject: Microsoft Security Update
    Body:
    THE MICROSOFT SECURITY UPDATE NEWSLETTER
    October 18, 2003

    The Microsoft Security Update Newsletter for home users
    and small businesses provides information on security-related updates to Microsoft(R) products, as well as virus alerts and resources for more information on security issues.
    __________________________________________________
    SECURITY BULLETIN
    Please review Microsoft Security Bulletin MS03-047: Security Update for Microsoft Windows(R)

    WHY WE ARE ISSUING THIS UPDATE
    A security issue has been identified that could allow an attacker to remotely compromise a computer running Microsoft Windows and gain complete control over it. You can help protect your computer by installing this update from Microsoft.

    PRODUCTS AFFECTED
    Windows 98
    Windows ME
    Windows NT(R) 4.0
    Windows 2000
    Windows XP
    Windows Server(TM) 2003

    Attachment: MS03-047.exe (12904 bytes)

  • The attachment is really a .ZIP file carrying an .EXE extension, so it probably will not execute as distributed

  • If the attached file is saved, renamed with a .ZIP extension and then extracted, the result is an embedded binary named "ms03-047.exe", dated October 19, 2003, with a file size of 14880 bytes

  • If that file is extracted and run, it may install itself to the local system as "autoupdate.exe" in the Windows System32 folder, and then modify the registry so that it is loaded at Windows startup:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
    "windowsupdate" = autoupdate.exe w

  • The Trojan creates a mutex in memory named "mwinamplite" and attempts to connect to an IRC server at the hostname "itc.ourmoney.pp.ru" (IP 69.10.144.208) on TCP port 31337

  • Once connected, it waits for instructions from a hacker or group of hackers

Recommended Action

  • Block access to TCP port 31337
  • Block outbound access (INT -> EXT) to the IP address 69.10.144.208
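The indicators in the analysis above (the Run-key persistence value, the C2 hostname and IP, and TCP port 31337) and the two recommended blocking rules can be turned into a retrospective hunt over existing telemetry. The following is an added example, not part of the Fortinet analysis: it matches constructed firewall and DNS log lines and a constructed dump of the HKLM Run key against those indicators. The key=value log format, the sample internal addresses and the helper names (`scan_firewall`, `scan_dns`, `check_run_key`, `correlate`) are assumptions for this example, not a real product's format or API.

```python
"""Added example (not part of the Fortinet page): hunt for the W32/SDBot.AH
indicators listed in the analysis across network and host telemetry.

Indicators taken from the page:
  - Run value  "windowsupdate" = autoupdate.exe   (HKLM\...\CurrentVersion\Run)
  - C2 host    itc.ourmoney.pp.ru / 69.10.144.208, TCP port 31337

Log formats below are constructed for this example; adapt parse_kv() to
your own firewall / resolver export.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

C2_IP = "69.10.144.208"
C2_HOST = "itc.ourmoney.pp.ru"
C2_PORT = 31337
RUN_VALUE_NAME = "windowsupdate"
RUN_VALUE_DATA = "autoupdate.exe"

# Constructed firewall log (key=value style; not a real product format).
SAMPLE_FW_LOG = """\
ts=2003-10-20T09:12:01Z src=10.0.0.15 dst=69.10.144.208 dport=31337 proto=tcp action=allow
ts=2003-10-20T09:12:05Z src=10.0.0.15 dst=93.184.216.34 dport=443 proto=tcp action=allow
ts=2003-10-20T09:13:44Z src=10.0.0.22 dst=10.0.0.1 dport=31337 proto=tcp action=allow
ts=2003-10-20T09:15:10Z src=10.0.0.31 dst=198.51.100.7 dport=80 proto=tcp action=allow
"""

# Constructed DNS query log (not a real product format).
SAMPLE_DNS_LOG = """\
ts=2003-10-20T09:11:58Z client=10.0.0.15 qname=itc.ourmoney.pp.ru qtype=A
ts=2003-10-20T09:12:03Z client=10.0.0.40 qname=update.microsoft.com qtype=A
"""

# Constructed Run-key contents as a name -> data mapping (e.g. parsed from a
# `reg export` or collected by an endpoint agent).
SAMPLE_RUN_VALUES = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "windowsupdate": "autoupdate.exe",
}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_kv(line):
    """Turn one 'k=v k=v' log line into a dict (empty dict for blank lines)."""
    return dict(KV_RE.findall(line))


@dataclass(frozen=True)
class Hit:
    source: str   # "firewall", "dns" or "registry"
    client: str   # internal host the indicator was seen on
    reason: str   # which indicator matched


def scan_firewall(log_text):
    """Flag flows to the C2 IP and any TCP flow to port 31337 (both actions
    recommended on the page). One line can yield two hits."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_kv(line)
        if not rec:
            continue
        if rec.get("dst") == C2_IP:
            hits.append(Hit("firewall", rec["src"], f"destination is C2 IP {C2_IP}"))
        if rec.get("proto") == "tcp" and rec.get("dport") == str(C2_PORT):
            hits.append(Hit("firewall", rec["src"], f"tcp/{C2_PORT} connection"))
    return hits


def scan_dns(log_text):
    """Flag resolver clients that looked up the C2 hostname."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_kv(line)
        if rec.get("qname", "").lower() == C2_HOST:
            hits.append(Hit("dns", rec["client"], f"lookup of C2 host {C2_HOST}"))
    return hits


def check_run_key(run_values, host="localhost"):
    """Flag the persistence value the Trojan writes. Comparison is
    case-insensitive because registry value names are."""
    hits = []
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE_NAME and RUN_VALUE_DATA in data.lower():
            hits.append(Hit("registry", host, f"Run value {name!r} = {data!r}"))
    return hits


def correlate(hits):
    """Group hits by internal host so a host seen in several sources
    (e.g. DNS lookup followed by the tcp/31337 flow) ranks first."""
    by_host = defaultdict(list)
    for h in hits:
        by_host[h.client].append(h.reason)
    return sorted(by_host.items(), key=lambda kv: -len(kv[1]))


if __name__ == "__main__":
    all_hits = (scan_firewall(SAMPLE_FW_LOG) + scan_dns(SAMPLE_DNS_LOG)
                + check_run_key(SAMPLE_RUN_VALUES, host="10.0.0.15"))
    for host, reasons in correlate(all_hits):
        print(host)
        for r in reasons:
            print("   ", r)
```

In the constructed data, 10.0.0.15 is reported three times (DNS lookup, flow to the C2 IP, flow on tcp/31337) plus the Run-key hit, while 10.0.0.22 appears once for an internal tcp/31337 connection and is worth a look but is a weaker signal on its own.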

Telemetry

Detection Availability

FortiGate
Extended
FortiClient
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2023-06-27 91.04592
2023-06-27 91.04590
2023-06-27 91.04583
2023-05-08 91.03073
2023-05-07 91.03054
2023-05-06 91.03021
2023-02-22 91.00810
2023-02-21 91.00794
2023-02-16 91.00640
2023-02-14 91.00573