Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances
New SDBot Internet worm variant can install rootkit

suzi
Site Admin

Posted: Wed Nov 16, 2005 7:51 pm    Post subject: New SDBot Internet worm variant can install rootkit

http://msmvps.com/harrywaldron/archive/2005/11/16/75773.aspx

A new version of the Sdbot Internet worm is circulating in the wild and it can install a rootkit.

http://vil.nai.com/vil/content/v_136981.htm

Symptoms
Quote:
When run, the bot installs itself into the %Windir% directory as NVIDEOGUI.EXE, for example:

C:\WINDOWS\NVIDEOGUI.EXE
System startup is hooked via the addition of the following keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nvideoGUI
ImagePath = "%Windir%\NVIDEOGUI.EXE"


An additional file is dropped (REMON.SYS - 7168 bytes) into the same %Windir% folder. This file is detected as FUROOTKIT since at least the 4599 DATS.

The worm appears to be Windows XP Service Pack 2 aware and makes several references to security features within the new Windows Security Center, such as:

• UpdatesDisableNotify
• AntiVirusDisableNotify
• FirewallDisableNotify

The following registry keys are modified:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
EnableDCOM = "N"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous = "dword:00000001"

Security settings are disabled by modifying the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify = "dword:00000001"
AntiVirusDisableNotify = "dword:00000001"
FirewallDisableNotify = "dword:00000001"
AntiVirusOverride = "dword:00000001"
FirewallOverride = "dword:00000001"

Windows Update is disabled by modifying the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
AUOptions = "dword:00000001"

Firewall policies are disabled by modifying the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall = "dword:00000000"

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall = "dword:00000000"

Task Manager and Registry Editor are disabled:

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr = "dword:00000001"
DisableRegistryTools = "dword:00000001"

Administrative shares are disabled:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareWks = "dword:00000000"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareServer = "dword:00000000"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
AutoShareWks = "dword:00000000"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters

_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn. Smile
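As an added example (not part of the post or of McAfee's description), here is a small Python checker that parses a Regedit 5.00 .reg export of the keys quoted above and reports which of them hold the values the bot writes, so a triage of an exported registry can be done off the suspect machine. The indicator table is typed in from the quoted description (most of the keys listed there), and the sample export is constructed, not a real capture.

```python
import re

# Indicators quoted in the McAfee description above (key -> {value name: value the bot writes}); matched case-insensitively.
SDBOT_INDICATORS = {
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nvideoGUI": {"ImagePath": r"%Windir%\NVIDEOGUI.EXE"},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole": {"EnableDCOM": "N"},
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa": {"restrictanonymous": 1},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center": {"UpdatesDisableNotify": 1, "AntiVirusDisableNotify": 1,
        "FirewallDisableNotify": 1, "AntiVirusOverride": 1, "FirewallOverride": 1},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update": {"AUOptions": 1},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile": {"EnableFirewall": 0},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile": {"EnableFirewall": 0},
    r"HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System":
        {"DisableTaskMgr": 1, "DisableRegistryTools": 1},
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters":
        {"AutoShareWks": 0, "AutoShareServer": 0},
}

def parse_reg_export(text):
    """Parse a Regedit 5.00 .reg export into {key: {value name: value}} (dword -> int, "string" unescaped)."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):          # [HKEY_...] opens a key
            keys.setdefault(current := line[1:-1].lower(), {})
        elif current is not None and line.startswith('"') and "=" in line:   # "name"=value
            name, raw = line.split("=", 1)
            value = raw                                           # hex: etc. kept verbatim; never equals an indicator
            if raw.startswith("dword:"):
                value = int(raw[6:], 16)
            elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
                value = re.sub(r"\\(.)", r"\1", raw[1:-1])       # undo the \\ and \" escaping of .reg strings
            keys[current][name.strip('"').lower()] = value
    return keys

def find_sdbot_indicators(reg_text):
    """Return [(key, value name, value)] for each indicator the export holds with the bot's value."""
    keys, hits = parse_reg_export(reg_text), []
    for key, wanted in SDBOT_INDICATORS.items():
        present = keys.get(key.lower(), {})
        hits += [(key, n, v) for n, v in wanted.items() if present.get(n.lower()) == v]
    return hits

# Constructed sample export (not a real capture); AntiVirusOverride=0 is included to show a non-match.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nvideoGUI]
"ImagePath"="%Windir%\\NVIDEOGUI.EXE"
"""
```

A real export made with `reg export <key> file.reg` is written as UTF-16, so read it with `open(path, encoding="utf-16")` before passing the text in.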