Some Old Virus Info

W32/Sdbot-CWM is a worm for the Windows platform.

W32/Sdbot-CWM runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

W32/Sdbot-CWM includes functionality to access the internet and communicate with a remote server via HTTP.

When first run, W32/Sdbot-CWM copies itself to:

\alg.exe
\KaZaA\My Shared Folder\.exe

The file alg.exe is registered as a new system driver service named “Application Layer Gateway Services”, with a display name of “Application Layer Gateway Services” and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\Application Layer Gateway Services

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCScan
0

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCDisable
ffffff9d

For the other Internet activity mentioned, I would need to know the ports used so I can confirm why/if they are needed.
Some ports need to be limited or blocked, for example ports 135/137-139/445/1900/5000.

FILENAME: Alg.exe.
PROGRAM NAME: Application Layer Gateway.
DESCRIPTION: Part of Windows XP that provides support for ICS and Internet Connection Firewall (ICF).
RECOMMENDED ACTION: If a third-party firewall warns you that ALG.exe wants access, check to make sure you’re not double-firewalled. If you are, disable ICF. If you are using neither ICF nor ICS and are warned that ALG.exe is trying to access the Net, deny it. A Trojan horse or worm may be trying to use it as a backdoor.

When first run, Troj/Clown-A copies itself to \syscom832.exe and creates the file \serfer.ini. The Trojan then attempts to connect to a remote site to download information into serfer.ini.

The following registry entries are set, disabling the registry editor (regedit) and the Windows task manager (taskmgr):

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

The following registry entry is set:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
userinit.exe,syscom832.exe

Troj/Clown-A may also create the following registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
winlogon
winlogon.exe
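The registry changes listed for both W32/Sdbot-CWM and Troj/Clown-A are easy to audit offline from a registry export (the text format written by `reg export` or regedit). The script below is an added example written for this page, not code from either virus description: it parses a constructed .reg fragment seeded with the values quoted above (the `Userinit` hijack, `SFCDisable`, the Task Manager and Registry Editor policies, the `winlogon` Run entry, and the fake "Application Layer Gateway Services" service), and reports each indicator. It goes slightly beyond the page in two places, both assumptions of mine: any Run entry named after a core Windows process (not only `winlogon`) is flagged, and a service whose display name mimics the genuine `ALG` service but lives under a different service key is flagged. A constructed clean export is included to show that the stock `Userinit` value and the real ALG service produce no findings.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the .reg export format, seeded with the values the two
# write-ups above describe. This is not a real capture.
INFECTED_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="userinit.exe,syscom832.exe"
"SFCScan"=dword:00000000
"SFCDisable"=dword:ffffff9d

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"winlogon"="winlogon.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Application Layer Gateway Services]
"DisplayName"="Application Layer Gateway Services"
"Start"=dword:00000002
"""

# Constructed clean counterpart: the stock Userinit value and the genuine ALG service.
CLEAN_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"SFCScan"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ALG]
"DisplayName"="Application Layer Gateway Service"
"Start"=dword:00000003
"""

WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
POLICIES = r"hkey_current_user\software\microsoft\windows\currentversion\policies\system"
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
SERVICES = "hkey_local_machine\\system\\currentcontrolset\\services\\"
# Assumption: core processes the OS starts itself. A Run entry named after one of
# them (the "winlogon" entry above) is a disguise, since none is started via Run.
CORE_PROCESS_NAMES = {"winlogon.exe", "userinit.exe", "csrss.exe", "lsass.exe",
                      "services.exe", "smss.exe"}


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse the subset of the .reg format used here: [key] headers, "name"="string"
    and "name"=dword:xxxxxxxx lines. Keys and value names are lower-cased so the
    checks below are case-insensitive, as the registry itself is."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"(.*?)"=(.*)$', line)  # the "@" default value is not handled
        if not m or current is None:
            continue
        name, data = m.group(1).lower(), m.group(2)
        if data.startswith("dword:"):
            keys[current][name] = int(data[len("dword:"):], 16)
        elif data.startswith('"') and data.endswith('"'):
            # .reg string values escape backslashes and quotes
            keys[current][name] = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        # other value types (hex:, hex(2): ...) are ignored in this illustration
    return keys


def check_indicators(keys: Dict[str, Dict[str, object]]) -> List[Tuple[str, str]]:
    """Return (indicator, detail) pairs for the persistence and tampering
    techniques described in the two write-ups."""
    findings: List[Tuple[str, str]] = []

    winlogon = keys.get(WINLOGON, {})
    # Userinit: every comma-separated program listed here runs at each logon.
    # The only legitimate entry is userinit.exe (optionally with a full path).
    userinit = winlogon.get("userinit")
    if isinstance(userinit, str):
        extra = [p.strip() for p in userinit.split(",")
                 if p.strip() and p.strip().lower().split("\\")[-1] != "userinit.exe"]
        if extra:
            findings.append(("winlogon-userinit", ", ".join(extra)))
    # SFCDisable=ffffff9d turns Windows File Protection off. SFCScan=0 is the
    # common default, so it is not reported on its own.
    if winlogon.get("sfcdisable") == 0xFFFFFF9D:
        findings.append(("sfc-disabled", "SFCDisable=ffffff9d"))

    policies = keys.get(POLICIES, {})
    for name in ("disabletaskmgr", "disableregistrytools"):
        if policies.get(name) == 1:
            findings.append(("policy-" + name, name + "=1"))

    for name, data in keys.get(RUN_KEY, {}).items():
        exe = str(data).lower().strip('"').split("\\")[-1]
        if exe in CORE_PROCESS_NAMES or name + ".exe" in CORE_PROCESS_NAMES:
            findings.append(("run-system-name", f"{name}={data}"))

    for key, values in keys.items():
        if key.startswith(SERVICES):
            svc = key[len(SERVICES):]
            if "\\" in svc:  # skip Parameters and other subkeys
                continue
            display = str(values.get("displayname", "")).lower()
            if display.startswith("application layer gateway") and svc != "alg":
                findings.append(("service-impersonates-alg", svc))
    return findings


if __name__ == "__main__":
    for label, export in (("infected", INFECTED_REG_EXPORT), ("clean", CLEAN_REG_EXPORT)):
        print(label, check_indicators(parse_reg_export(export)))
```

Run against a real export with `python check.py` after swapping the constructed strings for the file contents; the parser deliberately ignores the value types it does not need, so extend it before trusting it on `hex(2):` (REG_EXPAND_SZ) data such as a real `ImagePath`.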