My Worm is Bigger Than Yours

To give others further information on this sdbot.worm (continuing from my
previous post here
are the main characteristics I've found on almost all variants I've come
across. Obviously it seems to be a polymorphic form of worm meaning its
characteristics are changing. Before I begin though I would hope no one
would think its off topic since there may be one variant of this worm
flooding your network with randomly generated MAC addresses, not good on
those switches. Also I wouldn't think it's off topic since most of you are
likely already seeing, or will be seeing more traffic generated on ports
445, 80, and 82.

There seems to be one main executable, but I haven't found out which one
this is. The names I've come across so far for most of the executables are
somewhat synomous with standard Windows programs.

Microsoft program Worm's program
serv.exe serv32.exe
services.exe services32.exe
lsass.exe lsass32.exe

The following is a list of the names of the executables I've come across
which meet the criteria of this annoyance.


Other programs have garbled names e.g., wetyr.exe, oiure.exe

These programs typically tend to reside in:

Along with the usual MSIE cache folder.

The programs have been appearing in Windows' registry as follows:


Easiest thing to sort of do is ctrl-f for the names and you will usually
seem them bundled, but if you have to remove it, you want to search for
each individually since some mix things up.

Name Data
Setver32.exe Windows Secure
Regserv32.exe Reg Service
Mswinc.exe Remote Procedure Calls
Mswinc32.exe Remote Procedure Calls
Systemiom.exe System Updater

Others have no Data associated with them.

Now the I haven't managed to zero in on which is sending our random MAC
addresses yet but eventually I will try maybe an antivirus company can do
so before me. So let me explain a few quick oddities I've seen so far .
Get a complain student is not connected, go to dorm, repunch his port, no
dice, open the closet no dice. What was happening with his machine was his
connection would come up, then go down the second it came up, then come
right back up the second it went down. Same happened with a colleague
Bizarre, bizarre.

Another student "I can't get my Interweb" . Same thing repunch her,
repatch her machine with the latest "Microsoft Fixitall Service Pack
7354738245" still no dice. Run through reinstalling drivers, swapping
Ethernet cards, nothing. Redid some tweaks and she gets connected. Second
she did get connected. "IP ADDRESS CONFLICT WITH FOO MAC"
Only thing was after searching the network no MAC addresses with the
number it was posting existed.

This particular issue with the MAC "spoofing" if you want to call it that,
I prefer random MAC generation, was being flooded out through ports 80,
and 82. So what will happen if some worm has the characteristics built in
to generate MAC's when it tries to send out your router's or servers MAC
address? You do the math. (NOTE: Still looking into this port 80 82 issue
so could be a false alarm but nevertheless I've come across some odd
things this past week which I'd never seen.)

Most of the worms that open the port 445 connections, tend to open up
hundreds if not thousands of requests more than likely to infected
machines. After the first few occurrences I came across, I would see a
machine pop open a few hundred connections after seconds of their machine
obtaining an address. The first thing I would notice via netstats would be
some form of IRC connection going out, so the possibilities would be
either a DdoS slave, or it's sending information somewhere.

Bling is supposedly set to send "ALL_THINGS_RELATED_TO_LOGINS" as well as
Paypal information to some server, if it is sending information I can't
find where it would be storing it. Keep in mind the prior code I was able
to find regarding this annoyance where it modified antivirus software to
either kill it, or to avoid detection, as well as kill your ability to use
regedit, taskmgr, and other tools. There is the possibility it is storing
something somewhere, I haven't come across it yet.

Finally (I think) the ftpd.exe which always seems to piggyback with the
others, this little piggie more than likely may be the one turning the
infected machine to a TFTP server whereby other infected machines ensure
they stay infected. This seems to create a file called bla.txt

This text file lists the following:

Open 13501
User blah
Pass blah
Get bot.exe

Bot.exe I'm gonna assume is probably an ircbot of sorts, unfortunately I
cannot find this program anywhere, but the infected machine does connect
to irc, it does open a TFTP server, and will attempt to connect to
hundreds if not thousands of ports via 445. Most machines may have gotten
infected via file sharing, Limewire, Kazaa, KazaaLite, BitTorrent, etc.,
along with probably viewing some porn related page since I've also come
across dialer.exe's here and there.

Sorry for the long mail, and apologies if it seems offtopic to some but
remember, someone down the line is paying for this traffic. Let's hope it
doesn't becomes an epidemic like Microsoft itself.

At least you'd of been forewarned of some of the characteristics you're
likely to see.

I've managed to get more information should anyone care to take peek at
what one machine I ran into had. Quickie (ugly) write up/dissection
includes two irclogs stored on the infected machine, parsed infected
machine IP addresses (good to check if your network is spewing worm/virus
traffic), and to get an overall assessment of this annoyance. Cross posted
this to UNISog