Sdbot.EPZ

SDBOT.EPZ gusano/backdoor de HTTP redes con recursos compartidos IRC y vulnerabilidades del sistema.

W32/Sdbot.EPZ

Sdbot.EPZ es un destructivo gusano/backdoor residente en memoria reportado el 07 de Mayo del 2007, que se propaga a través de páginas web infectadas, redes con recursos compartidos configuradas con contraseñas débiles y del IRC (Internet Chat Relay).

Explota además las vulnerabilidades del desbordamiento del buffer del RPC, el RPCSS y del servicio de Estaciones de Trabajo.

Es un PE (Portable Ejecutable) e infecta Windows 98/NT/Me/2000/XP y Server 2003, está desarrollado en MS Visual C++ con una extensión de 1,356 KB

Ingresado al sistema se copia a la carpeta %System% con un nombre aleatorio, con extensión .EXE con los atributos de "oculto", "system" y "solo de lectura" y para activarse la siguiente vez que se inicie el sistema crea las siguientes llaves de registro:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft update" = "%System%\[archivo_aleatorio].exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ]
"Microsoft update" = "%System%\[archivo_aleatorio].exe"

[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"Microsoft update" = "%System%\[archivo_aleatorio].exe"

para deshabilitar la administración de recursos compartidos crea la sub-llave:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareWks" = "0"

para deshabilitar el Windows Security Center crea la sub-llave:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start" = "4"

para deshabilitar el DCOM crea la sub-llave:

[HKEY_LOCAL_MACHINE\Software\Microsoft\OLE]
"EnableDCOM" = "N"

para restringir el acceso anónimo crea la sub-llave:

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA]
"RestrictAnonymous" = "1"

%System% es la variable C:\Windows\System para Windows 95/98/Me, C:\Winnt\System32 para Windows NT/2000 y C:\Windows\System32 para Windows XP y Windows Server 2003.

Al siguiente re-inicio del equipo, el gusano rastrea direcciones de redes con recursos compartidos configuradas con contraseñas débiles e intenta ingresar a las siguientes carpetas:

C$\Windows\system32
C$\WINNT\system32
ADMIN$\system32
ADMIN$
%s\IPC$

para lo cual usa una lista compilada en su código, que contiene los siguientes nombres y contraseñas:

0wn3d
0wned
111111
11111111
121212
123123
12345
123456
1234567
12345678
123456789
1234qwer
123abc
123asd
123qwe
54321
654321
88888888
abc123
academia
academic
ACCESS
account
action
ADMIN
admin123
administrador
administrat
administrateur
ADMINISTRATOR
admins
adrian
adrianna
adult
aerobics
airplane
alaska
albany
albatros
albatross
albert
alert
alexande
Alexander
algebra
alias
aliases
alice
alicia
alisa
alison
allison
allow
alpha
alphabet
amadeus
amanda
amber
america
amorphou
amorphous
analog
anarchis
anarchy
anchor
andrea
android
andromac
andromache
angela
angerine
angie
animal
animals
anita
annette
anonymou
answer
anthrax
anthropo
anthropogenic
anvils
anything
apollo13
april
ariadne
arlene
arrow
arthur
artist
asian
asshole
athena
atmosphe
atmosphere
attack
authoriz
aztecs
azure
bacchus
backdoor
BACKUP
badass
bailey
banana
bananas
bandit
banks
barbara
barber
baritone
bartman
baseball
basic
bassoon
batch
batman
beach
beammeup
beast
beater
beauty
beaver
becky
beethove
beethoven
begin
behead
beloved
beowulf
berkeley
berlin
berliner
beryl
betsie
betty
beverly
bible
bicamera
bicameral
bigfoot
billy
binary
bishop
bitch
bitmap
bitnet
black
blonde
blondie
blood
bloodaxe
blowjob
blues
board
boner
boobs
boyscout
bradley
brandi
brandy
bravo
break
breast
brenda
brian
bridget
broadway
brothel
brunette
brute
brutefor
bulls
bullshit
bumbling
burgess
butch
butthead
californ
camille
campanil
campanile
camping
candi
candy
cantor
captain
capture
cardinal
caren
carla
carmen
carol
carole
carolina
caroline
carrie
carson
cascades
castle
catherin
catherine
catholic
cathy
cayuga
cecily
celtic
celtics
cerulean
change
changeme
charity
charles
charlie
charming
charon
chemistr
chemistry
chess
chester
chris
christin
christina
christine
christy
cigar
cigarett
cindy
class
classes
classic
claudia
claymore
cleavage
clinton
cluster
clusters
coast
cocacola
cocainco
codename
codeword
coffee
collins
color
combat
comics
commit
commrade
commrades
company
computer
computin
comrade
comrades
condo
condom
connie
conserva
console
continue
cookbook
cookie
cooper
copper
corneliu
cornelius
correct
counters
country
couscous
cowboy
crack
crackpot
crash
cream
create
creation
creature
credit
creosote
cretin
crime
criminal
cristina
crystal
cshrc
customer
cyber
cyberpun
cyberspa
cynthia
daemon
daisy
dancer
daniel
danielle
danny
dapper
darkaven
database
death
deathsta
debbie
deborah
debug
december
default
defoe
delta
deluge
democrat
denise
dennis
desiree
desktop
desperat
desperate
develop
device
devil
diamond
diana
diane
diehard
dieter
digital
dinosaur
dipshit
direct
director
dirty
discipli
disclose
discover
discovery
diskette
disney
display
doctor
dollar
donaldduck
doom2
doomii
doomsday
doonesbu
doors
download
dragon
drdoom
drive
drought
dudette
duelist
dulce
duncan
dungeon
eager
eagle
earth
easier
eatme
eddie
edges
edinburg
edinburgh
edition
educatio
education
edwin
edwina
egghead
eiderdow
eiderdown
eileen
einsiein
einstein
elaine
elanor
electron
elephant
elizabet
elizabeth
ellen
email
emerald
emily
emmanuel
enable
enemy
engine
engineer
england
english
enter
enterpri
enterprise
enzyme
erenity
erica
erika
erotic
ersatz
establis
establish
estate
eternity
euclid
evelyn
expert
explode
explore
explorer
explosiv
extensio
extension
fairway
faith
falcon
false
family
farad
faraday
felicia
fender
fermat
ferrari
fidelity
field
fight
FILES
finite
firewall
fishers
flakes
float
florida
flower
flowers
foobar
foolproo
foolproof
football
force
foresigh
foresight
forever
format
fornicat
forsythe
fourier
foxtrot
france
frank
freak
freedom
french
friday
friend
friends
frighten
fryguy
fubar
fucked
fucker
fucking
fuckme
fuckyou
fudge
function
fungible
gabriel
games
gardner
garfield
gateway
gatherin
gauss
george
gertrude
ghost
gibson
gigabyte
ginger
glacier
godblessyou
golden
golfer
gorgeous
gorges
gosling
gouge
govermen
grades
graham
grahm
grand
grant
great
green
group
gryphon
guardian
gucci
guess
guessme
guest
guitar
gumption
guntis
h4x0r1ng
h4x0ring
h4x1ng
hacked
hacker
hagar
hallowee
hamlet
hamster
handel
handily
handjob
happenin
happening
hardcore
harddriv
harmony
harold
harvey
haven
hawaii
hax0r
haxing
headbang
heathen
heather
heaven
hebrides
heidi
heinlein
hello
herbert
heroin
hewlett
hexadeci
hiawatha
hibernia
hidden
highland
hitler
holly
hollywoo
homepage
homer
homework
honey
hooker
hooters
horny
horrible
horror
horse
horus
hotdog
hotel
hunter
hutchins
hydrogen
hyper
hypertxt
icecream
ihavenopass
illumina
image
imbrogli
imbroglio
immortal
imperial
include
india
indian
indiana
indians
ingres
ingress
ingrid
innocuou
innocuous
input
inside
integer
Internet
invent
irene
irishman
irule
jackie
janet
janice
janie
japan
jasmin
jeanne
jenni
jennifer
jenny
jerry
jerusale
jessica
jester
jewelry
jixian
joanne
johndoe
johnny
joseph
joshua
journal
joyce
judith
juggle
juicy
julia
julie
juliet
jupiter
karen
karie
karina
katana
kathleen
kathrine
kathy
katina
katrina
kelly
kermit
kernel
kerri
kerrie
kerry
kevin
keybord
keyin
keyword
kiddie
killer
killthem
kimberly
kirkland
kissmyas
kitten
klingon
knife
knight
knightma
known
krista
kristen
kristi
kristie
kristin
kristine
kristy
ladeda
ladies
ladle
lakers
lambda
laminati
lamination
laptop
larkin
larry
laser
laura
lazarus
lazer
lebesgue
leftwing
legal
leland
leroy
lesbian
leslie
letmein
lewis
lexluthe
liberal
library
licker
light
lightsab
limbaugh
limited
linda
linux
literatu
LOCAL
lockout
lockword
logic
login
loginwor
logout
lolopc
loose
lorin
lorraine
loser
louis
lovebug
lover
lucus
lynne
machine
macintos
macintosh
macro
maggot
magic
magnet
maint
malcolm
malcom
manager
marci
marcy
maria
mariens
marietta
marijuan
marines
markus
marni
marriage
marty
marvin
mason
master
Matthew
maurice
meagan
megabyte
megadeth
megan
melissa
mellon
melrose
member
memory
menace
mercury
merlin
metal
metalhea
metalica
michael
michel
michelan
michele
michelle
mickey
micro
microchi
micropro
microsof
midieval
minimum
minsky
misfit
mission
modem
mogul
moguls
monday
monica
moose
morley
morris
mortal
mortalco
mortgage
mosaic
mountain
mouse
movie
movies
mozart
msdos
muppets
mutant
mypass
mypass123
mypc123
nagel
nancy
napoleon
nepenthe
neptune
net-devil
netdevil
netfuck
netscape
network
newborn
newsgrou
newton
newyork
nicole
nicotine
night
nightmar
Nilez
nintendo
nnaacp
noble
nobody
noreen
notes
novel
november
noxious
nuclear
nukem
number
nutritio
nutrition
nyquist
obscurit
oceanogr
oceanography
ocelot
office
oldage
olivetti
olivia
omega
opening
openlock
opensesa
operator
oracle
orient
orwell
oscar
osiris
outdoors
outlaw
output
outside
owned
owner
oxford
pacific
packard
packer
painless
paint
pakistan
pamela
paper
papers
pascal
passphra
passwd
PASSWORD
paste
patricia
patrick
patriot
patty
paula
peanuts
pecker
pencil
penelope
penguin
penis
penname
pentagon
pentagra
penthous
pentium
peoria
pepper
pepsi
percolat
percolate
perfect
permit
persimmo
persimmon
persona
pervert
peter
philip
phoenix
phone
photon
phrack
phrase
phreak
phuck
pierre
pinname
pizza
plane
playboy
plover
pluto
plymouth
poetry
police
polly
polynomi
polynomial
ponderin
pondering
porno
porsche
poster
power
praise
precious
prelude
presto
prince
princeto
princeton
printer
private
privs
proceed
processo
professo
professor
profile
program
prompt
protect
protozoa
psycho
psychopa
public
pumpkin
puneet
punisher
puppet
pussy
pw123
quebec
qwert
qwerty
rabbit
rachel
rachelle
rachmani
rachmaninoff
rainbow
raindrop
raleigh
random
rascal
razor
reagan
reality
really
reaper
rebal
rebecca
rebel
record
reddawn
redhead
referenc
regional
release
remote
renee
report
republic
resistan
reveal
rhino
riffraff
right
rightwin
ripple
roach
robert
robin
robot
robotics
robyn
rochelle
rocheste
rochester
rocky
rockyhor
rodent
rolex
romano
romeo
romulan
ronald
Rosco
RoscoP
RoscoPColtrane
rosebud
rosemary
roses
rough
rubber
ruben
rules
running
salami
samantha
sample
sandra
sandy
sarah
satan
satanic
satanik
saturday
saturn
saxon
scamper
scheme
school
schoolsucks
scifi
scorpion
scott
scotty
scout
script
scriptkiddie
search
secret
security
sensor
sentinel
sentry
serenity
serial
SERVER
service
sesame
shannon
sharc
SHARE
shark
sharks
sharon
sheffiel
sheffield
sheldon
shell
sherri
shift
shirley
shitpot
shiva
shivers
short
shuttle
sierra
signatur
signature
silver
simcity
simon
simple
simpsons
simulati
singer
single
skull
slave
slick
sliders
small
smart
smile
smiles
smooch
smother
snach
snafu
snake
snatch
snoopy
social
socrates
sodomy
software
somebody
sondra
sonia
sonic
sonya
sossina
source
south
spaceman
spaceshi
sparrows
spear
spell
spice
spider
spiderma
spred
spring
springer
spunk
squires
stacey
staci
stacie
stacy
staff
starship
start
startrek
startup
starwars
steak
steal
steel
steph
stephani
stephanie
stereo
steve
stoneage
stoned
stones
strange
strangle
stratfor
stratford
streetfi
string
strip
student
stuttgar
stuttgart
subscrib
subway
success
suckmydi
sucks
summer
sunday
super
superman
superson
supersta
superstage
superuse
superuser
supervis
support
supporte
supported
surfer
surfing
susan
susanne
susie
suzanne
suzie
swearer
sweat
switch
sword
sybase
sybil
symmetry
sysadmin
sysop
SYSTEM
tabasco
tamara
tamie
tammy
tangerin
tangerine
tango
target
tarragon
taylor
teacher
teapot
tears
teenage
telephon
telephone
telnet
temp123
temptati
temptation
tennis
terminal
terminat
test123
tester
testin
testing
tetris
thailand
theresa
thursday
tiffany
tiger
toggle
token
tokenrin
tomato
topograp
topography
tortoise
toxic
toyota
traci
tracie
tracy
trails
transfer
trapdoor
trisha
trivial
trojan
trombone
truth
tubas
tuesday
tuttle
umesh
uncle
unhappy
unicorn
uniform
universa
universe
universi
unknown
unlock
upload
uranus
urchin
ursula
usenet
usermane
username
utility
uwontguessme
vagina
valerie
vampire
vasant
venus
veronica
vertigo
vicky
victor
video
videogam
village
virgin
virginia
virus
visitor
visual
visualba
vodka
warez
warfare
wargames
warren
watchwor
water
webpage
wednesda
weenie
wendi
wendy
werewolf
western
wh0r3
wh0re
whatever
whatnot
whisky
white
whiting
whitney
wholesal
wholesale
whore
wileecoyote
william
williams
williamsburg
willie
wilma
windose
windows
windows2k
windows95
windows98
windowsME
WindowsXP
windowz
windoze
windoze2k
windoze95
windoze98
windozeME
windozexp
winston
wired
wisconsi
wisconsin
wiseass
within
wizard
wolverin
woman
wombat
women
woodwind
wordperf
wormwood
WRITE
wwwadmin
wyoming
xmodem
xyzzy
yankee
yellow
yellowst
yellowstone
yolanda
yosemite
young
youwontguessme
zebra
zeitgeis
ziggy
zimmerma
zimmerman
zmodem
zombie

Actuando como Backdoor usa un puerto TCP aleatorio disponible y se conecta a un canal del IRC (Internet Chat Relay) desde el cual recibirá instrucciones, pudiendo ejecutar las siguientes acciones:

Descargar y ejecutar archivos con códigos arbitrarios
Ejecutar comandos remotos ocultos
Agregar o borrar recursos compartidos
Saturar el cache del DNS
Capturar y enviar una información completa del sistema y de la red
Capturar el Login (ingreso) y contraseña del sistema
Ejecutar un ataque DoS por los métodos PING, SYN y ICMP.
Removerse a sí mismo
Rastrear puertos

Los parches para las vulnerabilidades mencionadas pueden ser descragados desde:

PER ANTIVIRUS® versión 10.1 con registro de virus al 07 de Mayo del 2007 detecta y elimina eficientemente este gusano/backdoor.