
Virus Detail

Win32.Sndc.A

Date Published: 3 Aug 2004

Last Updated: 6 Aug 2004

Threat Assessment

Overall Risk:   Low
Wild:  Low
Destructiveness:  Medium
Pervasiveness:  Medium

Characteristics

Type : Worm

Category : Win32

Also known as:  W32.IRCBot (Symantec), Worm.P2P.Krepper.c (Kaspersky), Win32/P2P.Sndc.Worm, W32/Pcbot.A@p2p (F-Secure), W32/Sndc.worm!p2p (McAfee)

Immediate Protection Info

Signature     Product
23.66.03      eTrust Antivirus v7/8* (InoculateIT Engine)
11.x/8492     eTrust Antivirus v7/8* (Vet Engine)
6.1x/5640     eTrust EZ Antivirus 6.1x
6.2x/8492     eTrust EZ Antivirus 6.2x
10.5x/5640    Vet Anti-Virus 10.5x
10.6x/8492    Vet Anti-Virus 10.6x

Description

Win32.Sndc.A is a worm that spreads via Peer-to-Peer file sharing networks. It also contains backdoor functionality that allows unauthorized access to an affected machine.


Method of Infection

When executed, Sndc.A copies itself to %System%\sndcfg16.exe and modifies the registry to ensure that this copy is executed at each Windows start:


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinProfile = sndcfg16.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\WinProfile = sndcfg16.exe


Note: '%System%' is a variable location. The worm determines the location of the current System folder by querying the operating system. The default installation location of the System directory is C:\Winnt\System32 for Windows 2000 and NT; C:\Windows\System for 95, 98 and ME; and C:\Windows\System32 for XP.


After copying itself, it may also drop a batch file to %Temp%\<random name>.bat, which deletes the originally executed file.



Method of Distribution

Via P2P File Sharing

The worm creates two registry values:


HKLM\SOFTWARE\KAZAA\CloudLoad\ShareDir = %Windows%\Handles
HKLM\SOFTWARE\Kazaa\LocalContent\Dir = 012345:%Windows%\Handles


These values set the Kazaa shared directory to the above-mentioned paths. The worm then obtains other shared folders, if they exist:


  • The Altnet shared folder via HKLM\SOFTWARE\Altnet\SharedFilesDir.
  • The Morpheus shared folder by sampling HKLM\SOFTWARE\Morpheus\Install_Dir and changing to the sub-folder 'My Shared Folder' contained within.
  • The iMesh shared folder via HKLM\SOFTWARE\iMesh\Client\DownloadsLocation

It then checks if the "\Program Files\eDonkey2000\incoming" folder exists.


Win32.Sndc.A then creates the directory %Windows%\Handles\ and copies itself to that directory. It also copies itself to all of the above-mentioned directories and to the following directories (if they exist):


\Program Files\LimeWire\Shared
\Program Files\eDonkey2000\incoming


The worm uses the following names to copy itself to the shared folders:


Ad-aware Pro Crack.exe
Adobe Acrobat Reader crack.exe
Adobe Golive v6.0 Keygen.exe
Adobe Illustrator v10.0 Time Limit Crack.exe
Adobe ImageReady v1.0 crack.exe
Adobe PageMaker v7.0 Keygen.exe
Adobe Photoshop 7 keygen.exe
Adobe Photoshop all.exe
Adobe Serial Generator v2.0.exe
Age of Empires II The Age of Kings NO CD crack.exe
Age Of Mythology -  The Titans no cd crack.exe
Age Of Mythology no cd crack.exe
Alias Acclaim crack.exe
All Macromedia Products Keygen.exe
Anti-Trojan 4.0.exe
Avant Browser.exe
Backyard Baseball 2003  no cd crack.exe
Backyard Wrestling 2 - There Goes the Neighborhood Eidos Interactive crack.exe
Battlefield 1942  no cd crack.exe
Battlefield Vietnam EA Games crack.exe
Battlefield Vietnam Multiplayer Online Crack.exe
Besieger Strategy DreamCatcher Interactive crack.exe
Blinx 2 - Masters of Time & Space Microsoft crack.exe
Blitzkrieg - Burning Horizon Strategy CDV Software GmbH crack.exe
Call of Duty Activision crack.exe
Call Of Duty no cd crack.exe
City of Heroes Role-Playing NCsoft crack.exe
Civilization III crack.exe
Classic NES Series - The Legend of Zelda GBA Role-Playing Nintendo crack.exe
CloneDVD v1.x crack.exe
Command & Conquer -  Generals no cd crack.exe
Command & Conquer -  Generals Zero Hour no cd crack.exe
Command & Conquer - Generals Zero Hour Strategy EA Games crack.exe
Counter-Strike Condition Zero Keygen.exe
Credit card generator.exe
Crusader Kings Strategy Paradox Entertainment crack.exe
Cubase Audio XT 3.X crack.exe
Dark Age Of Camelot -  Trials Of Atlantis no cd crack.exe
Dark Matter - The Baryon Proj crack.exe
Deus Ex Invisible War NO CD Crack.exe
Diablo 2 no cd crack.exe
Diablo 2 NO CD crack.exe
DivX Player and Codec.exe
Doom 3 Activision crack.exe
Doom 3 NO CD Crack.exe
Download Accelerator Plus (spyware free).exe
Dragon Ball Z - Budokai 3 Atari crack.exe
Dragon Ball Z - Supersonic Warriors GBA Atari crack.exe
Dragon Warrior VIII Role-Playing Square Enix crack.exe
DRIV3R Atari crack.exe
Dungeon Lords Role-Playing DreamCatcher Interactive crack.exe
Dungeon Siege no cd crack.exe
Enter the Matrix Atari crack.exe
ESPN NFL 2K5 Sega crack.exe
F.E.A.R. VU Games crack.exe
Fable Role-Playing Microsoft crack.exe
Far Cry Ubisoft crack.exe
Final Fantasy VII - Advent Children PSP Role-Playing Square Enix crack.exe
Final Fantasy XI - Square Enix USA no cd crack.exe
Final Fantasy XII Role-Playing Square Enix crack.exe
Fire Emblem - Seima no Kouseki GBA Role-Playing Nintendo crack.exe
FlashFXP 2 RC2 Crack.exe
FlashFXP v1.4.1 Crack.exe
FlashFXP v1.4.3 Crack.exe
FlashFXP v2.0 Crack.exe
FlashFXP v2.1 crack.exe
FlashFXP v2.2 crack.exe
FlashGet.exe
Forgotten Realms - Demon Stone Atari crack.exe
Forgotten Realms - Demon Stone crack.exe
Freedom Force no cd crack.exe
Front Mission 4 Strategy Square Enix crack.exe
Full Spectrum Warrior Strategy THQ crack.exe
Geist GC Nintendo crack.exe
Goblin Commander - Unleash the Horde Strategy Jaleco Entertainment crack.exe
Gran Turismo 4 SCEA crack.exe
Grand Theft Auto - San Andreas Rockstar Games crack.exe
Grand Theft Auto 3 no cd crack.exe
Grand Theft Auto III no cd crack.exe
Grand Theft Auto San Andreas NO CD crack.exe
Grand Theft Auto Vice City NO CD crack.exe
GTA crack.exe
Half-Life 2 Keygen.exe
Half-Life 2 NO CD Crack.exe
Half-Life 2 VU Games crack.exe
Halo -  Combat Evolved - Microsoft no cd crack.exe
Halo 2 crack.exe
Harry Potter & The Sorcerers Stone  no cd crack.exe
Harry Potter and the Prisoner of Azkaban Adventure EA Games crack.exe
Harry Potter and the Sorcerers Stone no cd crack.exe
Heroes of Might & Magic IV no cd crack.exe
Hidden & Dangerous 2 NO CD Crack.exe
Icewind Dale 2  no cd crack.exe
ICQ 4.exe
ICQ Pro 2003b.exe
iMesh patch.exe
Jedi Academy NO CD Crack.exe
Joint Operations - Typhoon Rising NovaLogic crack.exe
Juiced Acclaim crack.exe
Kingdom Hearts II Role-Playing Square Enix crack.exe
Knights Apprentice Memoricks Adventures Games crack.exe
LimeWire server scanner.exe
Macromedia ColdFusion MX crack.exe
Macromedia Contribute v2.0 crack.exe
Macromedia Director 8 Crack.exe
Macromedia Dreamweaver 4.0 Patch.exe
Macromedia Dreamweaver MX v6.0 crack.exe
Macromedia Dreamweaver UltraDev 4.0 Patch.exe
Macromedia Fireworks 4.0 Patch.exe
Macromedia Flash All Versions keygen.exe
Macromedia Flash MX v6.0 crack.exe
Macromedia Flash SWF-Unprotect v2.0.exe
Macromedia FreeHand v10 Loader.exe
Madden NFL 2003  no cd crack.exe
Madden NFL 2005 EA crack.exe
Mafia  no cd crack.exe
Malice Mud Duck Productions crack.exe
Mario Pinball Land GBA Puzzle Nintendo crack.exe
Mario Tennis GC Nintendo crack.exe
Matrix Screensaver.exe
Max Payne 2 Fall Of Max Payne no cd crack.exe
Max Payne 2 NO CD Crack.exe
Max Payne 2 The Fall of Max Payne NO CD crack.exe
MaxPayne 2 The Fall Of Max Payne Crack.exe
McFarlanes Evil Prophecy Konami crack.exe
Medal Of Honor -  Allied Assault  no cd crack.exe
Medal Of Honor -  Allied Assault BreakThrough no cd crack.exe
Medal Of Honor - Allied Assault no cd crack.exe
Medal of Honor Pacific Assault EA Games crack.exe
Medal of Honor- Allied Assault no cd crack.exe
Medieval -  Total War  no cd crack.exe
Mega Man Anniversary Collection GC Capcom crack.exe
Metal Gear Acid PSP Strategy Konami crack.exe
Metal Gear Solid 3 - Snake Eater Konami crack.exe
Microsoft Flight Simulator 2004 -  A Century Of Flight no cd crack.exe
Microsoft Office 2000 Regmaker.exe
Microsoft Office XP Activation Crack.exe
Microsoft Office XP Activation Killer.exe
Microsoft Office XP Professional Crack.exe
Microsoft Office XP Professional Serial.exe
Microsoft Office XP Universal Activator v1.0.exe
Midnight Club 3 - DUB Edition Rockstar Games crack.exe
mirc 6.1x reg entries.exe
mIRC 6.X crack.exe
Morpheus patch.exe
MS Office XP Activation Crack.exe
MS Zoo Tycoon  no cd crack.exe
MSN advert remover.exe
MSN Toolbar advert remover.exe
MVP Baseball 2004 EA crack.exe
NBA Live 2003 crack.exe
NBA Live 2004 crack.exe
NCAA Football 2005 EA crack.exe
Need For Speed 5 - no cd.exe
Need for Speed Hot Pursuit 2 CD KeyGenerator.exe
Need for speed underground - nocd.exe
Need for Speed Underground 2 crack.exe
Need for Speed Underground 2 Electronic Arts crack.exe
Need for Speed Underground 2 NO CD crack.exe
Need for Speed Underground NO CD crack.exe
Need for Speed4 - NOCD.exe
NeedforspeedUnderground-nocd.exe
Nero Burning ROM v6.x crack.exe
Ninja Gaiden Tecmo crack.exe
Norton AntiVirus 2004 crack.exe
Onimusha 3 - Demon Siege Adventure Capcom crack.exe
Psi-Ops - The Mindgate Conspiracy Midway crack.exe
Purge Jihad Freeform Interactive LLC crack.exe
RealPlayer crack (keygen).exe
Red Dead Revolver Rockstar Games crack.exe
Resident Evil 4 GC Adventure Capcom crack.exe
Rise of Nations - Thrones & Patriots Strategy Microsoft crack.exe
RoboForm crack.exe
Roller Coaster Tycoon  no cd crack.exe
RYL crack.exe
Second Life Role-Playing Linden Lab crack.exe
Shadow Ops - Red Mercury Atari crack.exe
ShellShock - Nam 67 Eidos Interactive crack.exe
Silent Storm - Sentinels Strategy _No Company crack.exe
Sim City 4 -  Rush Hour no cd crack.exe
Sim City 4 Deluxe no cd crack.exe
Sim Theme Park World  no cd crack.exe
Singles - Flirt Up Your Life Strategy Eidos Interactive crack.exe
Snood crack.exe
Snowblind Eidos Interactive crack.exe
Soldier of Fortune II- Double Helix no cd crack.exe
SolSuite 2004 - Solitaire Card Games Suite crack.exe
Sonic the Hedgehog 3 crack.exe
Spider-Man 2 Activision crack.exe
Spider-Man 2 GC Activision crack.exe
Sponge Bob Square Pants -  Operation Krabby Patty  no cd crack.exe
Spybot Search and Destroy.exe
Star Wars -  Jedi Knight -  Jedi Academy no cd crack.exe
Star Wars - Knights of the Old Republic Role-Playing LucasArts crack.exe
Star Wars Galactic Battlegrounds- Clone Campaigns no cd crack.exe
Star Wars Jedi Knight II - Jedi Outcast no cd crack.exe
Star Wars Jedi Knight II- Jedi Outcast no cd crack.exe
Star Wars Knights of the Old Republic II - The Sith Lords Role-Playing LucasArts crack.exe
Starcraft - Battlechest no cd crack.exe
The Chronicles of Riddick - Escape From Butcher Bay VU Games crack.exe
The Elder Scrolls III - Morrowind Game of the Year Edition Role-Playing Bethesda Softworks   crack.exe
The Legend of Zelda (working title) GC Nintendo crack.exe
The Legend of Zelda - Four Swords Adventures GC Nintendo crack.exe
The Legend of Zelda - The Minish Cap GBA Nintendo crack.exe
The Lord of the Rings The Battle for Middle-earth Strategy EA Games crack.exe
The Lord of the Rings The Return of The King crack.exe
The Sims  no cd crack.exe
The Sims -  Hot Date Expansion Pack  no cd crack.exe
The Sims -  Makin Magic Expansion Pack no cd crack.exe
The Sims -  Superstar Expansion Pack no cd crack.exe
The Sims -  Unleashed Expansion Pack  no cd crack.exe
The Sims -  Vacation Expansion Pack  no cd crack.exe
The Sims - Hot Date Expansion Pack no cd crack.exe
The Sims - Vacation Expansion Pack no cd crack.exe
The Sims 2 crack.exe
The Sims Deluxe  no cd crack.exe
The Sims Deluxe no cd crack.exe
The Sims Double Deluxe no cd crack.exe
The Sims no cd crack.exe
The Sims- Vacation no cd crack.exe
The Suffering Encore Software Inc. crack.exe
The Suffering Midway crack.exe
Thief - Deadly Shadows Eidos Interactive crack.exe
Tiger Woods PGA Tour 2004 crack.exe
Tom Clancy's Splinter Cell Pandora Tomorrow crack.exe
Tom Clancys Ghost Recon - Desert Siege no cd crack.exe
Tom Clancys Splinter Cell Pandora Tomorrow Ubisoft crack.exe
Tom Clancys Splinter Cell Ubisoft crack.exe
Tony Hawks Underground crack.exe
Trillian crasher.exe
Unreal Tournament 2003  no cd crack.exe
Unreal Tournament 2004 Atari crack.exe
Unreal Tournament 2004 crack (keygen).exe
Unreal Tournament 2004 NO CD crack.exe
Vampire - The Masquerade - Bloodlines Role-Playing Activision crack.exe
VirtualLab Data Recovery crack.exe
Warcraft III -  Reign Of Chaos  no cd crack.exe
Warez P2P.exe
Webroot Spy Sweeper.exe
windows server 2003 crack.exe
Windows XP Activation Crack.exe
Windows XP home edition Activation.exe
Windows XP Professional crack.exe
WinRAR crack (keygen).exe
WinZip All Versions keygen.exe
Winzip keygen.exe
WinZip Self-Extractor v2.2 keygen.exe
WinZip Self-Extractor v2.2 Patch.exe
WinZip v8.0 Keygen.exe
WinZip v8.x - v9.x patch.exe
WinZIP v9.0 Keygen.exe
WinZip v9.0 Registration.exe
World of Warcraft Role-Playing Blizzard Entertainment crack.exe
Worms Armageddon NO CD crack.exe
WWE Day of Reckoning GC THQ crack.exe
WWE SmackDown! vs. Raw THQ crack.exe
XBOX X-Fer Ripper and Transfer.exe
Yoshinoya Success crack.exe
ZoneAlarm crack (keygen).exe
Zoo Tycoon -  Complete Collection no cd crack.exe
Zoo Tycoon no cd crack.exe
Zoo Tycoon- Dinosaur Digs no cd crack.exe


The worm also searches all logical drives on the system for directories with any of the names share, download, music or mp3. It copies itself to these directories using the names mentioned above.
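
Because the worm drops byte-identical copies of itself under many names, one executable hash appearing under several file names in a share-like folder is a useful triage signal. The following sketch is an added example, not part of the original advisory; the substring match on folder names, the `min_names` threshold and the constructed demo tree are assumptions.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Folder-name fragments taken from the advisory's list of targeted folders.
SHARE_HINTS = ("share", "download", "music", "mp3", "incoming", "handles")

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def find_cloned_executables(root, min_names=3):
    """Return {sha256: sorted file names} for .exe content that appears under
    at least `min_names` different names in share-like folders below root."""
    by_size = defaultdict(list)
    for folder, _dirs, files in os.walk(root):
        if not any(h in os.path.basename(folder).lower() for h in SHARE_HINTS):
            continue
        for name in files:
            if name.lower().endswith(".exe"):
                path = os.path.join(folder, name)
                by_size[os.path.getsize(path)].append(path)
    by_hash = defaultdict(set)
    for paths in by_size.values():
        if len(paths) < min_names:  # cheap pre-filter: clones share a size
            continue
        for path in paths:
            by_hash[sha256_file(path)].add(os.path.basename(path))
    return {d: sorted(n) for d, n in by_hash.items() if len(n) >= min_names}

def demo():
    """Constructed tree: one payload under three names plus one unrelated file."""
    with tempfile.TemporaryDirectory() as root:
        shared = os.path.join(root, "My Shared Folder")
        os.makedirs(shared)
        for name in ("GTA crack.exe", "Halo 2 crack.exe", "Winzip keygen.exe"):
            with open(os.path.join(shared, name), "wb") as fh:
                fh.write(b"MZ constructed sample, not malware")
        with open(os.path.join(shared, "setup.exe"), "wb") as fh:
            fh.write(b"MZ an unrelated constructed file!!")
        return find_cloned_executables(root)
```
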



Payload

Backdoor Functionality 

The worm has the ability to connect to an IRC channel on the m00p.org domain in order to receive the following commands:


  • Connect to a URL to download a file and execute it from %Windows%\ms<random letters>exe
  • Uninstall itself

Modifies System Settings

Win32.Sndc.A sets the following registry values to facilitate spreading:


 HKCU\Software\Kazaa\Advanced\SuperNode = 0
 HKCU\Software\Kazaa\LocalContent\DisableSharing = 0
 HKCU\Software\Kazaa\ResultsFilter\virus_filter = 0
 HKCU\Software\Kazaa\ResultsFilter\firewall_filter = 0
 HKCU\Software\Kazaa\Transfer\UploadBandwidth = 0
 HKCU\Software\Kazaa\LimitBitrate = 0
 HKCU\Software\Kazaa\Transfer\NoUploadLimitWhenIdle = 1
 HKCU\Software\Kazaa\Transfer\ConcurrentUploads
 HKCU\Software\Kazaa\Advanced\ScanFolder = 0
 HKCU\Software\Kazaa\DontShow\CloseToSystray = 1
 HKCU\Software\Kazaa\InstantMessaging\IgnoreAll = 1
 HKCU\Software\Kazaa\LocalContent\DisableListFiles = 1
 HKCU\Software\Kazaa\UserDetails\AutoConnected = 1
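
The registry values listed under Method of Infection, Method of Distribution and Payload can be checked offline against a `reg export` dump. This is an added example, not code from the advisory; it expects already-decoded export text, the sample export is constructed, and the function names are hypothetical.

```python
import re

# Indicators from this advisory: (key, value name, regex the data must match).
HKLM, HKCU = "hkey_local_machine", "hkey_current_user"
RUN = r"\software\microsoft\windows\currentversion"
INDICATORS = [
    (HKLM + RUN + r"\run", "winprofile", r"sndcfg16\.exe"),
    (HKLM + RUN + r"\runservices", "winprofile", r"sndcfg16\.exe"),
    (HKLM + r"\software\kazaa\cloudload", "sharedir", r".*\\handles\\?"),
    (HKLM + r"\software\kazaa\localcontent", "dir", r".*\\handles\\?"),
    (HKCU + r"\software\kazaa\resultsfilter", "virus_filter", r"0"),
]

def parse_reg(text):
    """Parse `reg export` text into {(key, value_name): data}, names lower-cased."""
    values, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := re.fullmatch(r'"(.+?)"=(.*)', line)):
            name, raw = m.group(1).lower(), m.group(2)
            if raw.startswith("dword:"):
                data = str(int(raw[6:], 16))        # dword:00000000 -> "0"
            else:
                data = raw.strip('"').replace("\\\\", "\\")  # unescape paths
            values[(key, name)] = data
    return values

def find_indicators(text):
    """Return the advisory's registry indicators that are present in the export."""
    values = parse_reg(text)
    return [f"{k}\\{n} = {values[k, n]}" for k, n, pat in INDICATORS
            if (k, n) in values and re.fullmatch(pat, values[k, n], re.I)]

# Constructed sample export (not captured from a real system).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinProfile"="sndcfg16.exe"
"Updater"="C:\\Program Files\\Vendor\\update.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\KAZAA\CloudLoad]
"ShareDir"="C:\\WINDOWS\\Handles"

[HKEY_CURRENT_USER\Software\Kazaa\ResultsFilter]
"virus_filter"=dword:00000000
'''
```
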



For additional information:

Our researchers have determined that the worm is unstable and prone to crashing.



The worm may also display a fake message as pictured below:




Analysis by Matthew McCormack

