Method of Infection
When executed, Seenbot.O copies itself to %System%\Anti.exe and drops a driver as %System%\system32\msdirectx.sys. It may also create a second copy of the driver in <root drive>\Documents and Settings\<username>\msdirectx.sys.
Note: This driver is detected as Win32.Efewe.B. Please see elsewhere in our encyclopedia for an analysis of Efewe.B.
Seenbot.O sets the following registry values:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Virus = "Anti.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Virus = "Anti.exe"
HKLM\Software\Microsoft\OLE\Virus = "Anti.exe"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Virus = "Anti.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Virus = "Anti.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\Virus = "Anti.exe"
HKCU\Software\Microsoft\OLE\Virus = "Anti.exe"
HKCU\SYSTEM\CurrentControlSet\Control\Lsa\Virus = "Anti.exe"
Seenbot.O creates a thread that re-creates these registry values if the user alters or removes them.
Seenbot.O also creates the mutex "SDNB1.4beta" to avoid running multiple copies of itself.
Method of Distribution
Seenbot.O is able to spread in a number of different ways. Propagation is launched manually through backdoor control (see Payload - Backdoor Functionality below for further detail).
Each spreading method begins with scanning for target machines. The worm can generate random values for all or part of each IP address it targets. Each attack vector is associated with a particular TCP port.
Via Network Shares (TCP ports 139 and 445)
Seenbot.O can infect remote machines through Windows file sharing. It tries to connect to the Windows share:
\\<target>\ipc$
Where <target> is the name of the machine it is trying to infect.
If this connection is not successful, it gives up on this machine. If the connection succeeds, it then attempts to retrieve a list of user names on the target, then tries each of these user names combined with the passwords listed below to gain access to the target system. If it cannot retrieve the list of user names, it uses the entries of its built-in password list, shown below, as user names as well.
(null)
administrator
administrador
administrateur
administrat
admins
admin
adm
password1
password
passwd
pass1234
pass
pwd
007
123
1234
12345
123456
1234567
12345678
123456789
1234567890
2000
2001
2002
2003
2004
test
guest
none
demo
unix
linux
changeme
default
system
server
root
null
qwerty
mail
outlook
web
www
internet
accounts
accounting
home
homeuser
user
oem
oemuser
oeminstall
windows
win98
win2k
winxp
winnt
win2000
qaz
asd
zxc
qwe
bob
jen
joe
fred
bill
mike
john
peter
luke
sam
sue
susan
peter
brian
lee
neil
ian
chris
eric
george
kate
bob
katie
mary
login
loginpass
technical
backup
exchange
fuck
bitch
slut
sex
god
hell
hello
domain
domainpass
domainpassword
database
access
dbpass
dbpassword
databasepass
data
databasepassword
db1
db2
db1234
sql
sqlpassoainstall
orainstall
oracle
ibm
cisco
dell
compaq
siemens
nokia
control
office
blank
winpass
main
lan
internet
intranet
student
teacher
staff
Assuming the worm can authenticate to the target machine, it then tries to copy itself to these locations:
\\<target>\Admin$\system32
\\<target>\c$\winnt\system32
\\<target>\c$\windows\system32
\\<target>\c
\\<target>\d
It then schedules a remote job to run the worm copy on the target machine.
Via Exploits
Seenbot.O can also spread by exploiting vulnerabilities in Windows operating systems and third party applications. If it successfully exploits one of these, it executes a small amount of code on the target machine, which instructs the target to connect back to the source in order to retrieve the complete worm executable. These connections back to the source use either the TFTP or FTP protocol; the worm acts as an FTP or TFTP server to deliver itself. The ports used for these servers are configurable.
This is a list of vulnerabilities that Seenbot.O may exploit:
- Microsoft Windows LSASS buffer overflow vulnerability (TCP port 445)
http://www3.ca.com/threatinfo/vulninfo/vuln.aspx?id=27886
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
- Microsoft Windows RPC malformed message buffer overflow vulnerability (TCP ports 135, 445, 1025)
http://www3.ca.com/threatinfo/vulninfo/vuln.aspx?ID=25454
http://www.microsoft.com/technet/security/bulletin/MS03-039.mspx (supersedes original bulletin MS03-026)
- Microsoft Windows RPCSS malformed DCOM message buffer overflow vulnerabilities (TCP port 135)
http://www3.ca.com/threatinfo/vulninfo/vuln.aspx?ID=25975
http://www.microsoft.com/technet/security/bulletin/MS03-039.mspx
- Exploits weak passwords on MS SQL servers, including the Microsoft SQL Server Desktop Engine blank 'sa' password vulnerability (TCP port 1433)
http://www3.ca.com/threatinfo/vulninfo/vuln.aspx?ID=5705
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q321081
Note: The worm tries the same password list as that used for spreading through shares, including a blank password. The SQL server accounts it attempts to log in to are "sa", "root" and "admin".
Via Previous System Compromise
Seenbot.O can also infect remote systems through backdoors created by other malware:
Win32.Sasser FTP vulnerability (activity on port 5556)
Payload
Modifies System Settings
Seenbot appears to secure the machine from being further compromised by competing malware by making a number of modifications to the affected system:
- Disables DCOM (used to enable network communication) by modifying the registry:
HKLM\Software\Microsoft\OLE\EnableDCOM = 0x0
- Restricts access to the IPC$ share by setting the following value:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = 0x1
- Disables the SharedAccess, wuauserv and wscsvc services by setting their start type to 0x4 (disabled):
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 0x4
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Start = 0x4
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc\Start = 0x4
Seenbot then deletes all network shares on the machine, depending on the access privileges available to the current user.
Seenbot then adds the following shares for its own access:
IPC$
C$ (C:\)
D$ (D:\)
as well as shares for any logical fixed drives on the current system.
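As an added defender-side check, not part of this analysis or the worm's own code: the following Python parses a `reg export`-style dump and reports which of the registry indicators described under Method of Infection (the "Virus" = "Anti.exe" values) and Modifies System Settings (EnableDCOM, restrictanonymous and the three service Start values) are present. The sample export embedded in it is constructed for illustration.

```python
import re

HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}
# "Method of Infection": Virus = "Anti.exe" under each of these paths in both HKLM and HKCU.
PERSIST_PATHS = [r"Software\Microsoft\Windows\CurrentVersion\Run",
                 r"Software\Microsoft\Windows\CurrentVersion\RunServices",
                 r"Software\Microsoft\OLE", r"SYSTEM\CurrentControlSet\Control\Lsa"]
# "Modifies System Settings": DCOM off, anonymous access restricted, services disabled (Start=4).
INDICATORS = [(h + "\\" + p, "Virus", "Anti.exe") for h in ("HKLM", "HKCU") for p in PERSIST_PATHS] + [
    (r"HKLM\Software\Microsoft\OLE", "EnableDCOM", 0),
    (r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa", "restrictanonymous", 1),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess", "Start", 4),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\wuauserv", "Start", 4),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\wscsvc", "Start", 4)]
VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')

def parse_reg(text):
    """Map (key, value name), both lower-cased, to its value; hives shortened to HKLM/HKCU."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):           # new key section
            hive, _, rest = line[1:-1].partition("\\")
            key = HIVES.get(hive, hive) + "\\" + rest
        elif key is not None and (m := VALUE_RE.match(line)):     # "name"="str" or dword value
            name, text_val, dword = m.groups()
            values[(key.lower(), name.lower())] = text_val if dword is None else int(dword, 16)
    return values

def find_indicators(text):
    """Return the INDICATORS triples whose key, name and value are all present in the export."""
    values = parse_reg(text)
    return [(k, n, v) for k, n, v in INDICATORS if values.get((k.lower(), n.lower())) == v]

# Constructed sample export (not a real capture): Seenbot.O values beside one benign Run entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Virus"="Anti.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\OLE]
"Virus"="Anti.exe"
"EnableDCOM"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000004
"""
```

A lone hit such as restrictanonymous = 1 is also a legitimate hardening setting, so treat the "Virus" persistence values as the primary indicator and the settings changes as corroboration.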
Backdoor Functionality (Port: 6667)
Seenbot opens a backdoor that allows unauthorized access to, and control of, an affected machine. It connects to an IRC channel via port 6667 on the domain dns.owns-the.us. Using this backdoor, its controller can perform the following actions on the machine:
- Update Seenbot
- Download files
- Execute files
- Redirect ports
- Monitor a user's mIRC conversations
- Get system information
- Get network information
- Remove Seenbot.O
- Retrieve worm status logs
- List running port scan threads
- Start/stop scans on random or sequential IP ranges to initiate spreading
Analysis by Paul Taylor