Win32/Sddrop [Threat Name]

Win32/Sddrop.B [Threat Variant Name]

Category worm
Size 26000 B
Detection created Apr 28, 2003
Detection database version 1400
Aliases P2P-Worm.Win32.SdDrop.e (Kaspersky)
  Worm:Win32/Sddrop.E (Microsoft)
  W32/Sddrop.worm.virus (McAfee)
  W32.Kwbot.F.Worm (Symantec)
Short description

Win32/Sddrop.B is a worm that spreads via P2P networks. The worm contains a backdoor and can be controlled remotely. The file is run-time compressed using ASPack.

Installation

When executed, the worm creates the following files:

  • %system%\ms_32.exe (26000 B)
  • %system%\ms_bak.tmp.exe (14752 B)
  • %system%\RunDll16.exe (14752 B)

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "RDLL" = "RunDll16.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
    • "RDLL" = "RunDll16.exe"

Spreading via P2P networks

Win32/Sddrop.B is a worm that spreads via P2P networks.

The worm creates copies of itself in folders accessed by the following applications:

  • Kazaa
  • iMesh

The worm may create the following files in the %windows%\wTemp32 folder:

  • ad-aware 6.exe
  • american flag screensaver.exe
  • anno 1503_crack.exe
  • aol_instant_messenger.exe
  • avipreview.exe
  • battlefield1942_keygen.exe
  • bf1942 crack (new).exe
  • boost xp.exe
  • c&c g patch (new).exe
  • c&c generals crack 3.0.exe
  • c&c renegade_crack.exe
  • cursor xp.exe
  • daemon tools.exe
  • diablo 2 crack.exe
  • diet kazaa.exe
  • directx_9.exe
  • divx bundle +xvid.exe
  • divx_bundle_package_crack.exe
  • download accelerator plus 6.0.exe
  • dvd ripplus 2.3.exe
  • etrust_ez_anti-virus.exe
  • free ram xp pro.exe
  • getright 3.4.exe
  • global divx player.exe
  • global divx player 3.0.exe
  • gothic 2 licence.exe
  • gotomypc.exe
  • grokster.exe
  • gta3 no cd crack.exe
  • icq hacks.exe
  • icq lite.exe
  • icq pro 2003a beta.exe
  • imesh.exe
  • imesh 3.6.exe
  • imesh 3.7b (beta).exe
  • iparmor.exe
  • k-lite codec_pack 5.0.exe
  • kazaa 2 ++.exe
  • kazaa hack 2.5.0.exe
  • kazaa hack v2.1.exe
  • kazaa lite (new).exe
  • kazaa lite 1.7.2.exe
  • kazaa lite_privacy_tool.exe
  • kazaa preview extractor.exe
  • kazoom mp3 kazaa accelerator.exe
  • l0pht crack.exe
  • microsoft internet explorer sp1.exe
  • microsoft_products_crack.exe
  • morpheus.exe
  • msn_messenger 5.0.exe
  • nav_2003 crack.exe
  • nero burning rom 6.7.8.1.exe
  • nero burning rom_keygen.exe
  • net pumper.exe
  • never winter nights 4.3 crack.exe
  • nimo codec pack.exe
  • pop-up stopper.exe
  • pornpasswords.exe
  • privacy defender.exe
  • ptrack fasttrack manager 4.5.exe
  • quicktime.exe
  • quicktime_pro_crack.exe
  • ram booster.exe
  • reg scrub_xp.exe
  • serials_2003.exe
  • sof2 crack.exe
  • spam alarm.exe
  • spybot-search & destroy.exe
  • swish.exe
  • trillian pro with crack.exe
  • virtua girls.exe
  • winamp 3.8.exe
  • windows media player 9.5b.exe
  • windows_2000_keygen.exe
  • windows_xp_activation_crack.exe
  • windows_xp_keygen.exe
  • winmx.exe
  • winrar 3.5b.exe
  • winrar_crack.exe
  • winzip_crack.exe
  • ws_ftp_le.exe
  • xbox emulator.exe
  • xvid crack.exe
  • yahoo messenger.exe
  • zonealarmpro_crack.exe

The worm may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\iMesh\Client\LocalContent]
    • "Dir%number%" = "012345:C:\WINDOWS\wTemp32"
  • [HKEY_CURRENT_USER\Software\iMesh\Client\Transfer]
    • "UploadBandwidth" = 0
    • "ConcurrentUploads" = 5
  • [HKEY_CURRENT_USER\Software\Kazaa\LocalContent]
    • "Dir%number%" = "012345:C:\WINDOWS\wTemp32"
    • "DisableSharing" = 0
  • [HKEY_CURRENT_USER\Software\Kazaa\Transfer]
    • "NoUploadLimitWhenIdle" = 1
    • "ConcurrentUploads" = 5
    • "UploadBandwidth" = 0

A string with variable content is used in place of %number%.
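As an added example (not part of the ESET description or the worm's own code), the following Python triage script checks an exported registry hive and a %system% directory listing for the artifacts listed under Installation and in the Kazaa/iMesh registry entries above. The .reg text and the file list are constructed sample input; the key paths, value names and file names come from this description.

```python
# Indicators from the Win32/Sddrop.B description above (keys lowercased: the registry is case-insensitive).
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
P2P_CONTENT_KEYS = {
    r"hkey_current_user\software\imesh\client\localcontent",
    r"hkey_current_user\software\kazaa\localcontent",
}
DROPPED_NAMES = {"ms_32.exe", "ms_bak.tmp.exe", "rundll16.exe"}

def parse_reg_export(text):
    """Parse a regedit .reg export into {key: {value_name: data}}."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            data = data.strip()
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")  # undo .reg backslash escaping
            keys[current][name.strip('"')] = data
    return keys

def find_sddrop_indicators(reg_text, system_dir_listing):
    """Return findings matching the worm's autorun, P2P share and dropped-file artifacts."""
    findings, reg = [], parse_reg_export(reg_text)
    for key in RUN_KEYS:
        for name, data in reg.get(key, {}).items():
            if name.lower() == "rdll" and "rundll16.exe" in data.lower():
                findings.append(f"autorun {name}={data} in {key}")
    for key in P2P_CONTENT_KEYS:
        for name, data in reg.get(key, {}).items():
            if name.lower().startswith("dir") and "wtemp32" in data.lower():
                findings.append(f"shared folder {data} in {key}")
    for fname in system_dir_listing:
        if fname.lower() in DROPPED_NAMES:
            findings.append(f"dropped file {fname} in %system%")
    return findings

# Constructed sample input (not from a real machine): a partial .reg export plus a %system% listing.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RDLL"="RunDll16.exe"
[HKEY_CURRENT_USER\Software\Kazaa\LocalContent]
"Dir0"="012345:C:\\WINDOWS\\wTemp32"
'''
SAMPLE_SYSTEM_DIR = ["kernel32.dll", "ms_32.exe", "RunDll16.exe"]
```

Run `find_sddrop_indicators(SAMPLE_REG, SAMPLE_SYSTEM_DIR)` to list the matches; an empty list means none of the described artifacts were found.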

Other information

The worm acquires data and commands from a remote computer or the Internet. It can be controlled remotely.

The worm connects to the following addresses:

  • xhum.ath.cx

The IRC protocol is used.

It can execute the following operations:

  • perform DoS/DDoS attacks
  • download files from a remote computer and/or the Internet
  • run executable files
  • spread via shared folders and P2P networks
  • perform port scanning
  • stop itself for a certain time period
  • redirect network traffic
  • collect information about the operating system used
  • remove itself from the infected computer
  • update itself to a newer version

The worm collects the following information:

  • computer name
  • user name
  • operating system version

The worm can send the information to a remote machine.
