
mindjail.txt

Posted Jul 6, 2003
Authored by sloth | Site nopninjas.com

Quick analysis of the Mindjail worm being distributed by the trojan sdbot 0.5b.

tags | worm, trojan
SHA-256 | 26ebc9f01fd758864df70c938ca2efe7b474be66d6b56fa845180199b9dcda51

mindjail worm / sdbot 0.5b quick analysis by sloth <sloth@nopninjas.com>
July 1st, 2003

The Mindjail worm seems to be based on the trojan sdbot 0.5b. It gives
the controller the ability to execute files, download and execute files
over the internet, and issue some DoS commands. The Mindjail version was
modified to act more like a worm. It has the capability to join channels
and spam a self-hosted URL where the trojan can be downloaded.

http://www.ryan1918.com/sd/sdbot

Here is the configuration of the mindjail version that I was able to get
from memory after unpacking it. This is based on the declarations in the
sdbot source and may not correspond 100% with their descriptions. Some
of the sensitive data has been encrypted and encoded with base64.

botid: worm_s1
password: $1$e7HG.z0p$YY6hJEw3qG/5rkIM6PHWg0
logins: 5?
server: gHXo0O6Re6Pt1xydD3z6I5flkY8=
port: 6667
channel: rJ6SZ1rwWGgX6a/uPaF6kQ==
chanpass: qFPy5berEF94KThCBvi8Qw==
server2: WWF44BEoiWLJgbVOdnRrmQ==
channel2: NULL
topiccmd: True? (set to TRUE to enable topic commands)
rndfile: False? (use random file name)
filename: hpsched.exe (destination file name)
registry: True (use the Run registry key for autostart)
regserv: True? (use the RunServices registry key)
regvalue: hpsched (name in registry)
version: "mIRC v5.91 K.Mardam-Bey" (irc version reply)
cryptkey: "\x10"

When the spam feature is enabled it will join channels and message the users
with something similar to the following:

??? omqcwmtsd [~pdwcwmtsd@211.202.86.227] has joined #somewhere-efnet
??? omqcwmtsd [~pdwcwmtsd@211.202.86.227] has left #somewhere-efnet

[omqcwmtsd(~pdwcwmtsd@211.202.86.227)] The thought police are coming,
they will lock you into your brain muzzle and put you into
mindjail http://211.202.86.227:3030/mindjail.zip


char * decryptstr(char *str, int strlen) {
    if (cryptkey != 0)
        for (BYTE i = 0; i < strlen; i++)
            str[i] = str[i] ^ ( cryptkey + (i * (cryptkey % 10) + 1));
    return str;
}

The bot on the website doesn't come with a fully working encryption
scheme or IRC spam/worm features. The above function was included
in the source but never used in sdbot. Mindjail seems to use a
different method for encoding the sensitive data.
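
An added example (not from sdbot, Mindjail or the original analysis): a
standalone C version of the decryptstr XOR above, for checking whether a
string recovered from a sample was obfuscated with the stock routine. The
function names and the sample hostname are constructed for illustration,
and the key is assumed to be an unsigned byte.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Keystream byte for position i, as computed by the decryptstr quoted above.
 * The cast mirrors the truncation when the int result is stored in a char.
 * Assumption: the key is treated as an unsigned byte. */
unsigned char sdbot_keystream(unsigned char key, size_t i)
{
    return (unsigned char)(key + (i * (key % 10u) + 1u));
}

/* XOR buf in place; the same call obfuscates and recovers the data.
 * Returns 0 on success, -1 if len > 255: the original counts with a BYTE,
 * so its loop cannot terminate on a longer buffer. key == 0 is a no-op,
 * as in the original. */
int sdbot_xor(unsigned char *buf, size_t len, unsigned char key)
{
    if (len > 255)
        return -1;
    if (key != 0)
        for (size_t i = 0; i < len; i++)
            buf[i] ^= sdbot_keystream(key, i);
    return 0;
}

/* Triage check: 1 if buf is non-empty and entirely printable ASCII. */
int all_printable(const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (buf[i] < 0x20 || buf[i] > 0x7e)
            return 0;
    return len > 0;
}

int main(void)
{
    /* Constructed sample value, not taken from the Mindjail configuration. */
    unsigned char buf[] = "irc.example.net";
    size_t len = strlen((char *)buf);

    sdbot_xor(buf, len, 0x10);              /* obfuscate with key "\x10" */
    for (size_t i = 0; i < len; i++)
        printf("%02x", buf[i]);
    printf("  printable=%d\n", all_printable(buf, len));

    sdbot_xor(buf, len, 0x10);              /* second pass restores it */
    printf("%s  printable=%d\n", buf, all_printable(buf, len));
    return 0;
}
```

A recovered blob that becomes printable under this routine is a candidate
for the stock sdbot obfuscation; the analysis above reports that Mindjail's
base64 values appear to be encoded by a different method.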
