Quick analysis of the Mindjail worm, a modified build of the trojan sdbot 0.5b.
26ebc9f01fd758864df70c938ca2efe7b474be66d6b56fa845180199b9dcda51
mindjail worm / sdbot 0.5b quick analysis by sloth <sloth@nopninjas.com>
July 1st, 2003
The Mindjail worm appears to be based on the trojan sdbot 0.5b. sdbot gives
the controller the ability to execute files, download and execute files from
the internet, and run a few DoS commands. The Mindjail build was modified
to behave more like a worm: it can join channels and spam a self-hosted URL
from which the trojan can be downloaded.
http://www.ryan1918.com/sd/sdbot
Here is the configuration of the Mindjail version that I was able to get
from memory after unpacking it. This is based on the declarations in the
sdbot source and may not correspond 100% to their descriptions. Some
of the sensitive data has been encrypted and encoded with base64.
botid: worm_s1
password: $1$e7HG.z0p$YY6hJEw3qG/5rkIM6PHWg0
logins: 5?
server: gHXo0O6Re6Pt1xydD3z6I5flkY8=
port: 6667
channel: rJ6SZ1rwWGgX6a/uPaF6kQ==
chanpass: qFPy5berEF94KThCBvi8Qw==
server2: WWF44BEoiWLJgbVOdnRrmQ==
channel2: NULL
topiccmd: True? (set to TRUE to enable topic commands)
rndfile: False? (use random file name)
filename: hpsched.exe (destination file name)
registry: True (use the Run registry key for autostart)
regserv: True? (use the RunServices registry key)
regvalue: hpsched (name in registry)
version: "mIRC v5.91 K.Mardam-Bey" (irc version reply)
cryptkey: "\x10"
When the spam feature is enabled, the bot joins channels and messages the
users with something similar to the following:
??? omqcwmtsd [~pdwcwmtsd@211.202.86.227] has joined #somewhere-efnet
??? omqcwmtsd [~pdwcwmtsd@211.202.86.227] has left #somewhere-efnet
[omqcwmtsd(~pdwcwmtsd@211.202.86.227)] The thought police are coming,
they will lock you into your brain muzzle and put you into
mindjail http://211.202.86.227:3030/mindjail.zip
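The join/part/message sequence above is a usable detection signature: a nick that advertises a URL hosted on its own connecting address, right after joining and leaving the channel, is behaving like a self-spreading bot rather than a person. The following Python script is an added example, not part of the original analysis or of sdbot. It parses the three log lines above (the wrapped message joined back into one line) together with two constructed benign lines, and flags messages whose URL host equals the sender's host. The regexes assume the exact line shapes shown in the excerpt, including the leading join/part marker, and the "hit_and_run" flag is a name chosen here.

```python
import re
from collections import defaultdict

# The three log lines from the analysis above (the wrapped message joined
# back into one line), plus two constructed benign lines for contrast.
SAMPLE_LOG = """\
??? omqcwmtsd [~pdwcwmtsd@211.202.86.227] has joined #somewhere-efnet
??? omqcwmtsd [~pdwcwmtsd@211.202.86.227] has left #somewhere-efnet
[omqcwmtsd(~pdwcwmtsd@211.202.86.227)] The thought police are coming, they will lock you into your brain muzzle and put you into mindjail http://211.202.86.227:3030/mindjail.zip
??? alice [~alice@198.51.100.7] has joined #somewhere-efnet
[alice(~alice@198.51.100.7)] has anyone read http://www.example.org/news ?
"""

# Line shapes assumed from the excerpt:
#   "<marker> nick [ident@host] has joined|left #chan"
#   "[nick(ident@host)] text"
JOINPART_RE = re.compile(
    r"^\S+ (?P<nick>\S+) \[(?P<ident>[^@\]]+)@(?P<host>[^\]]+)\] "
    r"has (?P<event>joined|left) (?P<chan>#\S+)")
MSG_RE = re.compile(
    r"^\[(?P<nick>[^(\]]+)\((?P<ident>[^@)]+)@(?P<host>[^)]+)\)\] (?P<text>.*)$")
URL_RE = re.compile(r"https?://(?P<urlhost>[^/:\s]+)(?::\d+)?\S*")


def find_self_hosted_links(log: str) -> list:
    """Flag messages that advertise a URL hosted on the sender's own
    connecting address, the pattern a self-spreading IRC bot produces.
    Also record whether the sender joined and left a channel first
    (the hit-and-run behaviour visible in the excerpt)."""
    joined, left = defaultdict(set), defaultdict(set)
    hits = []
    for line in log.splitlines():
        m = JOINPART_RE.match(line)
        if m:
            table = joined if m["event"] == "joined" else left
            table[m["nick"]].add(m["chan"])
            continue
        m = MSG_RE.match(line)
        if not m:
            continue
        for u in URL_RE.finditer(m["text"]):
            # Host in the URL equals the host the nick connected from.
            if u["urlhost"].lower() == m["host"].lower():
                hits.append({
                    "nick": m["nick"],
                    "host": m["host"],
                    "url": u.group(0),
                    "hit_and_run": bool(joined[m["nick"]] & left[m["nick"]]),
                })
    return hits


if __name__ == "__main__":
    for h in find_self_hosted_links(SAMPLE_LOG):
        print(f"{h['nick']}@{h['host']} pushed {h['url']} "
              f"(joined and left first: {h['hit_and_run']})")
```

On the sample, only the omqcwmtsd message is flagged; alice links to a third-party host and is left alone. A real deployment would also want to resolve hostnames in the URL before comparing, since the bot's own address may show up as a hostmask rather than a bare IP.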
typedef unsigned char BYTE;
BYTE cryptkey = 0x10;   /* global key; type and value assumed from the dumped config */

/* sdbot 0.5b string decryptor: byte i is XORed with cryptkey + i*(cryptkey%10) + 1,
 * truncated to a byte on store. XOR is its own inverse, so this also encrypts.
 * The BYTE loop counter wraps after 255 bytes, so longer strings loop forever. */
char * decryptstr(char *str, int strlen) {
    if (cryptkey != 0)
        for (BYTE i = 0; i < strlen; i++)
            str[i] = str[i] ^ ( cryptkey + (i * (cryptkey % 10) + 1));
    return str;
}
The sdbot build on the website doesn't come with a working encryption
scheme or with the IRC spam/worm features. The function above is included
in the sdbot source but is never called. Mindjail seems to use a
different method for encoding its sensitive data.
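The quickest way to confirm that the sdbot routine was not the one used is to run it over the base64 fields from the configuration dump and see whether anything printable comes out. The Python below is an added example, not code from the analysis or from sdbot: it ports decryptstr() byte for byte, takes the dumped cryptkey "\x10" as the integer 0x10 (an assumption about how sdbot stores it), and checks every field. It goes one step beyond the single dumped key by also trying all 256 one-byte keys, so the schedule itself, not just the key, is tested. With 0x10, every field decodes to 20 or 16 bytes and the first byte of each comes out non-printable.

```python
import base64

# Encoded fields copied from the configuration dump above.
CONFIG_FIELDS = {
    "server":   "gHXo0O6Re6Pt1xydD3z6I5flkY8=",
    "channel":  "rJ6SZ1rwWGgX6a/uPaF6kQ==",
    "chanpass": "qFPy5berEF94KThCBvi8Qw==",
    "server2":  "WWF44BEoiWLJgbVOdnRrmQ==",
}

# The dumped cryptkey is the one-byte string "\x10"; it is taken here as
# the integer 0x10 (an assumption about how sdbot stores it).
CRYPTKEY = 0x10


def sdbot_decryptstr(data: bytes, cryptkey: int) -> bytes:
    """Port of sdbot 0.5b's decryptstr(): byte i is XORed with
    cryptkey + i*(cryptkey % 10) + 1, truncated to one byte.
    XOR is its own inverse, so the same call also encrypts.
    A cryptkey of 0 disables the pass, as in the C original."""
    if cryptkey == 0:
        return bytes(data)
    step = cryptkey % 10
    return bytes(b ^ ((cryptkey + i * step + 1) & 0xFF)
                 for i, b in enumerate(data))


def looks_like_text(buf: bytes) -> bool:
    """A server name, channel or password should decrypt to printable ASCII."""
    return len(buf) > 0 and all(0x20 <= b <= 0x7E for b in buf)


def try_sdbot_scheme(fields=CONFIG_FIELDS, cryptkey=CRYPTKEY) -> dict:
    """Base64-decode every field, run it through the sdbot routine with the
    given key and report the decoded length, whether the output is plausible
    text, and the output bytes in hex for manual inspection."""
    results = {}
    for name, b64 in fields.items():
        raw = base64.b64decode(b64)
        out = sdbot_decryptstr(raw, cryptkey)
        results[name] = {"len": len(raw), "text": looks_like_text(out), "hex": out.hex()}
    return results


def keys_giving_text(b64: str) -> list:
    """Generalisation of the check above: try every one-byte cryptkey and
    return the ones that yield printable output. An empty list means the
    sdbot schedule does not fit this field for any key, not just 0x10."""
    raw = base64.b64decode(b64)
    return [k for k in range(256) if looks_like_text(sdbot_decryptstr(raw, k))]


if __name__ == "__main__":
    for name, r in try_sdbot_scheme().items():
        print(f"{name:9s} {r['len']:2d} bytes  text={r['text']!s:5s}  {r['hex']}")
    for name, b64 in CONFIG_FIELDS.items():
        print(f"{name:9s} keys giving printable output: {keys_giving_text(b64)}")
```

The printability test is deliberately strict (0x20 to 0x7E only); an IRC server name, channel or key never legitimately contains control bytes, so a single one is enough to reject a candidate key.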