mindjail worm / sdbot 0.5b quick analysis
by sloth, July 1st, 2003

The Mindjail worm appears to be based on the trojan sdbot 0.5b. sdbot gives the controller the ability to execute files, download and execute files from the internet, and run some DoS commands. The Mindjail version was modified to behave more like a worm: it can join channels and spam a self-hosted URL from which the trojan can be downloaded.

http://www.ryan1918.com/sd/sdbot

Here is the configuration of the Mindjail version, which I recovered from memory after unpacking it. The field names are based on the declarations in the sdbot source and may not correspond 100% with their descriptions. Some of the sensitive data has been encrypted and encoded with base64.

botid:    worm_s1
password: $1$e7HG.z0p$YY6hJEw3qG/5rkIM6PHWg0
logins:   5?
server:   gHXo0O6Re6Pt1xydD3z6I5flkY8=
port:     6667
channel:  rJ6SZ1rwWGgX6a/uPaF6kQ==
chanpass: qFPy5berEF94KThCBvi8Qw==
server2:  WWF44BEoiWLJgbVOdnRrmQ==
channel2: NULL
topiccmd: True? (set to TRUE to enable topic commands)
rndfile:  False? (use a random file name)
filename: hpsched.exe (destination file name)
registry: True (use the Run registry key for autostart)
regserv:  True? (use the RunServices registry key)
regvalue: hpsched (name in registry)
version:  "mIRC v5.91 K.Mardam-Bey" (IRC version reply)
cryptkey: "\x10"

When the spam feature is enabled, the bot joins channels and messages the users with something similar to the following:

??? omqcwmtsd [~pdwcwmtsd@211.202.86.227] has joined #somewhere-efnet
??? omqcwmtsd [~pdwcwmtsd@211.202.86.227] has left #somewhere-efnet
[omqcwmtsd(~pdwcwmtsd@211.202.86.227)] The thought police are coming, they will lock you into your brain muzzle and put you into mindjail http://211.202.86.227:3030/mindjail.zip

The string decryption routine as it appears in the sdbot source (cryptkey is the global configuration value shown above; BYTE is the Windows typedef for unsigned char):

    /* XORs str in place with a position-dependent mask derived from cryptkey.
       The same call also encrypts, since XOR is its own inverse.
       Note the BYTE loop index: it wraps at 255, so a buffer of 256 or more
       bytes would never terminate the loop. */
    char * decryptstr(char *str, int strlen)
    {
        if (cryptkey != 0)
            for (BYTE i = 0; i < strlen; i++)
                str[i] = str[i] ^ (cryptkey + (i * (cryptkey % 10) + 1));
        return str;
    }

The bot on the website does not come with a fully working encryption scheme or with the IRC spam/worm features. The function above is included in the sdbot source but is never called. Mindjail seems to use a different method for encoding the sensitive data.
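To test that conclusion, here is an added Python port of decryptstr() (my own code, not from the page or from sdbot) that applies the key schedule with cryptkey 0x10 to the base64 values recovered above and reports whether any of them decodes to plausible text; it also checks the shape of the password field. The configuration values are the ones on this page; the helper names are my own.

```python
import base64

# Values copied from the recovered Mindjail configuration on this page.
CRYPTKEY = 0x10
CONFIG_B64 = {
    "server": "gHXo0O6Re6Pt1xydD3z6I5flkY8=",
    "channel": "rJ6SZ1rwWGgX6a/uPaF6kQ==",
    "chanpass": "qFPy5berEF94KThCBvi8Qw==",
    "server2": "WWF44BEoiWLJgbVOdnRrmQ==",
}
PASSWORD_FIELD = "$1$e7HG.z0p$YY6hJEw3qG/5rkIM6PHWg0"


def keystream(cryptkey: int, length: int) -> list:
    """Per-byte XOR mask decryptstr() applies: key + (i * (key % 10) + 1), as a char."""
    return [(cryptkey + (i * (cryptkey % 10) + 1)) & 0xFF for i in range(length)]


def decryptstr(data: bytes, cryptkey: int = CRYPTKEY) -> bytes:
    """Port of sdbot's decryptstr(); XOR is its own inverse, so this also encrypts.
    Unlike the C original (BYTE loop index) it handles inputs of 256+ bytes."""
    if cryptkey == 0:
        return bytes(data)
    return bytes(b ^ k for b, k in zip(data, keystream(cryptkey, len(data))))


def is_printable_ascii(data: bytes) -> bool:
    """A hostname, channel name or password would decode to printable ASCII."""
    return len(data) > 0 and all(0x20 <= b <= 0x7E for b in data)


def check_config(config: dict, cryptkey: int = CRYPTKEY) -> dict:
    """Base64-decode each field, run it through decryptstr() and report whether
    the result is plausible text. All False means this is not Mindjail's scheme."""
    return {name: is_printable_ascii(decryptstr(base64.b64decode(value), cryptkey))
            for name, value in config.items()}


def is_md5crypt(field: str) -> bool:
    """'$1$salt$hash' with a 22-character hash is the MD5-crypt format, so the
    password is stored as a hash rather than as an encrypted/base64 string."""
    parts = field.split("$")
    return len(parts) == 4 and parts[0] == "" and parts[1] == "1" and len(parts[3]) == 22


if __name__ == "__main__":
    print("keystream for cryptkey 0x10:", keystream(CRYPTKEY, 4))
    print("decryptstr() yields text:", check_config(CONFIG_B64))
    print("password field is MD5-crypt:", is_md5crypt(PASSWORD_FIELD))
```

Every field comes back False (the server value already starts with byte 0x80 before the XOR), which is consistent with the author's conclusion that Mindjail does not use this routine.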