WORM_SDBOT.ERP

 Analysis by: Sabrina Lei Sioting

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW


This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It modifies registry entries to suppress Windows Security Center notifications and turns off Windows Firewall through the firewall policy keys, so the user receives no warning that antivirus and firewall protection are off. It modifies a Windows Update policy entry to block the delivery of Service Pack 2 to affected systems running Windows XP. It also disables Task Manager, Registry Editor, and Folder Options.

  TECHNICAL DETAILS

File Size:

519,680 bytes

File Type:

EXE

Memory Resident:

Yes

Initial Samples Received Date:

03 Jul 2007

Arrival Details

This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following copies of itself into the affected system:

  • %Windows%\ntvdm.exe

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

Autostart Technique

This worm registers itself as a system service named "NTVDM." (with a trailing period) to ensure its automatic execution at every system startup. It adds the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_NTVDM.\
0000
Service = "NTVDM."

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\NTVDM.
ImagePath = "%Windows%\ntvdm.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\NTVDM.
DisplayName = "NTVDM."

(Note: The service name mimics NTVDM, the NT Virtual DOS Machine. The legitimate component is %System%\ntvdm.exe and is not a registered service; the trailing period in the name and the %Windows% path of the image distinguish the worm's copy.)

It modifies the following registry entries. The Shell modification ensures its automatic execution at every system startup; SFCDisable controls Windows File Protection (WFP), so setting it to a non-zero value is an attempt to switch WFP off:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Shell = "Explorer.exe %Windows%\ntvdm.exe"

(Note: The default value data of the said registry entry is "Explorer.exe".)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
SFCDisable = "{hex}"

(Note: The default value data of the said registry entry is 0.)

It also adds the following registry keys as part of the service registration:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_NTVDM.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_NTVDM.\
0000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Enum\Root\LEGACY_NTVDM.\
0000\Control

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\NTVDM.
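
The persistence described above can be checked from the host itself. The following is an added example, not part of the Trend Micro advisory: a read-only PowerShell triage script, written against Windows PowerShell 2.0 so it also runs on the Windows XP and Server 2003 systems listed under Platform. It assumes the names exactly as the advisory lists them (including the trailing period in "NTVDM.") and that the legitimate NT Virtual DOS Machine binary is %System%\ntvdm.exe, which is not a registered service. The check for any service key name ending in a period generalises beyond this sample to catch renamed variants.

```powershell
# Added example, not part of the advisory: read-only triage for the persistence
# mechanisms listed above. Written for Windows PowerShell 2.0 so it also runs on
# XP / Server 2003. Run elevated. Assumption: names are matched exactly as the
# advisory lists them, trailing period included.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped copy. The legitimate NT Virtual DOS Machine is %System%\ntvdm.exe
#    (System32); a second ntvdm.exe directly under %Windows% is the worm's copy.
$dropped = Join-Path $env:windir 'ntvdm.exe'
if (Test-Path -LiteralPath $dropped) {
    $stream = [System.IO.File]::OpenRead($dropped)
    try {
        $sha256 = [System.Security.Cryptography.SHA256]::Create()
        $hash = [System.BitConverter]::ToString($sha256.ComputeHash($stream)).Replace('-', '')
    } finally {
        $stream.Close()
    }
    $size = (Get-Item -LiteralPath $dropped).Length
    $findings.Add("Dropped copy: $dropped, $size bytes (advisory sample: 519,680), SHA256 $hash")
}

# 2. Running instance loaded from the dropped path (the real ntvdm.exe runs
#    from System32, and only while a 16-bit program is open).
Get-Process -Name ntvdm -ErrorAction SilentlyContinue | ForEach-Object {
    if ($_.Path -and ($_.Path -ieq $dropped)) {
        $findings.Add("Running from dropped path: PID $($_.Id) $($_.Path)")
    }
}

# 3. Service registration. The .NET registry API is used so that the trailing
#    period in "NTVDM." is passed through exactly as written.
$hklm = [Microsoft.Win32.Registry]::LocalMachine
foreach ($sub in @('SYSTEM\CurrentControlSet\Services\NTVDM.',
                   'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NTVDM.')) {
    $key = $hklm.OpenSubKey($sub)
    if ($key -ne $null) {
        $line = "Registry key present: HKLM\$sub"
        $image = $key.GetValue('ImagePath')
        if ($image) { $line += " (ImagePath = $image)" }
        $findings.Add($line)
        $key.Close()
    }
}

# Generalisation beyond this sample: a service name ending in a period is
# abnormal, so flag any other service key that has one (renamed variants).
$services = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services')
foreach ($name in $services.GetSubKeyNames()) {
    if ($name.EndsWith('.') -and $name -ne 'NTVDM.') {
        $findings.Add("Service name ends in a period: $name")
    }
}
$services.Close()

# 4. Winlogon hijack. Shell defaults to "Explorer.exe"; SFCDisable defaults to 0.
$winlogon = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ($winlogon.Shell -and $winlogon.Shell.Trim() -ine 'explorer.exe') {
    $findings.Add("Winlogon Shell = '$($winlogon.Shell)' (default 'Explorer.exe')")
}
if ($winlogon.SFCDisable -and $winlogon.SFCDisable -ne 0) {
    $findings.Add(('SFCDisable = 0x{0:X8} (default 0)' -f $winlogon.SFCDisable))
}

if ($findings.Count -eq 0) {
    Write-Output 'No WORM_SDBOT.ERP persistence indicators found.'
} else {
    Write-Warning 'Possible WORM_SDBOT.ERP persistence:'
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

The script reports and changes nothing, so it is safe to run before deciding on cleanup. A hit on the %Windows%\ntvdm.exe path alone is decisive; the hash is recorded so the sample can be compared against other hosts, since variants need not match the 519,680-byte size given above. Note that the Shell value is checked with the trailing program stripped only by trimming whitespace, so any appended command, not just the one listed here, is reported.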

Other System Modifications

This worm adds the following registry entries as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\
LiveUpdate Admin
Enterprise Security Manager = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\
LiveUpdate Admin
Intruder Alert = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\
LiveUpdate Admin
LiveAdvisor = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\
LiveUpdate Admin
LiveUpdate = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\
LiveUpdate Admin
Norton AntiVirus Product Updates = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\
LiveUpdate Admin
Norton AntiVirus Virus Definitions = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\
LiveUpdate Admin
Norton CleanSweep = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\
LiveUpdate Admin
Norton Commander = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\
LiveUpdate Admin
Norton Internet Security = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\
LiveUpdate Admin
Norton SystemWorks = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\
LiveUpdate Admin
Norton Utilities = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\
LiveUpdate Admin
PC Handyman and HealthyPC = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\
LiveUpdate Admin
pcANYWHERE = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\
LiveUpdate Admin
Rescue Disk = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\
LiveUpdate Admin
Symantec Desktop Firewall = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\
LiveUpdate Admin
Symantec Gateway Security IDS = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\
LiveUpdate Admin
SymEvent = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\
LiveUpdate Admin
Ghost = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\
LiveUpdate Admin
NetRecon = "1"

It adds the following registry keys as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\
LiveUpdate Admin

It modifies the following registry entry to disable DCOM on the affected system:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Ole
EnableDCOM = "N"

(Note: The default value data of the said registry entry is Y.)

It modifies the following registry entries to disable Security Center functions. The *DisableNotify entries suppress the Security Center warnings about updates, antivirus and firewall status; the *Override entries tell Security Center to stop monitoring antivirus and firewall status altogether:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
UpdatesDisableNotify = "1"

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AntiVirusDisableNotify = "1"

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
FirewallDisableNotify = "1"

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AntiVirusOverride = "1"

(Note: The default value data of the said registry entry is 0.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
FirewallOverride = "1"

(Note: The default value data of the said registry entry is 0.)

It modifies the following registry entry to block the delivery of Service Pack 2 through Windows Update and Automatic Updates on affected systems running Windows XP:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2 = "1"

(Note: The default value data of the said registry entry is 0.)

It creates the following registry entries to disable Task Manager, Registry Editor (Registry Tools) and Folder Options:

HKEY_USERS\.DEFAULT\Software\
Microsoft\Windows\CurrentVersion\
Policies\System
DisableTaskMgr = "1"

HKEY_USERS\.DEFAULT\Software\
Microsoft\Windows\CurrentVersion\
Policies\System
DisableRegistryTools = "1"

(Note: HKEY_USERS\.DEFAULT is the default user hive, used by the logon desktop and by services running as LocalSystem. Values set there do not apply to interactive users, whose own policies are read from their hives under HKEY_CURRENT_USER.)

It creates the following registry entries to turn off Windows Firewall for both the domain and standard profiles through the firewall policy keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\WindowsFirewall\DomainProfile
EnableFirewall = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\WindowsFirewall\StandardProfile
EnableFirewall = "0"
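
The registry changes listed under Other System Modifications can be audited and reverted from the affected host. The following is an added example, not part of the Trend Micro advisory: a PowerShell script that reports every value still in the state the worm leaves it in and, when run with -Repair, restores the defaults the advisory documents. Where the advisory documents no default (the Policies\System and WindowsFirewall policy values), a clean system simply does not carry the value, so the repair deletes it; that choice is mine, not the advisory's. It assumes the worm's service has already been stopped and its file removed, since a still-running copy can reapply the settings.

```powershell
# Added example, not part of the advisory: audit (and, with -Repair, undo) the
# security-control tampering listed under "Other System Modifications". Defaults
# are the ones the advisory documents; where it documents none (the Policies
# values), a clean system does not have the value at all, so repair deletes it.
# Run elevated, after the worm's service has been stopped and its file removed.
param([switch]$Repair)

# Values the worm sets to a fixed figure, with the advisory's documented default.
$resetToDefault = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Ole';                            Name = 'EnableDCOM';             Bad = 'N'; Default = 'Y' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center';                Name = 'UpdatesDisableNotify';   Bad = 1;   Default = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center';                Name = 'AntiVirusDisableNotify'; Bad = 1;   Default = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center';                Name = 'FirewallDisableNotify';  Bad = 1;   Default = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center';                Name = 'AntiVirusOverride';      Bad = 1;   Default = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center';                Name = 'FirewallOverride';       Bad = 1;   Default = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'; Name = 'DoNotAllowXPSP2';        Bad = 1;   Default = 0 }
)

# Policy values absent from a clean system: the fix is to delete them. HKU: is
# not a drive by default, so the .DEFAULT hive is reached via Registry::.
$removeIfPresent = @(
    @{ Path = 'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr' },
    @{ Path = 'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile';   Name = 'EnableFirewall' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile'; Name = 'EnableFirewall' }
)

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when either the key or the value is missing.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

$tampered = 0

foreach ($v in $resetToDefault) {
    $current = Get-RegValue $v.Path $v.Name
    if ($current -ne $null -and "$current" -eq "$($v.Bad)") {
        $tampered++
        Write-Warning "$($v.Path)\$($v.Name) = $current (default: $($v.Default))"
        if ($Repair) { Set-ItemProperty -LiteralPath $v.Path -Name $v.Name -Value $v.Default }
    }
}

foreach ($v in $removeIfPresent) {
    $current = Get-RegValue $v.Path $v.Name
    if ($current -ne $null) {
        $tampered++
        Write-Warning "$($v.Path)\$($v.Name) = $current (not present on a clean system)"
        if ($Repair) { Remove-ItemProperty -LiteralPath $v.Path -Name $v.Name }
    }
}

if ($tampered -eq 0) {
    Write-Output 'None of the registry tampering from this advisory is present.'
} elseif ($Repair) {
    Write-Output "$tampered value(s) restored. Reboot, or restart the Security Center service (wscsvc), so it re-evaluates."
} else {
    Write-Output "$tampered tampered value(s) found; re-run with -Repair to restore them."
}
```

Run it without the switch first and read the warnings. On a domain-joined host the WindowsFirewall and WindowsUpdate policy keys may legitimately be set by Group Policy, which rewrites them at the next refresh; compare a reported value against the applied GPO before treating it as tampering. Security Center caches its state, so the restored *DisableNotify and *Override values take effect only after the wscsvc service restarts or the machine reboots.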