WORM_SDBOT.CEM

September 08, 2010

PLATFORM:

Windows 2000, XP, Server 2003

OVERALL RISK RATING:

DAMAGE POTENTIAL:

DISTRIBUTION POTENTIAL:

REPORTED INFECTION:

Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes

OVERVIEW

It may be unknowingly downloaded by a user while visiting malicious websites.
It may be dropped by other malware.
It adds registry entries to enable its automatic execution at every system startup.
It connects to Internet Relay Check (IRC) servers.
It propagates via shared networks and drops copies of itself into available networks.
It uses a sniffer to get passwords from network packets. This action allows this malware to get login passwords for computers connected to the system.
It logs a user's keystrokes to steal information.
It steals CD keys, serial numbers, and/or the application product IDs of certain software. tolen information may be used for profit by cybercriminals who may gain access to the information.
It deletes itself after execution.
It bypasses the Windows firewall. This allows the malware to perform its intended routine without being detected by an installed firewall.
It exploits software vulnerabilities to propagate to other computers across a network.

TECHNICAL DETAILS

Initial Samples Received Date:

01 Jan 0001

Arrival Details

It may be unknowingly downloaded by a user while visiting malicious websites.

It may be dropped by other malware.

Autostart Technique

It adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Update='host.exe'

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Windows Update='host.exe'

HKEY_CURRENT_USER\Software\Microsoft\OLE
Windows Update='host.exe'

Backdoor Routine

It connects to any of the following Internet Relay Chat (IRC) servers:

blah.swapixtreme.com:7878

It joins any of the following IRC channel(s):

File Infection

It propagates via shared networks and drops copies of itself into available networks.

Information Theft

It launches a carnivore sniffer to retrieve passwords from network packets using certain strings.

It logs a user's keystrokes to steal information.

It steals CD keys, serial numbers, and/or the application product IDs of certain software.

Installation

It drops the following copies of itself into the affected system:

%System%\host.exe

It deletes itself after execution.

Other Details

More information on this vulnerability can be found below:

http://www.microsoft.com/technet/security/bulletin/ms03-039.mspx

http://www.microsoft.com/technet/security/bulletin/ms03-026.mspx

http://www.microsoft.com/technet/security/bulletin/ms03-049.mspx

http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

http://www.securityfocus.com/bid/1055/solution

Other System Modifications

It adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MaxConnectionsPer1_0Server=80

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MaxConnectionsPerServer=80

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
EnableRemoteConnect='N'

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT1.0\Server
Enabled=0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareWks=0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareServer=0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
TCP1320Opts=3

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
KeepAliveTime=144000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
BcastQueryTimeout=750

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
BcastNameQueryCount=1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
CacheTimeout=60000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Size/Small/Medium/Large=3

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
LargeBufferSize=4096

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
SynAckProtect=2

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
PerformRouterDiscovery=0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
EnablePMTUBHDetect=0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
FastSendDatagramThreshold=1024

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
StandardAddressLength=24

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
DefaultReceiveWindow=16384

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
DefaultSendWindow=16384

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
BufferMultiplier=512

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
PriorityBoost=2

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
IrpStackSize=4

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
IgnorePushBitOnReceives=0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
DisableAddressSharing=0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
AllowUserRawAccess=0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
DisableRawSecurity=0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
DynamicBacklogGrowthDelta=50

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
FastCopyReceiveThreshold=1024

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
LargeBufferListDepth=10

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
MaxActiveTransmitFileCount=2

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
MaxFastTransmit=64

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
OverheadChargeGranularity=1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
SmallBufferListDepth=32

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
SmallerBufferSize=128

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
TransmitWorker=32

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
DNSQueryTimeouts={random hex values}

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
DefaultRegistrationTTL=20

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
DisableReplaceAddressesInConflicts=0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
DisableReverseAddressRegistrations=1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
UpdateSecurityLevel=0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
QueryIpMatching=0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
NoNameReleaseOnDemand=1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
EnableDeadGWDetect=0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
EnableFastRouteLookup=1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
MaxFreeTcbs=2000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
MaxHashTableSize=2048

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
SackOpts=1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Tcp1323Opts=3

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
TcpMaxDupAcks=1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
TcpRecvSegmentSize=1413

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
TcpSendSegmentSize=1413

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
DefaultTTL=48

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
TcpMaxHalfOpen=75

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
TcpMaxHalfOpenRetried=80

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
MaxNormLookupMemory=200000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
FFPControlFlags=1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
FFPFastForwardingCacheSize=200000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
MaxForwardBufferMemory=105975

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
MaxFreeTWTcbs=2000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
GlobalMaxTcpWindowSize=512512

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
EnablePMTUDiscovery=1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
ForwardBufferMemory=105975

It modifies the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Services\wscsvc
Start=4

(Note: The default value data of the said registry entry is 2.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
Start=4

(Note: The default value data of the said registry entry is 3.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
Start=4

(Note: The default value data of the said registry entry is 2.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
EnableDCOM='N'

(Note: The default value data of the said registry entry is 'Y'.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous=1

(Note: The default value data of the said registry entry is 0.)

It modifies the following registry entries to disable the Windows Firewall settings:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
%System%\host.exe='%system\host.exe:*:Enabled:host%'

Propagation

It exploits the following software vulnerabilities to propagate to other computers across a network:

Buffer Overrun In RPCSS Service Could Allow Code Execution (MS03-039)

Buffer Overrun In RPC Interface Could Allow Code Execution (MS03-026)

Buffer Overrun in the Workstation Service Could Allow Code Execution (MS03-049)

MS04-011

SQL Weak Password Exploit (CVE-2000-0199)

SOLUTION

Minimum Scan Engine:

8.900

Step 1
For Windows ME and XP users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2
Terminate this process

[ Learn More ]

For Windows 98 and ME users, the Windows Task Manager may not display all running processes. In this case, please use a third-party process viewer, preferably Process Explorer, to terminate the malware/grayware/spyware file. You may download the said tool here.
If the detected file is displayed in either Windows Task Manager or Process Explorer but you cannot delete it, restart your computer in safe mode. To do this, refer to this link for the complete steps.
If the detected file is not displayed in either Windows Task Manager or Process Explorer, continue doing the next steps.

Step 3
Delete this registry value This step allows you to delete the registry value created by the malware.

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Windows Update=host.exe
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
- Windows Update=host.exe
In HKEY_CURRENT_USER\Software\Microsoft\OLE
- Windows Update=host.exe
In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- MaxConnectionsPer1_0Server=80
In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- MaxConnectionsPerServer=80
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
- EnableRemoteConnect=N
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT1.0\Server
- Enabled=0
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
- AutoShareWks=0
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
- AutoShareServer=0
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- TCP1320Opts=3
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- KeepAliveTime=144000
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- BcastQueryTimeout=750
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- BcastNameQueryCount=1
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- CacheTimeout=60000
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- Size/Small/Medium/Large=3
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- LargeBufferSize=4096
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- SynAckProtect=2
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- PerformRouterDiscovery=0
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- EnablePMTUBHDetect=0
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- FastSendDatagramThreshold=1024
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- StandardAddressLength=24
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- DefaultReceiveWindow=16384
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- DefaultSendWindow=16384
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- BufferMultiplier=512
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- PriorityBoost=2
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- IrpStackSize=4
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- IgnorePushBitOnReceives=0
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- DisableAddressSharing=0
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- AllowUserRawAccess=0
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- DisableRawSecurity=0
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- DynamicBacklogGrowthDelta=50
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- FastCopyReceiveThreshold=1024
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- LargeBufferListDepth=10
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- MaxActiveTransmitFileCount=2
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- MaxFastTransmit=64
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- OverheadChargeGranularity=1
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- SmallBufferListDepth=32
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- SmallerBufferSize=128
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- TransmitWorker=32
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- DNSQueryTimeouts={random hex values}
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- DefaultRegistrationTTL=20
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- DisableReplaceAddressesInConflicts=0
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- DisableReverseAddressRegistrations=1
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- UpdateSecurityLevel=0
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- QueryIpMatching=0
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- NoNameReleaseOnDemand=1
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- EnableDeadGWDetect=0
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- EnableFastRouteLookup=1
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- MaxFreeTcbs=2000
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- MaxHashTableSize=2048
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- SackOpts=1
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- Tcp1323Opts=3
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- TcpMaxDupAcks=1
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- TcpRecvSegmentSize=1413
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- TcpSendSegmentSize=1413
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- DefaultTTL=48
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- TcpMaxHalfOpen=75
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- TcpMaxHalfOpenRetried=80
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- MaxNormLookupMemory=200000
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- FFPControlFlags=1
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- FFPFastForwardingCacheSize=200000
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- MaxForwardBufferMemory=105975
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- MaxFreeTWTcbs=2000
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- GlobalMaxTcpWindowSize=512512
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- EnablePMTUDiscovery=1
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- ForwardBufferMemory=105975

To delete the registry value this malware created:

Open Registry Editor. To do this, click Start>Run, type regedit in the text box provided, then press Enter.
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
Windows Update=host.exe
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>RunServices
In the right panel, locate and delete the entry:
Windows Update=host.exe
In the left panel of the Registry Editor window, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>OLE
In the right panel, locate and delete the entry:
Windows Update=host.exe
In the left panel of the Registry Editor window, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Internet Settings
In the right panel, locate and delete the entry:
MaxConnectionsPer1_0Server=80
In the left panel of the Registry Editor window, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Internet Settings
In the right panel, locate and delete the entry:
MaxConnectionsPerServer=80
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Ole
In the right panel, locate and delete the entry:
EnableRemoteConnect=N
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Control>SecurityProviders>SCHANNEL>Protocols>PCT1.0>Server
In the right panel, locate and delete the entry:
Enabled=0
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>lanmanserver>parameters
In the right panel, locate and delete the entry:
AutoShareWks=0
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>lanmanserver>parameters
In the right panel, locate and delete the entry:
AutoShareServer=0
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
TCP1320Opts=3
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
KeepAliveTime=144000
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
BcastQueryTimeout=750
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
BcastNameQueryCount=1
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
CacheTimeout=60000
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
Size/Small/Medium/Large=3
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
LargeBufferSize=4096
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
SynAckProtect=2
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
PerformRouterDiscovery=0
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
EnablePMTUBHDetect=0
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
FastSendDatagramThreshold=1024
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
StandardAddressLength=24
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
DefaultReceiveWindow=16384
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
DefaultSendWindow=16384
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
BufferMultiplier=512
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
PriorityBoost=2
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
IrpStackSize=4
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
IgnorePushBitOnReceives=0
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
DisableAddressSharing=0
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
AllowUserRawAccess=0
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
DisableRawSecurity=0
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
DynamicBacklogGrowthDelta=50
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
FastCopyReceiveThreshold=1024
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
LargeBufferListDepth=10
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
MaxActiveTransmitFileCount=2
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
MaxFastTransmit=64
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
OverheadChargeGranularity=1
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
SmallBufferListDepth=32
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
SmallerBufferSize=128
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
TransmitWorker=32
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
DNSQueryTimeouts={random hex values}
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
DefaultRegistrationTTL=20
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
DisableReplaceAddressesInConflicts=0
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
DisableReverseAddressRegistrations=1
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
UpdateSecurityLevel=0
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
QueryIpMatching=0
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
NoNameReleaseOnDemand=1
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
EnableDeadGWDetect=0
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
EnableFastRouteLookup=1
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
MaxFreeTcbs=2000
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
MaxHashTableSize=2048
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
SackOpts=1
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
Tcp1323Opts=3
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
TcpMaxDupAcks=1
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
TcpRecvSegmentSize=1413
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
TcpSendSegmentSize=1413
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
DefaultTTL=48
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
TcpMaxHalfOpen=75
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
TcpMaxHalfOpenRetried=80
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
MaxNormLookupMemory=200000
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
FFPControlFlags=1
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
FFPFastForwardingCacheSize=200000
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
MaxForwardBufferMemory=105975
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
MaxFreeTWTcbs=2000
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
GlobalMaxTcpWindowSize=512512
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
EnablePMTUDiscovery=1
In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
In the right panel, locate and delete the entry:
ForwardBufferMemory=105975
Close Registry Editor.

Step 4
Restore this modified registry value This step allows you to undo a change done by the malware/grayware/spyware to a registry value.

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Services\wscsvc
- From: Start=4
  To: Start=2
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
- From: Start=4
  To: Start=3
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
- From: Start=4
  To: Start=2
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
- From: EnableDCOM=N
  To: EnableDCOM=Y
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
- From: restrictanonymous=1
  To: restrictanonymous=0

To restore the registry value this malware/grayware/spyware modified:

Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>ControlSet>Services>wscsvc
In the right panel, locate the registry value:
Start=4
Right-click on the value name and choose Modify. Change the value data of this entry to:
Start=2
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>ControlSet>Services>wscsvc
In the right panel, locate the registry value:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>SharedAccess
Right-click on the value name and choose Modify. Change the value data of this entry to:
Start=4Start=3
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>ControlSet>Services>wscsvc
In the right panel, locate the registry value:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>wuauserv
Right-click on the value name and choose Modify. Change the value data of this entry to:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>OleEnableDCOM=NEnableDCOM=Y
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>ControlSet>Services>wscsvc
In the right panel, locate the registry value:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Control>Lsa
Right-click on the value name and choose Modify. Change the value data of this entry to:
restrictanonymous=1restrictanonymous=0
Close Registry Editor.

Step 5
Scan your computer with your Trend Micro product to delete files detected as WORM_SDBOT.CEM If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Step 6
Download and apply these security patches Refrain from using these products until the appropriate patches have been installed. Trend Micro advises users to download critical patches upon release by vendors. http://www.microsoft.com/technet/security/bulletin/ms03-039.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-026.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-049.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
http://www.securityfocus.com/bid/1055/solution

Did this description help? Tell us how we did.

WORM_SDBOT.CEM

OVERVIEW

TECHNICAL DETAILS

SOLUTION

參考資源

技術支援

關於趨勢

WORM_SDBOT.CEM

OVERVIEW

TECHNICAL DETAILS

SOLUTION

參考資源

技術支援

關於趨勢

美洲 (The Americas)

中東與非洲 (Middle East & Africa)

歐洲

亞太地區 (Asia Pacific)