WORM_SDBOT.CEM
Windows 2000, XP, Server 2003
Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
It may be unknowingly downloaded by a user while visiting malicious websites.
It may be dropped by other malware.
It adds registry entries to enable its automatic execution at every system startup.
It connects to Internet Relay Chat (IRC) servers.
It propagates by dropping copies of itself into accessible network shares.
It runs a packet sniffer to harvest passwords from network traffic, which gives the malware login credentials for other computers on the network.
It logs a user's keystrokes to steal information.
It steals CD keys, serial numbers, and/or the application product IDs of certain software. Stolen information may be sold or used by cybercriminals to gain further access.
It deletes its original copy after execution.
It adds itself to the Windows Firewall exception list and disables the firewall service, so its network activity is neither blocked nor flagged by the built-in firewall.
It exploits software vulnerabilities to propagate to other computers across a network.
TECHNICAL DETAILS
Arrival Details
It may be unknowingly downloaded by a user while visiting malicious websites.
It may be dropped by other malware.
Autostart Technique
It adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Update='host.exe'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Windows Update='host.exe'
HKEY_CURRENT_USER\Software\Microsoft\OLE
Windows Update='host.exe'
Backdoor Routine
It connects to any of the following Internet Relay Chat (IRC) servers:
- blah.swapixtreme.com:7878
It joins any of the following IRC channel(s):
- #b
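The server, port and channel above are the network indicators for this variant. The following Python script is an added example (not part of the original report and not Trend Micro code) that parses the client half of a raw IRC stream and matches it against those indicators; the sample stream, including its nick and user strings, is constructed, and the non-standard-port heuristic is an addition of this example, not a statement from the report.

```python
"""Network-side check for the IRC command-and-control described above.

Added example, not part of the original report. It parses the client->server
lines of a raw IRC TCP stream and, together with the destination host and
port, flags the indicators from this report: the server blah.swapixtreme.com
on port 7878 and a JOIN to channel #b. It also raises the generic sign that an
IRC handshake is happening on a port outside the usual 6660-6669/6697 range,
which is how a variant with a different server name would still stand out.
The sample stream below is constructed; the nick and user in it are invented.
"""
IOC_SERVERS = {("blah.swapixtreme.com", 7878)}
IOC_CHANNELS = {"#b"}
STANDARD_IRC_PORTS = set(range(6660, 6670)) | {6697}


def parse_irc_client_stream(stream):
    """Extract nick, username and joined channels from the client->server lines."""
    info = {"nick": None, "user": None, "channels": []}
    for raw in stream.replace("\r\n", "\n").split("\n"):
        if not raw.strip():
            continue
        cmd, _, rest = raw.partition(" ")
        cmd = cmd.upper()
        if cmd == "NICK":
            info["nick"] = rest.strip()
        elif cmd == "USER":
            # USER <username> <mode> <unused> :<realname>
            info["user"] = rest.split(" ", 1)[0]
        elif cmd == "JOIN":
            # JOIN takes a comma-separated channel list, optionally followed by keys.
            for chan in rest.split(" ", 1)[0].split(","):
                if chan:
                    info["channels"].append(chan.lower())
    return info


def assess(dst_host, dst_port, stream):
    """Return (parsed_info, alerts) for one TCP connection."""
    info = parse_irc_client_stream(stream)
    alerts = []
    if (dst_host.lower(), dst_port) in IOC_SERVERS:
        alerts.append(f"known SDBOT.CEM C2 server {dst_host}:{dst_port}")
    for chan in info["channels"]:
        if chan in IOC_CHANNELS:
            alerts.append(f"joined SDBOT.CEM channel {chan}")
    if info["nick"] and dst_port not in STANDARD_IRC_PORTS:
        alerts.append(f"IRC handshake on non-standard port {dst_port}")
    return info, alerts


# Constructed client stream: what an infected host would send right after connecting.
SAMPLE_STREAM = (
    "NICK xyz-4821\r\n"
    "USER xyz 0 0 :xyz\r\n"
    "JOIN #b\r\n"
)


def demo():
    return assess("blah.swapixtreme.com", 7878, SAMPLE_STREAM)


if __name__ == "__main__":
    parsed, alerts = demo()
    print(parsed)
    for a in alerts:
        print("ALERT:", a)
```

In practice the stream would come from a packet capture or a proxy log; the port check is the part that survives a change of server name, because bots of this family are configured to whatever port the operator picked rather than the IRC defaults.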
Propagation via Network Shares
It propagates by dropping copies of itself into accessible network shares.
Information Theft
It launches a built-in packet sniffer (the "carnivore" sniffer) that retrieves passwords from network packets by matching certain strings.
It logs a user's keystrokes to steal information.
It steals CD keys, serial numbers, and/or the application product IDs of certain software.
Installation
It drops the following copies of itself into the affected system:
- %System%\host.exe
It deletes its original copy after execution.
Other Details
More information on these vulnerabilities can be found below:
- http://www.microsoft.com/technet/security/bulletin/ms03-039.mspx
- http://www.microsoft.com/technet/security/bulletin/ms03-026.mspx
- http://www.microsoft.com/technet/security/bulletin/ms03-049.mspx
- http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
- http://www.securityfocus.com/bid/1055/solution
Other System Modifications
It adds the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MaxConnectionsPer1_0Server=80
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MaxConnectionsPerServer=80
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
EnableRemoteConnect='N'
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT1.0\Server
Enabled=0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareWks=0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareServer=0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
TCP1320Opts=3
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
KeepAliveTime=144000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
BcastQueryTimeout=750
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
BcastNameQueryCount=1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
CacheTimeout=60000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Size/Small/Medium/Large=3
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
LargeBufferSize=4096
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
SynAckProtect=2
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
PerformRouterDiscovery=0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
EnablePMTUBHDetect=0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
FastSendDatagramThreshold=1024
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
StandardAddressLength=24
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
DefaultReceiveWindow=16384
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
DefaultSendWindow=16384
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
BufferMultiplier=512
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
PriorityBoost=2
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
IrpStackSize=4
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
IgnorePushBitOnReceives=0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
DisableAddressSharing=0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
AllowUserRawAccess=0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
DisableRawSecurity=0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
DynamicBacklogGrowthDelta=50
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
FastCopyReceiveThreshold=1024
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
LargeBufferListDepth=10
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
MaxActiveTransmitFileCount=2
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
MaxFastTransmit=64
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
OverheadChargeGranularity=1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
SmallBufferListDepth=32
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
SmallerBufferSize=128
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
TransmitWorker=32
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
DNSQueryTimeouts={random hex values}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
DefaultRegistrationTTL=20
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
DisableReplaceAddressesInConflicts=0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
DisableReverseAddressRegistrations=1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
UpdateSecurityLevel=0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
QueryIpMatching=0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
NoNameReleaseOnDemand=1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
EnableDeadGWDetect=0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
EnableFastRouteLookup=1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
MaxFreeTcbs=2000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
MaxHashTableSize=2048
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
SackOpts=1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Tcp1323Opts=3
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
TcpMaxDupAcks=1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
TcpRecvSegmentSize=1413
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
TcpSendSegmentSize=1413
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
DefaultTTL=48
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
TcpMaxHalfOpen=75
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
TcpMaxHalfOpenRetried=80
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
MaxNormLookupMemory=200000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
FFPControlFlags=1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
FFPFastForwardingCacheSize=200000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
MaxForwardBufferMemory=105975
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
MaxFreeTWTcbs=2000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
GlobalMaxTcpWindowSize=512512
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
EnablePMTUDiscovery=1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
ForwardBufferMemory=105975
It modifies the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Services\wscsvc
Start=4
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
Start=4
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
Start=4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
EnableDCOM='N'
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous=1
It adds the following registry entry to register itself as an authorized application in the Windows Firewall, so that its traffic is allowed through even while the firewall is enabled (the firewall service itself, SharedAccess, is separately disabled above):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
%System%\host.exe='%System%\host.exe:*:Enabled:host'
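The persistence values, disabled services, DCOM setting and firewall exception above are the host indicators for this variant. The following Python script is an added example (not part of the original report and not Trend Micro code) that parses a Windows Registry export and reports which of those indicators are present; the sample export and the C:\WINDOWS\system32 path in it are constructed for the demo.

```python
"""Host-side triage for the registry indicators listed in this report.

Added example, not Trend Micro's tooling. It parses a Windows Registry export
(the .reg text that `reg export` or Registry Editor writes) and flags the
values described above: the "Windows Update"=host.exe autostart entries, the
disabled Security Center / Firewall / Automatic Updates services, EnableDCOM=N
and the Windows Firewall exception for host.exe. The export below is
constructed for the demo; the system path in it is an assumption.
"""
AUTOSTART_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\OLE",
)
SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
DISABLED_SERVICES = ("wscsvc", "SharedAccess", "wuauserv")  # Start=4 means Disabled
FIREWALL_LIST = (SERVICES + r"\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
                 r"\AuthorizedApplications\List")


def _unescape(s):
    """Undo .reg quoting: strip the surrounding quotes and the doubled backslashes."""
    return s.strip('"').replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Parse a .reg export into {key: {value_name: data}} for string and dword values."""
    hives, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            hives.setdefault(key, {})
        elif key and line.startswith(('"', "@")) and "=" in line:
            name, data = line.split("=", 1)  # value names containing "=" are not handled
            name = "(Default)" if name == "@" else _unescape(name)
            if data.startswith("dword:"):
                hives[key][name] = int(data[6:], 16)
            else:
                hives[key][name] = _unescape(data)
    return hives


def _get(hives, key, name):
    """Case-insensitive lookup, since the registry ignores case in key and value names."""
    for k, vals in hives.items():
        if k.lower() == key.lower():
            for n, d in vals.items():
                if n.lower() == name.lower():
                    return d
    return None


def triage(text):
    """Return the list of SDBOT.CEM indicators present in a .reg export."""
    hives, findings = parse_reg(text), []
    for key in AUTOSTART_KEYS:
        data = _get(hives, key, "Windows Update")
        if isinstance(data, str) and data.lower().endswith("host.exe"):
            findings.append(f"autostart: {key}\\Windows Update = {data}")
    for svc in DISABLED_SERVICES:
        if _get(hives, SERVICES + "\\" + svc, "Start") == 4:
            findings.append(f"service disabled: {svc} Start=4")
    if _get(hives, r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole", "EnableDCOM") == "N":
        findings.append("DCOM disabled: EnableDCOM=N")
    # Firewall exceptions are stored as "<path>:<scope>:<Enabled|Disabled>:<display name>";
    # the path itself contains a colon, so split from the right.
    for k, vals in hives.items():
        if k.lower() != FIREWALL_LIST.lower():
            continue
        for path, data in vals.items():
            parts = str(data).rsplit(":", 3)
            if len(parts) == 4 and parts[2] == "Enabled" and path.lower().endswith("host.exe"):
                findings.append(f"firewall exception: {path} (display name {parts[3]!r})")
    return findings


# Constructed export as an infected XP host might produce it; C:\WINDOWS\system32 is assumed.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Update"="host.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\host.exe"="C:\\WINDOWS\\system32\\host.exe:*:Enabled:host"
'''


def demo():
    return triage(SAMPLE_EXPORT)


if __name__ == "__main__":
    for finding in demo():
        print("FOUND", finding)
```

On a live host the input would be `reg export HKLM hklm.reg` and `reg export HKCU hkcu.reg` run from an elevated prompt, or a hive pulled from a disk image; the checks deliberately key on the value name and data rather than on the malware's file hash, so they still fire when the dropped executable has been repacked.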
Propagation
It exploits the following software vulnerabilities to propagate to other computers across a network:
- Buffer Overrun In RPCSS Service Could Allow Code Execution (MS03-039)
- Buffer Overrun In RPC Interface Could Allow Code Execution (MS03-026)
- Buffer Overrun in the Workstation Service Could Allow Code Execution (MS03-049)
- Security Update for Microsoft Windows (MS04-011)
- SQL Weak Password Exploit (CVE-2000-0199)
SOLUTION
Step 1
For Windows ME and XP users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.
Step 2
Terminate this process
- For Windows 98 and ME users, the Windows Task Manager may not display all running processes. In this case, please use a third-party process viewer, preferably Process Explorer, to terminate the malware/grayware/spyware file. You may download the said tool here.
- If the detected file is displayed in either Windows Task Manager or Process Explorer but you cannot delete it, restart your computer in safe mode. To do this, refer to this link for the complete steps.
- If the detected file is not displayed in either Windows Task Manager or Process Explorer, continue doing the next steps.
Step 3
Delete this registry value. This step allows you to delete the registry values created by the malware.
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Windows Update=host.exe
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
- Windows Update=host.exe
- In HKEY_CURRENT_USER\Software\Microsoft\OLE
- Windows Update=host.exe
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- MaxConnectionsPer1_0Server=80
- MaxConnectionsPerServer=80
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
- EnableRemoteConnect=N
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT1.0\Server
- Enabled=0
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
- AutoShareWks=0
- AutoShareServer=0
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- TCP1320Opts=3
- KeepAliveTime=144000
- BcastQueryTimeout=750
- BcastNameQueryCount=1
- CacheTimeout=60000
- Size/Small/Medium/Large=3
- LargeBufferSize=4096
- SynAckProtect=2
- PerformRouterDiscovery=0
- EnablePMTUBHDetect=0
- FastSendDatagramThreshold=1024
- StandardAddressLength=24
- DefaultReceiveWindow=16384
- DefaultSendWindow=16384
- BufferMultiplier=512
- PriorityBoost=2
- IrpStackSize=4
- IgnorePushBitOnReceives=0
- DisableAddressSharing=0
- AllowUserRawAccess=0
- DisableRawSecurity=0
- DynamicBacklogGrowthDelta=50
- FastCopyReceiveThreshold=1024
- LargeBufferListDepth=10
- MaxActiveTransmitFileCount=2
- MaxFastTransmit=64
- OverheadChargeGranularity=1
- SmallBufferListDepth=32
- SmallerBufferSize=128
- TransmitWorker=32
- DNSQueryTimeouts={random hex values}
- DefaultRegistrationTTL=20
- DisableReplaceAddressesInConflicts=0
- DisableReverseAddressRegistrations=1
- UpdateSecurityLevel=0
- QueryIpMatching=0
- NoNameReleaseOnDemand=1
- EnableDeadGWDetect=0
- EnableFastRouteLookup=1
- MaxFreeTcbs=2000
- MaxHashTableSize=2048
- SackOpts=1
- Tcp1323Opts=3
- TcpMaxDupAcks=1
- TcpRecvSegmentSize=1413
- TcpSendSegmentSize=1413
- DefaultTTL=48
- TcpMaxHalfOpen=75
- TcpMaxHalfOpenRetried=80
- MaxNormLookupMemory=200000
- FFPControlFlags=1
- FFPFastForwardingCacheSize=200000
- MaxForwardBufferMemory=105975
- MaxFreeTWTcbs=2000
- GlobalMaxTcpWindowSize=512512
- EnablePMTUDiscovery=1
- ForwardBufferMemory=105975
To delete the registry values this malware created:
- Open Registry Editor. To do this, click Start>Run, type regedit in the text box provided, then press Enter.
- In the left panel of the Registry Editor window, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Run
- In the right panel, locate and delete the entry:
Windows Update=host.exe
- Repeat the previous two steps for each remaining key and entry in the list above: HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>RunServices, HKEY_CURRENT_USER>Software>Microsoft>OLE, HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Internet Settings, HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Ole, HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Control>SecurityProviders>SCHANNEL>Protocols>PCT1.0>Server, HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>lanmanserver>parameters, and every listed value under HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters (TCP1320Opts through ForwardBufferMemory).
- Close Registry Editor.
Step 4
Restore this modified registry value. This step allows you to undo a change done by the malware/grayware/spyware to a registry value.
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Services\wscsvc
From: Start=4
To: Start=2
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
From: Start=4
To: Start=3
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
From: Start=4
To: Start=2
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
From: EnableDCOM=N
To: EnableDCOM=Y
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
From: restrictanonymous=1
To: restrictanonymous=0
To restore the registry values this malware/grayware/spyware modified:
- Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
- In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>ControlSet>Services>wscsvc
- In the right panel, locate the registry value:
Start=4
- Right-click on the value name and choose Modify. Change the value data of this entry to:
Start=2
- In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>SharedAccess
- In the right panel, locate the registry value:
Start=4
- Right-click on the value name and choose Modify. Change the value data of this entry to:
Start=3
- In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>wuauserv
- In the right panel, locate the registry value:
Start=4
- Right-click on the value name and choose Modify. Change the value data of this entry to:
Start=2
- In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Ole
- In the right panel, locate the registry value:
EnableDCOM=N
- Right-click on the value name and choose Modify. Change the value data of this entry to:
EnableDCOM=Y
- In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Control>Lsa
- In the right panel, locate the registry value:
restrictanonymous=1
- Right-click on the value name and choose Modify. Change the value data of this entry to:
restrictanonymous=0
- Close Registry Editor.
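As an added example that is not part of this Trend Micro description, the following PowerShell script audits, and with -Apply undoes, the registry changes covered by Step 3 (the Tcpip\Parameters entries, from EnableFastRouteLookup on; extend the table with any entries listed earlier in that step) and Step 4. Value names and values are taken from the page. Two things are this example's own assumptions: the HKLM: drive paths, and the use of CurrentControlSet for the wscsvc key, which the page writes as ControlSet. Run it from an elevated prompt; without -Apply it only reports.

```powershell
# Added example, not Trend Micro's tooling: audit and (with -Apply) undo the
# registry changes in Steps 3 and 4 of this page. Reports only unless -Apply is given.
[CmdletBinding()]
param([switch]$Apply)

$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# Entries the worm writes under Tcpip\Parameters (names and values from the page).
# Several of these are ordinary TCP/IP tuning values, so an entry is removed only
# when it holds exactly the value the worm sets; anything else is reported for review.
$wormTcpip = @{
  EnableFastRouteLookup      = 1
  MaxFreeTcbs                = 2000
  MaxHashTableSize           = 2048
  SackOpts                   = 1
  Tcp1323Opts                = 3
  TcpMaxDupAcks              = 1
  TcpRecvSegmentSize         = 1413
  TcpSendSegmentSize         = 1413
  DefaultTTL                 = 48
  TcpMaxHalfOpen             = 75
  TcpMaxHalfOpenRetried      = 80
  MaxNormLookupMemory        = 200000
  FFPControlFlags            = 1
  FFPFastForwardingCacheSize = 200000
  MaxForwardBufferMemory     = 105975
  MaxFreeTWTcbs              = 2000
  GlobalMaxTcpWindowSize     = 512512
  EnablePMTUDiscovery        = 1
  ForwardBufferMemory        = 105975
}

# Values Step 4 restores: key, value name, what the worm set, what to put back.
# Assumption (not from the page): wscsvc is looked up under CurrentControlSet,
# where Windows registers services; the page writes the key as SYSTEM\ControlSet.
$restore = @(
  @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc';       Name = 'Start';             From = 4;   To = 2 },
  @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess'; Name = 'Start';             From = 4;   To = 3 },
  @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv';     Name = 'Start';             From = 4;   To = 2 },
  @{ Key = 'HKLM:\SOFTWARE\Microsoft\Ole';                         Name = 'EnableDCOM';        From = 'N'; To = 'Y' },
  @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';           Name = 'restrictanonymous'; From = 1;   To = 0 }
)

function Get-RegValue([string]$Key, [string]$Name) {
  # Returns $null when the key or the value does not exist instead of throwing.
  $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
  if ($null -eq $item) { return $null }
  return $item.$Name
}

# Step 3: worm-added Tcpip\Parameters entries.
foreach ($name in $wormTcpip.Keys) {
  $current = Get-RegValue $tcpip $name
  if ($null -eq $current) { continue }   # not present, nothing to do
  if ("$current" -eq "$($wormTcpip[$name])") {
    Write-Output "DELETE  $tcpip\$name = $current (matches worm value)"
    if ($Apply) { Remove-ItemProperty -Path $tcpip -Name $name }
  } else {
    Write-Output "REVIEW  $tcpip\$name = $current (differs from worm value $($wormTcpip[$name]); left in place)"
  }
}

# Step 4: services and settings the worm disabled.
foreach ($r in $restore) {
  $current = Get-RegValue $r.Key $r.Name
  if ($null -eq $current) { Write-Output "MISSING $($r.Key)\$($r.Name)"; continue }
  if ("$current" -eq "$($r.From)") {
    Write-Output "RESTORE $($r.Key)\$($r.Name): $current -> $($r.To)"
    if ($Apply) { Set-ItemProperty -Path $r.Key -Name $r.Name -Value $r.To }
  } else {
    Write-Output "OK      $($r.Key)\$($r.Name) = $current"
  }
}
```

Names such as DefaultTTL, EnablePMTUDiscovery, Tcp1323Opts and SackOpts are legitimate TCP/IP settings an administrator may have configured on purpose, which is why the script deletes an entry only when its data equals the value the worm writes and otherwise leaves it for manual review. Restoring a service's Start value changes its startup type only: Security Center (wscsvc), Windows Firewall/ICS (SharedAccess) and Automatic Updates (wuauserv) will start at the next boot, or can be started by hand once the value is back.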
Step 5
Scan your computer with your Trend Micro product to delete files detected as WORM_SDBOT.CEM. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Step 6
Download and apply these security patches. Refrain from using these products until the appropriate patches have been installed. Trend Micro advises users to download critical patches upon release by vendors.
http://www.microsoft.com/technet/security/bulletin/ms03-039.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-026.mspx
http://www.microsoft.com/technet/security/bulletin/ms03-049.mspx
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
http://www.securityfocus.com/bid/1055/solution