Skip to content

Export page to PDF
WORM_SDBOT.UH
Aliases: Backdoor:Win32/Rbot (Microsoft); W32.Spybot.Worm (Symantec); W32/Sdbot.worm.gen (McAfee); W32/Rbot-HQ (Sophos)
Malware type: Worm
Destructive: No
Platform: Windows 2000, Windows XP, Windows Server 2003
Encrypted: No
In the wild: Yes

Overview


Infection Channel: Downloaded from the Internet, Dropped by other malware, Propagates via network shares, Propagates via software vulnerabilities

This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It uses a list of user names to gain access to password-protected shares. It uses a list of passwords to gain access to password-protected shares. It takes advantage of software vulnerabilities to propagate across networks.

It connects to Internet Relay Chat (IRC) servers. It runs certain commands that it receives remotely from a malicious user. Doing this puts the affected computer and information found on the computer at greater risk.

It performs denial of service (DoS) attacks on affected systems using specific flooding method(s).

It steals CD keys, serial numbers, and/or the application product IDs of certain software. tolen information may be used for profit by cybercriminals who may gain access to the information. It uses a sniffer to get passwords from network packets. This action allows this malware to get login passwords for computers connected to the system.

It deletes the initially executed copy of itself.

Technical Details


File size: 151,522 bytes
File type: EXE
Memory resident: Yes
Initial samples received date: 06 Mar 2009
Payload: Steals information, Compromises system security, Launches DoS/DDoS attacks

Arrival Details

This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following copies of itself into the affected system:

  • %System%\WIN32X.EXE

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
Microsoft Time Manager = "dveldr.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\RunServices
Microsoft Time Manager = "dveldr.exe"

Other System Modifications

This worm adds the following registry entries:

HKEY_LOCAL_MACHINE\Software\Microsoft\
Ole
Microsoft Time Manager = "dveldr.exe"

Propagation

This worm drops copies of itself in the following shared folders:

  • ADMIN$\system32
  • C$\Windows\system32
  • C$\WINNT\system32
  • IPC$

It uses the following list of user names to gain access to password-protected shares:

  • {blank}
  • accounting
  • accounts
  • administrador
  • administrat
  • administrateur
  • administrator
  • admins
  • backup
  • blank
  • brian
  • chris
  • cisco
  • compaq
  • computer
  • control
  • database
  • default
  • exchange
  • george
  • guest
  • homeuser
  • internet
  • intranet
  • katie
  • nokia
  • oeminstall
  • oemuser
  • office
  • oracle
  • orainstall
  • outlook
  • owner
  • peter
  • siemens
  • staff
  • student
  • susan
  • teacher
  • technical
  • win2000
  • win2k
  • win98
  • windows
  • winnt
  • winxp
  • wwwadmin

It uses the following list of passwords to gain access to password-protected shares:

  • {blank}
  • 12345
  • 123456
  • 1234567
  • 12345678
  • 123456789
  • 1234567890
  • access
  • bitch
  • changeme
  • databasepass
  • databasepassword
  • db1234
  • dbpass
  • dbpassword
  • domain
  • domainpass
  • domainpassword
  • hello
  • linux
  • login
  • loginpass
  • pass1234
  • passwd
  • password
  • password1
  • qwerty
  • server
  • sqlpassoainstall
  • system
  • winpass

It takes advantage of the following software vulnerabilities to propagate across networks:

Backdoor Routine

This worm connects to any of the following Internet Relay Chat (IRC) servers:

  • irc.{BLOCKED}o.net

It executes the following command(s) from a remote malicious user:

  • Update malware from HTTP and FTP URL
  • Steal CD keys of games
  • Execute a file
  • Download from HTTP and FTP URL
  • Open a command shell
  • Open files
  • Display the driver list
  • Get screen capture
  • Capture pictures and video clips
  • Display netinfo
  • Make a bot join a channel
  • Stop and start a thread
  • List all running process
  • Rename a file
  • Generate a random nickname
  • Perform different kinds of distributed denial of service (DDoS) attacks
  • Retrieve and clear log files
  • Terminate the bot
  • Disconnect the bot from IRC
  • Send a message to the IRC server
  • Let the bot perform mode change
  • Change BOT ID
  • Display connection type, local IP address, and other net information
  • Log in and log out the user
  • Issue Ping attack on to a target computer
  • Display system information such as CPU speed, Amount of memory, Windows platform, build version and product ID, Malware uptime, User name

Denial of Service (DoS) Attack

This worm performs denial of service (DoS) attacks on affected systems using the following flooding method(s):

  • HTTP
  • ICMP
  • SYN
  • UDP

Information Theft

This worm steals CD keys, serial numbers, and/or the application product IDs of certain software.

It launches a carnivore sniffer to retrieve passwords from network packets using certain strings.

Other Details

This worm deletes the initially executed copy of itself

NOTES:

This worm creates several threads to be used for its sniffing, keylogging, and other backdoor capabilities. It also makes the infected system a TFTP server that attempts to send this worm to other systems as the file BLING.EXE.

It spreads via network shares, using NetBEUI functions to get available lists of user names and passwords.

It uses carnivore network sniffer and checks for the following strings for its information theft routine:

  • : auth
  • : login
  • :!auth
  • :!hashin
  • :!login
  • :!secure
  • :!syn
  • :$auth
  • :$hashin
  • :$login
  • :$syn
  • :%auth
  • :%hashin
  • :%login
  • :%syn
  • :&auth
  • :&login
  • :'auth
  • :'login
  • :*auth
  • :*login
  • :+auth
  • :+login
  • :,auth
  • :,login
  • :-auth
  • :-login
  • :.auth
  • :.hashin
  • :.login
  • :.secure
  • :.syn
  • :/auth
  • :/login
  • :=auth
  • :=login
  • :?auth
  • :?login
  • :@auth
  • :@login
  • :\auth
  • :\login
  • :~auth
  • :~login
  • login
  • PAYPAL
  • PAYPAL.COM

It attempts to steal the Windows product ID and the CD keys of the following games:

  • Battlefield 1942
  • Battlefield 1942 (Road To Rome)
  • Battlefield 1942 (Secret Weapons of WWII)
  • Battlefield Vietnam
  • Black and White
  • Chrome
  • Command and Conquer: Generals
  • Command and Conquer: Generals (Zero Hour)
  • Command and Conquer: Red Alert
  • Command and Conquer: Red Alert 2
  • Command and Conquer: Tiberian Sun
  • Counter-Strike (Retail)
  • FIFA 2002
  • FIFA 2003
  • Freedom Force
  • Global Operations
  • Gunman Chronicles
  • Half-Life
  • Hidden & Dangerous 2
  • IGI 2: Covert Strike
  • Industry Giant 2
  • James Bond 007: Nightfire
  • Legends of Might and Magic
  • Medal of Honor: Allied Assault
  • Medal of Honor: Allied Assault: Breakthrough
  • Medal of Honor: Allied Assault: Spearhead
  • Nascar Racing 2002
  • Nascar Racing 2003
  • Need For Speed Hot Pursuit 2
  • Need For Speed: Underground
  • Neverwinter Nights
  • Neverwinter Nights (Hordes of the Underdark)
  • Neverwinter Nights (Shadows of Undrentide)
  • NHL 2002
  • NHL 2003
  • NOX
  • Rainbow Six III RavenShield
  • Shogun: Total War: Warlord Edition
  • Soldier of Fortune II - Double Helix
  • Soldiers of Anarchy
  • The Gladiators
  • Unreal Tournament 2003
  • Unreal Tournament 2004

A remote malicious user can issue commands to allow logging keystrokes.

Solution


Minimum scan engine: 9.200
VSAPI OPR Pattern Version: 5.883.00
VSAPI OPR Pattern Release Date: 06 Mar 2009

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Identify and terminate files detected as WORM_SDBOT.UH

[ Learn more ]
  1. Windows Task Manager may not display all running processes. In this case, please use a third-party process viewer, preferably Process Explorer, to terminate the malware/grayware/spyware file. You may download the said tool here.
  2. If the detected file is displayed in either Windows Task Manager or Process Explorer but you cannot delete it, restart your computer in safe mode. To do this, refer to this link for the complete steps.
  3. If the detected file is not displayed in either Windows Task Manager or Process Explorer, continue doing the next steps.

Step 3

Delete this registry value

[ Learn more ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.


  • In HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    • Microsoft Time Manager = "dveldr.exe"
  • In HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    • Microsoft Time Manager = "dveldr.exe"
  • In HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
    • Microsoft Time Manager = "dveldr.exe"

Step 4

Scan your computer with your Trend Micro product to delete files detected as WORM_SDBOT.UH. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Step 5

Download and apply these security patches Refrain from using these products until the appropriate patches have been installed. Trend Micro advises users to download critical patches upon release by vendors.
 

  • http://technet.microsoft.com/en-us/security/bulletin/ms03-026
  • http://technet.microsoft.com/en-us/security/bulletin/ms02-061
  • http://technet.microsoft.com/en-us/security/bulletin/ms03-007
  • http://technet.microsoft.com/en-us/security/bulletin/ms04-011


Did this description help? Tell us how we did.
Analysis By: Kathleen Notario

Connect with us on