Skip to content
1-888-762-8736(M-F 8:00am-5:00pm CST)
1-877-218-7353(M-F 8:00am-5:00pm CST)
href="http://www.trendmicro.com/us/enterprise/index.html" id="ENT-overview-test2" title="SEE ALL ENTERPRISE SOLUTIONS">Enterprise Overview
This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It uses a list of user names to gain access to password-protected shares. It uses a list of passwords to gain access to password-protected shares. It takes advantage of software vulnerabilities to propagate across networks.
It connects to Internet Relay Chat (IRC) servers. It runs certain commands that it receives remotely from a malicious user. Doing this puts the affected computer and information found on the computer at greater risk.
It performs denial of service (DoS) attacks on affected systems using specific flooding method(s).
It steals CD keys, serial numbers, and/or the application product IDs of certain software. tolen information may be used for profit by cybercriminals who may gain access to the information. It uses a sniffer to get passwords from network packets. This action allows this malware to get login passwords for computers connected to the system.
It deletes the initially executed copy of itself.
This worm drops the following copies of itself into the affected system:
(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)
This worm adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunMicrosoft Time Manager = "dveldr.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesMicrosoft Time Manager = "dveldr.exe"
Other System Modifications
This worm adds the following registry entries:
HKEY_LOCAL_MACHINE\Software\Microsoft\OleMicrosoft Time Manager = "dveldr.exe"
This worm drops copies of itself in the following shared folders:
It uses the following list of user names to gain access to password-protected shares:
It uses the following list of passwords to gain access to password-protected shares:
It takes advantage of the following software vulnerabilities to propagate across networks:
This worm connects to any of the following Internet Relay Chat (IRC) servers:
It executes the following command(s) from a remote malicious user:
Denial of Service (DoS) Attack
This worm performs denial of service (DoS) attacks on affected systems using the following flooding method(s):
This worm steals CD keys, serial numbers, and/or the application product IDs of certain software.
It launches a carnivore sniffer to retrieve passwords from network packets using certain strings.
This worm deletes the initially executed copy of itself
This worm creates several threads to be used for its sniffing, keylogging, and other backdoor capabilities. It also makes the infected system a TFTP server that attempts to send this worm to other systems as the file BLING.EXE.
It spreads via network shares, using NetBEUI functions to get available lists of user names and passwords.
It uses carnivore network sniffer and checks for the following strings for its information theft routine:
It attempts to steal the Windows product ID and the CD keys of the following games:
A remote malicious user can issue commands to allow logging keystrokes.
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Identify and terminate files detected as WORM_SDBOT.UH
To terminate the malware/grayware/spyware process:
Delete this registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
To delete the registry value this malware created:
Scan your computer with your Trend Micro product to delete files detected as WORM_SDBOT.UH. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Download and apply these security patches Refrain from using these products until the appropriate patches have been installed. Trend Micro advises users to download critical patches upon release by vendors.
Connect with us on
| | | |