PLATFORM:

Windows 2000, XP, Server 2003


  • Threat Type: Worm

  • Destructiveness: No

  • In the wild: Yes

  OVERVIEW



It may be unknowingly downloaded by a user while visiting malicious websites.
It may be dropped by other malware.
It adds registry entries to enable its automatic execution at every system startup.
It connects to Internet Relay Chat (IRC) servers.
It propagates via shared networks and drops copies of itself into available networks.
It uses a sniffer to capture passwords from network packets. This lets the malware obtain login passwords for other computers connected to the affected system.
It logs a user's keystrokes to steal information.
It steals CD keys, serial numbers, and/or the application product IDs of certain software. Stolen information may be used for profit by cybercriminals who gain access to it.
It deletes itself after execution.
It bypasses the Windows firewall. This allows the malware to perform its intended routine without being detected by an installed firewall.
It exploits software vulnerabilities to propagate to other computers across a network.

  TECHNICAL DETAILS

Initial Samples Received Date: 01 Jan 0001



Arrival Details


It may be unknowingly downloaded by a user while visiting malicious websites.


It may be dropped by other malware.



Autostart Technique


It adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Update='host.exe'



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Windows Update='host.exe'



HKEY_CURRENT_USER\Software\Microsoft\OLE
Windows Update='host.exe'



Backdoor Routine


It connects to any of the following Internet Relay Chat (IRC) servers:

  • blah.swapixtreme.com:7878


It joins any of the following IRC channel(s):

  • #b



File Infection


It propagates via shared networks and drops copies of itself into available networks.



Information Theft


It launches a carnivore sniffer to retrieve passwords from network packets using certain strings.


It logs a user's keystrokes to steal information.


It steals CD keys, serial numbers, and/or the application product IDs of certain software.



Installation


It drops the following copies of itself into the affected system:

  • %System%\host.exe


It deletes itself after execution.



Other Details


More information on these vulnerabilities can be found below:

  • http://www.microsoft.com/technet/security/bulletin/ms03-039.mspx

  • http://www.microsoft.com/technet/security/bulletin/ms03-026.mspx

  • http://www.microsoft.com/technet/security/bulletin/ms03-049.mspx

  • http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

  • http://www.securityfocus.com/bid/1055/solution



Other System Modifications


It adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MaxConnectionsPer1_0Server=80
MaxConnectionsPerServer=80

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
EnableRemoteConnect='N'

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT1.0\Server
Enabled=0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareWks=0
AutoShareServer=0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
TCP1320Opts=3
KeepAliveTime=144000
BcastQueryTimeout=750
BcastNameQueryCount=1
CacheTimeout=60000
Size/Small/Medium/Large=3
LargeBufferSize=4096
SynAckProtect=2
PerformRouterDiscovery=0
EnablePMTUBHDetect=0
FastSendDatagramThreshold=1024
StandardAddressLength=24
DefaultReceiveWindow=16384
DefaultSendWindow=16384
BufferMultiplier=512
PriorityBoost=2
IrpStackSize=4
IgnorePushBitOnReceives=0
DisableAddressSharing=0
AllowUserRawAccess=0
DisableRawSecurity=0
DynamicBacklogGrowthDelta=50
FastCopyReceiveThreshold=1024
LargeBufferListDepth=10
MaxActiveTransmitFileCount=2
MaxFastTransmit=64
OverheadChargeGranularity=1
SmallBufferListDepth=32
SmallerBufferSize=128
TransmitWorker=32
DNSQueryTimeouts={random hex values}
DefaultRegistrationTTL=20
DisableReplaceAddressesInConflicts=0
DisableReverseAddressRegistrations=1
UpdateSecurityLevel=0
QueryIpMatching=0
NoNameReleaseOnDemand=1
EnableDeadGWDetect=0
EnableFastRouteLookup=1
MaxFreeTcbs=2000
MaxHashTableSize=2048
SackOpts=1
Tcp1323Opts=3
TcpMaxDupAcks=1
TcpRecvSegmentSize=1413
TcpSendSegmentSize=1413
DefaultTTL=48
TcpMaxHalfOpen=75
TcpMaxHalfOpenRetried=80
MaxNormLookupMemory=200000
FFPControlFlags=1
FFPFastForwardingCacheSize=200000
MaxForwardBufferMemory=105975
MaxFreeTWTcbs=2000
GlobalMaxTcpWindowSize=512512
EnablePMTUDiscovery=1
ForwardBufferMemory=105975


It modifies the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Services\wscsvc
Start=4

(Note: The default value data of the said registry entry is 2.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
Start=4

(Note: The default value data of the said registry entry is 3.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
Start=4

(Note: The default value data of the said registry entry is 2.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
EnableDCOM='N'

(Note: The default value data of the said registry entry is 'Y'.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous=1

(Note: The default value data of the said registry entry is 0.)


It modifies the following registry entries to disable the Windows Firewall settings:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
%System%\host.exe='%system\host.exe:*:Enabled:host%'
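
The persistence entries, the service and security settings listed as modified, and the firewall exception above are the host-side indicators a responder can check for directly. The following PowerShell script is an added example and not code from the original description: it audits a host read-only for those indicators and prints what it finds. It assumes PowerShell 2.0 or later (Windows XP SP3 or Server 2003 SP2 with PowerShell installed; there is no PowerShell for Windows 2000), an elevated prompt, that %System% is the system32 folder, and that the wscsvc key sits under CurrentControlSet like its siblings (the description prints that one path as ControlSet). It deliberately does not test the Tcpip tuning list, since several of those names are legitimate, documented TCP/IP parameters and their presence alone proves nothing.

```powershell
# Added example (not from the original description): read-only audit for the
# host indicators listed above. Assumes PowerShell 2.0+ and an elevated prompt.
# Nothing below modifies the system.

$findings = New-Object System.Collections.ArrayList

function Add-Finding([string]$Indicator, [string]$Location) {
    [void]$findings.Add((New-Object PSObject -Property @{ Indicator = $Indicator; Location = $Location }))
}

# True when $Name exists under $Key and, if $Expected is given, holds that data.
function Test-RegValue([string]$Key, [string]$Name, [string]$Expected = '') {
    if (-not (Test-Path -LiteralPath $Key)) { return $false }
    $item = Get-ItemProperty -LiteralPath $Key -ErrorAction SilentlyContinue
    if ($item -eq $null -or $item.PSObject.Properties[$Name] -eq $null) { return $false }
    if ($Expected -eq '') { return $true }
    return ([string]$item.$Name -eq $Expected)
}

# 1. Dropped copy (%System% = system32, assumed) and a running process of that name.
$copy = Join-Path $env:SystemRoot 'system32\host.exe'
if (Test-Path -LiteralPath $copy) { Add-Finding 'dropped copy present' $copy }
if (Get-Process -Name host -ErrorAction SilentlyContinue) { Add-Finding 'host.exe process running' 'process list' }

# 2. Autostart entries: a value named "Windows Update" whose data is host.exe.
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
                 'HKCU:\Software\Microsoft\OLE') {
    if (Test-RegValue $key 'Windows Update' 'host.exe') { Add-Finding 'autostart entry' "$key\Windows Update" }
}

# 3. Services the description says it disables (Start=4) and settings it changes.
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'   # wscsvc assumed here, not under "ControlSet"
foreach ($name in 'wscsvc', 'SharedAccess', 'wuauserv') {
    if (Test-RegValue "$svc\$name" 'Start' '4') { Add-Finding "$name service disabled" "$svc\$name\Start=4" }
}
if (Test-RegValue 'HKLM:\SOFTWARE\Microsoft\Ole' 'EnableDCOM' 'N')         { Add-Finding 'EnableDCOM=N'          'HKLM:\SOFTWARE\Microsoft\Ole' }
if (Test-RegValue 'HKLM:\SOFTWARE\Microsoft\Ole' 'EnableRemoteConnect' 'N') { Add-Finding 'EnableRemoteConnect=N' 'HKLM:\SOFTWARE\Microsoft\Ole' }
if (Test-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'restrictanonymous' '1') {
    Add-Finding 'restrictanonymous=1' 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
}

# 4. Windows Firewall exception for host.exe; the value name is the full path of the copy.
$fwList = "$svc\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List"
if (Test-Path -LiteralPath $fwList) {
    (Get-ItemProperty -LiteralPath $fwList).PSObject.Properties |
        Where-Object { $_.Name -like '*\host.exe' } |
        ForEach-Object { Add-Finding 'firewall exception' "$fwList\$($_.Name)" }
}

if ($findings.Count -eq 0) { Write-Host 'No indicators from this description were found.' }
else { $findings | Format-Table -AutoSize Indicator, Location }
```

A hit on the autostart value or the dropped copy is a strong indicator; the service and DCOM settings can also be changed by administrators, so treat those as corroboration rather than proof on their own.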



Propagation


It exploits the following software vulnerabilities to propagate to other computers across a network:

  • Buffer Overrun In RPCSS Service Could Allow Code Execution (MS03-039)

  • Buffer Overrun In RPC Interface Could Allow Code Execution (MS03-026)

  • Buffer Overrun in the Workstation Service Could Allow Code Execution (MS03-049)

  • MS04-011

  • SQL Weak Password Exploit (CVE-2000-0199)

  SOLUTION

Minimum Scan Engine: 8.900


Step 1
For Windows ME and XP users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2
Terminate this process

  1. For Windows 98 and ME users, the Windows Task Manager may not display all running processes. In this case, please use a third-party process viewer, preferably Process Explorer, to terminate the malware/grayware/spyware file. You may download the said tool here.
  2. If the detected file is displayed in either Windows Task Manager or Process Explorer but you cannot delete it, restart your computer in safe mode. To do this, refer to this link for the complete steps.
  3. If the detected file is not displayed in either Windows Task Manager or Process Explorer, continue doing the next steps.


Step 3
Delete this registry value. This step allows you to delete the registry value created by the malware.

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • Windows Update=host.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    • Windows Update=host.exe
  • In HKEY_CURRENT_USER\Software\Microsoft\OLE
    • Windows Update=host.exe
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    • MaxConnectionsPer1_0Server=80
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    • MaxConnectionsPerServer=80
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
    • EnableRemoteConnect=N
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT1.0\Server
    • Enabled=0
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
    • AutoShareWks=0
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
    • AutoShareServer=0
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • TCP1320Opts=3
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • KeepAliveTime=144000
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • BcastQueryTimeout=750
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • BcastNameQueryCount=1
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • CacheTimeout=60000
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • Size/Small/Medium/Large=3
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • LargeBufferSize=4096
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • SynAckProtect=2
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • PerformRouterDiscovery=0
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • EnablePMTUBHDetect=0
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • FastSendDatagramThreshold=1024
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • StandardAddressLength=24
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • DefaultReceiveWindow=16384
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • DefaultSendWindow=16384
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • BufferMultiplier=512
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • PriorityBoost=2
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • IrpStackSize=4
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • IgnorePushBitOnReceives=0
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • DisableAddressSharing=0
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • AllowUserRawAccess=0
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • DisableRawSecurity=0
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • DynamicBacklogGrowthDelta=50
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • FastCopyReceiveThreshold=1024
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • LargeBufferListDepth=10
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • MaxActiveTransmitFileCount=2
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • MaxFastTransmit=64
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • OverheadChargeGranularity=1
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • SmallBufferListDepth=32
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • SmallerBufferSize=128
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • TransmitWorker=32
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • DNSQueryTimeouts={random hex values}
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • DefaultRegistrationTTL=20
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • DisableReplaceAddressesInConflicts=0
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • DisableReverseAddressRegistrations=1
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • UpdateSecurityLevel=0
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • QueryIpMatching=0
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • NoNameReleaseOnDemand=1
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • EnableDeadGWDetect=0
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • EnableFastRouteLookup=1
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • MaxFreeTcbs=2000
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • MaxHashTableSize=2048
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • SackOpts=1
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • Tcp1323Opts=3
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • TcpMaxDupAcks=1
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • TcpRecvSegmentSize=1413
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • TcpSendSegmentSize=1413
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • DefaultTTL=48
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • TcpMaxHalfOpen=75
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • TcpMaxHalfOpenRetried=80
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • MaxNormLookupMemory=200000
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • FFPControlFlags=1
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • FFPFastForwardingCacheSize=200000
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • MaxForwardBufferMemory=105975
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • MaxFreeTWTcbs=2000
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • GlobalMaxTcpWindowSize=512512
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • EnablePMTUDiscovery=1
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    • ForwardBufferMemory=105975
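
The Step 3 list above, together with the entries under Other System Modifications that the description says the worm changes, can be handled in one script. The following PowerShell script is an added example, not part of the original description: it deletes the listed values and puts the modified entries back to the default data the description gives for them. It assumes PowerShell 2.0 or later (Windows XP SP3 or Server 2003 SP2; there is no PowerShell for Windows 2000), an elevated prompt, and that the wscsvc key is under CurrentControlSet like its siblings. One safeguard goes beyond the written steps: several Tcpip names in the list are legitimate, documented TCP/IP parameters, so a value is deleted only when its current data matches what the description says the worm writes, and anything else is reported for manual review. Save it under a name of your choice (Clean-Host.ps1 is used below as a placeholder) and run it with -WhatIf first.

```powershell
# Added example (not from the original description): scripted form of the Step 3
# deletions above, plus a reset of the entries the description says the worm changed,
# to the default data the description states. Assumes PowerShell 2.0+ and an elevated
# prompt. Run as  .\Clean-Host.ps1 -WhatIf  first; every change below honours it.
[CmdletBinding(SupportsShouldProcess=$true)]
param()

# Step 3 values as 'name=data' pairs per key ('*' = any data; DNSQueryTimeouts is random).
$tcpip = 'TCP1320Opts=3;KeepAliveTime=144000;BcastQueryTimeout=750;BcastNameQueryCount=1;' +
  'CacheTimeout=60000;Size/Small/Medium/Large=3;LargeBufferSize=4096;SynAckProtect=2;' +
  'PerformRouterDiscovery=0;EnablePMTUBHDetect=0;FastSendDatagramThreshold=1024;' +
  'StandardAddressLength=24;DefaultReceiveWindow=16384;DefaultSendWindow=16384;' +
  'BufferMultiplier=512;PriorityBoost=2;IrpStackSize=4;IgnorePushBitOnReceives=0;' +
  'DisableAddressSharing=0;AllowUserRawAccess=0;DisableRawSecurity=0;' +
  'DynamicBacklogGrowthDelta=50;FastCopyReceiveThreshold=1024;LargeBufferListDepth=10;' +
  'MaxActiveTransmitFileCount=2;MaxFastTransmit=64;OverheadChargeGranularity=1;' +
  'SmallBufferListDepth=32;SmallerBufferSize=128;TransmitWorker=32;DNSQueryTimeouts=*;' +
  'DefaultRegistrationTTL=20;DisableReplaceAddressesInConflicts=0;' +
  'DisableReverseAddressRegistrations=1;UpdateSecurityLevel=0;QueryIpMatching=0;' +
  'NoNameReleaseOnDemand=1;EnableDeadGWDetect=0;EnableFastRouteLookup=1;MaxFreeTcbs=2000;' +
  'MaxHashTableSize=2048;SackOpts=1;Tcp1323Opts=3;TcpMaxDupAcks=1;TcpRecvSegmentSize=1413;' +
  'TcpSendSegmentSize=1413;DefaultTTL=48;TcpMaxHalfOpen=75;TcpMaxHalfOpenRetried=80;' +
  'MaxNormLookupMemory=200000;FFPControlFlags=1;FFPFastForwardingCacheSize=200000;' +
  'MaxForwardBufferMemory=105975;MaxFreeTWTcbs=2000;GlobalMaxTcpWindowSize=512512;' +
  'EnablePMTUDiscovery=1;ForwardBufferMemory=105975'
$toDelete = @{
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'               = 'Windows Update=host.exe'
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'       = 'Windows Update=host.exe'
  'HKCU:\Software\Microsoft\OLE'                                      = 'Windows Update=host.exe'
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' = 'MaxConnectionsPer1_0Server=80;MaxConnectionsPerServer=80'
  'HKLM:\SOFTWARE\Microsoft\Ole'                                      = 'EnableRemoteConnect=N'
  'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT1.0\Server' = 'Enabled=0'
  'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'   = 'AutoShareWks=0;AutoShareServer=0'
  'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'          = $tcpip
}
# Entries to reset to the defaults the description states (wscsvc assumed under
# CurrentControlSet like its siblings; the description prints "ControlSet").
$toRestore = @(
  @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc';       Name = 'Start';             Bad = '4'; Default = 2 },
  @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess'; Name = 'Start';             Bad = '4'; Default = 3 },
  @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv';     Name = 'Start';             Bad = '4'; Default = 2 },
  @{ Key = 'HKLM:\SOFTWARE\Microsoft\Ole';                         Name = 'EnableDCOM';        Bad = 'N'; Default = 'Y' },
  @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';           Name = 'restrictanonymous'; Bad = '1'; Default = 0 }
)

# Current data of a value as a string, or $null when the key or value is absent.
function Get-RegData([string]$Key, [string]$Name) {
    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Key -ErrorAction SilentlyContinue
    if ($item -eq $null -or $item.PSObject.Properties[$Name] -eq $null) { return $null }
    return [string]$item.$Name
}

# Delete only values whose data matches the description; report the rest for review.
foreach ($key in $toDelete.Keys) {
    foreach ($pair in $toDelete[$key] -split ';') {
        $name, $data = $pair -split '=', 2
        $current = Get-RegData $key $name
        if ($current -eq $null) { continue }
        if ($data -ne '*' -and $current -ne $data) {
            Write-Warning "kept $key\$name = '$current' (description lists '$data'); review manually"
        } elseif ($PSCmdlet.ShouldProcess("$key\$name", 'Remove registry value')) {
            Remove-ItemProperty -LiteralPath $key -Name $name
        }
    }
}
# Put the modified entries back to their stated defaults, but only if they still hold the worm's data.
foreach ($r in $toRestore) {
    if ((Get-RegData $r.Key $r.Name) -eq $r.Bad -and
        $PSCmdlet.ShouldProcess("$($r.Key)\$($r.Name)", "Reset to default $($r.Default)")) {
        Set-ItemProperty -LiteralPath $r.Key -Name $r.Name -Value $r.Default
    }
}
# The firewall exception described earlier is keyed by the full path of the dropped copy.
$fwList = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
if (Test-Path -LiteralPath $fwList) {
    (Get-ItemProperty -LiteralPath $fwList).PSObject.Properties |
      Where-Object { $_.Name -like '*\host.exe' -and $PSCmdlet.ShouldProcess("$fwList\$($_.Name)", 'Remove firewall exception') } |
      ForEach-Object { Remove-ItemProperty -LiteralPath $fwList -Name $_.Name }
}
```

The -WhatIf run lists every deletion and reset the script would perform without touching the registry; once the list looks right, run it again without the switch, then carry on with the remaining steps of the solution. Because the script matches on current data, an administrator-tuned Tcpip value that happens to share a name with one of the worm's entries is left in place and flagged rather than silently removed.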

To delete the registry value this malware created:

  1. Open Registry Editor. To do this, click Start>Run, type regedit in the text box provided, then press Enter.
  2. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry:
    Windows Update=host.exe
  4. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>RunServices
  5. In the right panel, locate and delete the entry:
    Windows Update=host.exe
  6. In the left panel of the Registry Editor window, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>OLE
  7. In the right panel, locate and delete the entry:
    Windows Update=host.exe
  8. In the left panel of the Registry Editor window, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Internet Settings
  9. In the right panel, locate and delete the entry:
    MaxConnectionsPer1_0Server=80
  10. In the left panel of the Registry Editor window, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Internet Settings
  11. In the right panel, locate and delete the entry:
    MaxConnectionsPerServer=80
  12. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Ole
  13. In the right panel, locate and delete the entry:
    EnableRemoteConnect=N
  14. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Control>SecurityProviders>SCHANNEL>Protocols>PCT1.0>Server
  15. In the right panel, locate and delete the entry:
    Enabled=0
  16. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>lanmanserver>parameters
  17. In the right panel, locate and delete the entry:
    AutoShareWks=0
  18. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>lanmanserver>parameters
  19. In the right panel, locate and delete the entry:
    AutoShareServer=0
  20. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  21. In the right panel, locate and delete the entry:
    TCP1320Opts=3
  22. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  23. In the right panel, locate and delete the entry:
    KeepAliveTime=144000
  24. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  25. In the right panel, locate and delete the entry:
    BcastQueryTimeout=750
  26. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  27. In the right panel, locate and delete the entry:
    BcastNameQueryCount=1
  28. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  29. In the right panel, locate and delete the entry:
    CacheTimeout=60000
  30. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  31. In the right panel, locate and delete the entry:
    Size/Small/Medium/Large=3
  32. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  33. In the right panel, locate and delete the entry:
    LargeBufferSize=4096
  34. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  35. In the right panel, locate and delete the entry:
    SynAckProtect=2
  36. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  37. In the right panel, locate and delete the entry:
    PerformRouterDiscovery=0
  38. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  39. In the right panel, locate and delete the entry:
    EnablePMTUBHDetect=0
  40. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  41. In the right panel, locate and delete the entry:
    FastSendDatagramThreshold=1024
  42. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  43. In the right panel, locate and delete the entry:
    StandardAddressLength=24
  44. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  45. In the right panel, locate and delete the entry:
    DefaultReceiveWindow=16384
  46. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  47. In the right panel, locate and delete the entry:
    DefaultSendWindow=16384
  48. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  49. In the right panel, locate and delete the entry:
    BufferMultiplier=512
  50. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  51. In the right panel, locate and delete the entry:
    PriorityBoost=2
  52. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  53. In the right panel, locate and delete the entry:
    IrpStackSize=4
  54. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  55. In the right panel, locate and delete the entry:
    IgnorePushBitOnReceives=0
  56. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  57. In the right panel, locate and delete the entry:
    DisableAddressSharing=0
  58. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  59. In the right panel, locate and delete the entry:
    AllowUserRawAccess=0
  60. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  61. In the right panel, locate and delete the entry:
    DisableRawSecurity=0
  62. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  63. In the right panel, locate and delete the entry:
    DynamicBacklogGrowthDelta=50
  64. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  65. In the right panel, locate and delete the entry:
    FastCopyReceiveThreshold=1024
  66. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  67. In the right panel, locate and delete the entry:
    LargeBufferListDepth=10
  68. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  69. In the right panel, locate and delete the entry:
    MaxActiveTransmitFileCount=2
  70. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  71. In the right panel, locate and delete the entry:
    MaxFastTransmit=64
  72. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  73. In the right panel, locate and delete the entry:
    OverheadChargeGranularity=1
  74. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  75. In the right panel, locate and delete the entry:
    SmallBufferListDepth=32
  76. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  77. In the right panel, locate and delete the entry:
    SmallerBufferSize=128
  78. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  79. In the right panel, locate and delete the entry:
    TransmitWorker=32
  80. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  81. In the right panel, locate and delete the entry:
    DNSQueryTimeouts={random hex values}
  82. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  83. In the right panel, locate and delete the entry:
    DefaultRegistrationTTL=20
  84. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  85. In the right panel, locate and delete the entry:
    DisableReplaceAddressesInConflicts=0
  86. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  87. In the right panel, locate and delete the entry:
    DisableReverseAddressRegistrations=1
  88. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  89. In the right panel, locate and delete the entry:
    UpdateSecurityLevel=0
  90. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  91. In the right panel, locate and delete the entry:
    QueryIpMatching=0
  92. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  93. In the right panel, locate and delete the entry:
    NoNameReleaseOnDemand=1
  94. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  95. In the right panel, locate and delete the entry:
    EnableDeadGWDetect=0
  96. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  97. In the right panel, locate and delete the entry:
    EnableFastRouteLookup=1
  98. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  99. In the right panel, locate and delete the entry:
    MaxFreeTcbs=2000
  100. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  101. In the right panel, locate and delete the entry:
    MaxHashTableSize=2048
  102. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  103. In the right panel, locate and delete the entry:
    SackOpts=1
  104. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  105. In the right panel, locate and delete the entry:
    Tcp1323Opts=3
  106. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  107. In the right panel, locate and delete the entry:
    TcpMaxDupAcks=1
  108. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  109. In the right panel, locate and delete the entry:
    TcpRecvSegmentSize=1413
  110. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  111. In the right panel, locate and delete the entry:
    TcpSendSegmentSize=1413
  112. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  113. In the right panel, locate and delete the entry:
    DefaultTTL=48
  114. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  115. In the right panel, locate and delete the entry:
    TcpMaxHalfOpen=75
  116. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  117. In the right panel, locate and delete the entry:
    TcpMaxHalfOpenRetried=80
  118. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  119. In the right panel, locate and delete the entry:
    MaxNormLookupMemory=200000
  120. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  121. In the right panel, locate and delete the entry:
    FFPControlFlags=1
  122. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  123. In the right panel, locate and delete the entry:
    FFPFastForwardingCacheSize=200000
  124. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  125. In the right panel, locate and delete the entry:
    MaxForwardBufferMemory=105975
  126. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  127. In the right panel, locate and delete the entry:
    MaxFreeTWTcbs=2000
  128. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  129. In the right panel, locate and delete the entry:
    GlobalMaxTcpWindowSize=512512
  130. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  131. In the right panel, locate and delete the entry:
    EnablePMTUDiscovery=1
  132. In the left panel of the Registry Editor window, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters
  133. In the right panel, locate and delete the entry:
    ForwardBufferMemory=105975
  134. Close Registry Editor.

Step 4
Restore this modified registry value
This step allows you to undo a change done by the malware/grayware/spyware to a registry value.

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Services\wscsvc
    • From: Start=4
      To: Start=2
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
    • From: Start=4
      To: Start=3
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
    • From: Start=4
      To: Start=2
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
    • From: EnableDCOM=N
      To: EnableDCOM=Y
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    • From: restrictanonymous=1
      To: restrictanonymous=0

To restore the registry value this malware/grayware/spyware modified:

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>ControlSet>Services>wscsvc
  3. In the right panel, locate the registry value:
    Start=4
  4. Right-click on the value name and choose Modify. Change the value data of this entry to:
    Start=2
  5. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>SharedAccess
  6. In the right panel, locate the registry value:
    Start=4
  7. Right-click on the value name and choose Modify. Change the value data of this entry to:
    Start=3
  8. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>wuauserv
  9. In the right panel, locate the registry value:
    Start=4
  10. Right-click on the value name and choose Modify. Change the value data of this entry to:
    Start=2
  11. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Ole
  12. In the right panel, locate the registry value:
    EnableDCOM=N
  13. Right-click on the value name and choose Modify. Change the value data of this entry to:
    EnableDCOM=Y
  14. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Control>Lsa
  15. In the right panel, locate the registry value:
    restrictanonymous=1
  16. Right-click on the value name and choose Modify. Change the value data of this entry to:
    restrictanonymous=0
  17. Close Registry Editor.
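The registry edits in Step 3 and Step 4 above can be verified from an elevated PowerShell prompt. The following script is an added example, not part of the Trend Micro write-up; it assumes PowerShell 2.0 or later is installed, that the service keys live under CurrentControlSet (the write-up prints "ControlSet" for wscsvc), and it only writes values when run with -Restore.

```powershell
# Added example (not from the Trend Micro write-up): audit the values this description
# says WORM_SDBOT.CEM changed (Step 4) and report the Tcpip parameters Step 3 deletes.
# Run from an elevated prompt; pass -Restore to write the Step 4 values back.
# Assumption: service keys are under CurrentControlSet (the page writes "ControlSet").
param([switch]$Restore)

# Expected post-cleanup values, taken from the Step 4 list.
$step4 = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc';       Name = 'Start';             Want = 2;   Type = 'DWord' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess'; Name = 'Start';             Want = 3;   Type = 'DWord' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv';     Name = 'Start';             Want = 2;   Type = 'DWord' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Ole';                         Name = 'EnableDCOM';        Want = 'Y'; Type = 'String' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';           Name = 'restrictanonymous'; Want = 0;   Type = 'DWord' }
)

foreach ($e in $step4) {
    $cur = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
    if ($null -eq $cur) { Write-Output "MISSING  $($e.Path)\$($e.Name)"; continue }
    if ("$cur" -eq "$($e.Want)") { Write-Output "OK       $($e.Path)\$($e.Name) = $cur"; continue }
    Write-Output "CHANGED  $($e.Path)\$($e.Name) = $cur (expected $($e.Want))"
    if ($Restore) {
        Set-ItemProperty -Path $e.Path -Name $e.Name -Value $e.Want -Type $e.Type
        Write-Output "RESTORED $($e.Path)\$($e.Name) -> $($e.Want)"
    }
}

# Tcpip parameters the write-up's Step 3 deletes. The same names are legitimate TCP/IP
# tuning values an administrator may have set on purpose, so they are only reported here;
# compare against a known-good baseline before removing any of them.
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$names = 'EnableDeadGWDetect','EnableFastRouteLookup','MaxFreeTcbs','MaxHashTableSize','SackOpts',
         'Tcp1323Opts','TcpMaxDupAcks','TcpRecvSegmentSize','TcpSendSegmentSize','DefaultTTL',
         'TcpMaxHalfOpen','TcpMaxHalfOpenRetried','MaxNormLookupMemory','FFPControlFlags',
         'FFPFastForwardingCacheSize','MaxForwardBufferMemory','MaxFreeTWTcbs',
         'GlobalMaxTcpWindowSize','EnablePMTUDiscovery','ForwardBufferMemory'
$props = Get-ItemProperty -Path $tcpip -ErrorAction SilentlyContinue
foreach ($n in $names) {
    if ($props -and $props.PSObject.Properties[$n]) {
        Write-Output "PRESENT  $tcpip\$n = $($props.$n)"
    }
}
```

Any line marked CHANGED or PRESENT after cleanup means the corresponding manual step above was not completed or the worm's autostart copy has run again.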

Step 5
Scan your computer with your Trend Micro product to delete files detected as WORM_SDBOT.CEM
If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Step 6
Download and apply these security patches
Refrain from using these products until the appropriate patches have been installed. Trend Micro advises users to download critical patches upon release by vendors.

  • http://www.microsoft.com/technet/security/bulletin/ms03-039.mspx
  • http://www.microsoft.com/technet/security/bulletin/ms03-026.mspx
  • http://www.microsoft.com/technet/security/bulletin/ms03-049.mspx
  • http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
  • http://www.securityfocus.com/bid/1055/solution
