Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 24 March 2005 20:40:07 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
Replace the Hosts file from a backup or edit it in Notepad to remove the changes that the worm made.
You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
and remove any reference to any file you deleted.
Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entries
HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\
HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\RunServices\
and remove any reference to any file you deleted.
Close the registry editor.
Check the following items
- To re-enable DCOM you can edit the registry, but it is better to use Dcomcnfg.exe. See Microsoft article 825750 for details.
- The HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1" setting does not allow enumeration of SAM accounts and names. The default is "0". It can be changed in Local Security Policy. See Microsoft article 246261 for details.
- Check your administrator passwords and review network security.
More Information
W32/Sdbot-WH is a member of the W32/Sdbot family of network worms. The worm can spread to weakly protected network shares, weakly protected MS SQL servers, and to computers vulnerable to the RPC-DCOM and LSASS exploits.
In order to run automatically when Windows starts up, the worm copies itself to the Windows system folder as hpsebc08.exe and creates the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  IPOT USB Service DRV32 = hpsebc08.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
  IPOT USB Service DRV32 = hpsebc08.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  IPOT USB Service DRV32 = hpsebc08.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
  IPOT USB Service DRV32 = hpsebc08.exe
Once installed, W32/Sdbot-WH connects to a preconfigured IRC server and joins a channel from which an attacker can issue further commands. These commands can cause the infected computer to perform any of the following actions:
- Modify the HOSTS file to deny access to computer security websites
- Scan for remote computers to spread to
- Participate in a distributed denial-of-service (DDoS) attack
- Attempt to terminate any security software on an infected computer
- List and terminate processes
- Upload, download, and execute files
- Create and delete network shares
- Examine local network traffic
When the HOSTS file (located in '<Windows system folder>\drivers\etc\') is modified, entries are created for the major computer security websites that redirect attempted access to those sites to the IP address 127.0.0.1.
The worm automatically disables DCOM and restricts anonymous access to the IPC$ share by setting the following registry entries:
HKLM\SOFTWARE\Microsoft\Ole
  EnableDCOM = N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
  restrictanonymous = 1
The worm tries to disable Windows Automatic Updates and Windows Firewall/Internet Connection Sharing by attempting to set the following registry entries:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
  Start = 4
HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
  Start = 4
W32/Sdbot-WH also drops a file named msdirectx.sys in the folder it was originally run from. This file is detected as Troj/NtRootK-F and is used to help hide the worm on an infected system. Registry entries to load this component are created under:
HKLM\SYSTEM\CurrentControlSet\Services\msdirectx
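The following read-only audit is an added example, not part of the Sophos analysis: it checks a machine for the indicators listed above (autorun values, the dropped file, HOSTS redirects to 127.0.0.1, the tampered DCOM, Lsa and service settings, and the msdirectx service key) and reports them, leaving removal to the manual steps in the Action section. It assumes PowerShell running elevated on Windows and that the "Windows system folder" is %SystemRoot%\System32.

```powershell
# Constructed audit script: reports the W32/Sdbot-WH indicators described above (assumes
# %SystemRoot%\System32 is the "Windows system folder"; run from an elevated prompt).
$valueName = 'IPOT USB Service DRV32'
$dropper   = 'hpsebc08.exe'
$findings  = New-Object System.Collections.Generic.List[string]

# 1. Run / RunServices persistence in HKLM and in every loaded user hive (HKU\<SID>)
$runKeys = @('Software\Microsoft\Windows\CurrentVersion\Run',
             'Software\Microsoft\Windows\CurrentVersion\RunServices')
$hives = @('Registry::HKEY_LOCAL_MACHINE') +
         @(Get-ChildItem -Path Registry::HKEY_USERS | ForEach-Object { "Registry::$($_.Name)" })
foreach ($hive in $hives) {
    foreach ($sub in $runKeys) {
        $key = "$hive\$sub"
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -eq $valueName -or "$($p.Value)" -match [regex]::Escape($dropper)) {
                $findings.Add("Autorun: $key\$($p.Name) = $($p.Value)")
            }
        }
    }
}
# 2. Dropped copy of the worm in the system folder
$sysDrop = Join-Path $env:SystemRoot "System32\$dropper"
if (Test-Path -Path $sysDrop) { $findings.Add("Dropped file present: $sysDrop") }

# 3. HOSTS entries that pin a name to 127.0.0.1 (anything other than localhost is suspect)
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content -Path $hostsFile -ErrorAction SilentlyContinue | ForEach-Object {
    $line = ($_ -split '#')[0].Trim()
    if ($line -match '^127\.0\.0\.1\s+(\S+)' -and $Matches[1] -ne 'localhost') {
        $findings.Add("HOSTS redirect: $line")
    }
}
# 4. Values the worm sets to disable DCOM, SAM enumeration, ICS/Firewall and Automatic Updates
#    (restrictanonymous=1 is also a legitimate hardening choice, so treat it as corroboration only)
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Ole';                         Name = 'EnableDCOM';        Bad = 'N' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';           Name = 'restrictanonymous'; Bad = '1' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess'; Name = 'Start';             Bad = '4' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv';     Name = 'Start';             Bad = '4' }
)
foreach ($c in $checks) {
    $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ("$v" -eq $c.Bad) { $findings.Add("Tampered: $($c.Path)\$($c.Name) = $v") }
}
# 5. Service key for the Troj/NtRootK-F driver (msdirectx.sys)
if (Test-Path -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\msdirectx') {
    $findings.Add('Rootkit service key present: HKLM\SYSTEM\CurrentControlSet\Services\msdirectx')
}
if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Warning $_ } } else { 'No W32/Sdbot-WH indicators found.' }
```

Because the rootkit component hides the worm on a live system, an empty report from this script is not proof of a clean machine; confirm with a full scan by the product named above.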
