Alias:WORM_SDBOT.UH
Type:Worm 
Size:151,552 Bytes 
Origin: 
Date:09-14-2004 
Damage:Steals CD keys and passwords; allows remote control of the PC. 
VDF Version:6.27.0.47 
Danger:Medium 
Distribution:Medium 

General Description
Affected operating systems:
Windows 2000, Windows XP

Distribution
The worm spreads over the following SMB shares:
c$\windows\system32
c$\winnt\system32
Admin$\system32
ipc$

Then, it tries to gain access using the following usernames:
admins
administrat
administrateur
administrador
administrato

And combines them with the following passwords:
007
1
12
123
1234
12345
123456
1234567
12345678
123456789
1234567890
2000
2001
2002
2003
2004
access
accounting
accounts
adm
asd
backup
bill
bitch
blank
bob
brian
changeme
chris
cisco
compaq
computer
control
data
database
databasepass
databasepassword
db1
db1234
db2
dba
dbpass
dbpassword
default
dell
demo
domain
domainpass
domainpassword
eric
exchange
fred
fuck
george
god
guest
hell
hello
home
homeuse
hp
ian
ibm
internet
intranet
jen
joe
john
kate
katie
lan
lee
linux
login
loginpass
luke
mail
main
mary
mike
neil
nokia
none
null
oeminstall
oemuser
office
oracle
orainstall
outlook
owner
pass
pass1234
passwd
password
password1
peter
pwd
qaz
qwe
qwerty
sam
server
sex
siemens
slut
sql
sqlpassoainstall
staff
student
sue
susan
system
teacher
technical
test
unix
web
win2000
win2k
win98
windows
winnt
winpass
winxp
www
wwwadmin
xp
zxc

Besides that, the worm tries to open a remote shell on a victim's computer using several exploits. Through that shell it writes a batch file on the victim that downloads a copy of the worm with the Windows "ftp.exe" program and then executes it.
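The credential-guessing pattern above, seen from the defender's side, as an added example that is not part of Avira's description: a Python script that parses simplified Windows 2000/XP Security log records (event 529, logon failure; event 528, successful logon; logon type 3, network logon) and flags a source host that hits several of the worm's administrative user names within a short window, noting whether a successful logon followed. The log lines, their field layout and the thresholds are constructed assumptions for the demonstration; a real deployment would read the exported Security log instead.

```python
"""Detect the SMB credential-guessing pattern of WORM_SDBOT.UH in logon records.

Added example, not Avira's code.  Input is a constructed, simplified
export of Windows 2000/XP Security log events:
    "timestamp,event_id,logon_type,target_user,source_ip"
Event 529 = logon failure (bad user name or password), 528 = successful
logon, logon type 3 = network logon (SMB).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Account names the worm tries (from the description above); compared
# as exact, case-insensitive matches, so "admin" does not count.
TARGET_USERS = {"admins", "administrat", "administrateur",
                "administrador", "administrato"}

EVENT_LOGON_FAILURE = 529
EVENT_LOGON_SUCCESS = 528
NETWORK_LOGON = 3

# Constructed sample records: one guessing host (10.0.0.7) that finally
# succeeds, and one host with ordinary, isolated failures.
SAMPLE_LOG = """\
2004-09-14 03:12:01,529,3,administrat,10.0.0.7
2004-09-14 03:12:01,529,3,administrat,10.0.0.7
2004-09-14 03:12:02,529,3,administrateur,10.0.0.7
2004-09-14 03:12:02,529,3,administrador,10.0.0.7
2004-09-14 03:12:03,529,3,administrato,10.0.0.7
2004-09-14 03:12:03,529,3,admins,10.0.0.7
2004-09-14 03:12:04,528,3,administrat,10.0.0.7
2004-09-14 03:15:10,529,3,jsmith,10.0.0.22
2004-09-14 03:40:00,529,3,administrat,10.0.0.22
"""


def parse_records(log_text):
    """Turn the constructed CSV lines into (timestamp, event_id, logon_type, user, source) tuples."""
    rows = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, eid, ltype, user, src = line.split(",")
        rows.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                     int(eid), int(ltype), user.strip().lower(), src.strip()))
    return rows


def find_sdbot_brute_force(log_text, window=timedelta(minutes=2),
                           min_failures=5, min_users=3):
    """Return {source_ip: summary} for sources matching the guessing pattern.

    A source matches when, within `window`, it produces at least
    `min_failures` network logon failures against the worm's target
    user names, spanning at least `min_users` distinct names.  Any later
    successful network logon from that source to one of those names is
    reported as a probable compromise (thresholds are assumptions).
    """
    by_src = defaultdict(list)
    for ts, eid, ltype, user, src in parse_records(log_text):
        if ltype == NETWORK_LOGON and user in TARGET_USERS:
            by_src[src].append((ts, eid, user))

    hits = {}
    for src, events in by_src.items():
        events.sort()
        failures = [(ts, u) for ts, eid, u in events if eid == EVENT_LOGON_FAILURE]
        # Sliding window anchored at each failure in turn.
        for i, (start, _) in enumerate(failures):
            in_win = [u for ts, u in failures[i:] if ts - start <= window]
            if len(in_win) >= min_failures and len(set(in_win)) >= min_users:
                later_success = any(eid == EVENT_LOGON_SUCCESS and ts >= start
                                    for ts, eid, _u in events)
                hits[src] = {"first_seen": start,
                             "failures": len(in_win),
                             "users": sorted(set(in_win)),
                             "later_success": later_success}
                break
    return hits


if __name__ == "__main__":
    for src, info in find_sdbot_brute_force(SAMPLE_LOG).items():
        print(src, info)
```

Because the worm pairs a handful of administrator spellings with a fixed dictionary, the distinct-user-name count is a better discriminator than raw failure volume alone: a mistyped password from a real administrator produces many failures against one name, not five names within a few seconds.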

Technical Details
The worm copies itself to the %system% directory as "dveldr.exe". Once that copy has been started, the originally executed file is immediately deleted.

The worm creates the following registry entries. The Run and RunServices values give it automatic start; the OLE value is not an autostart location and serves only as an infection marker:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Time Manager"="dveldr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Time Manager"="dveldr.exe"

[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"Microsoft Time Manager"="dveldr.exe"
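A check for the persistence entries listed above, added here and not part of Avira's description: it parses the text format written by `reg export` and reports any value under the three keys whose name is "Microsoft Time Manager" or whose data references dveldr.exe. The sample export is constructed; only string values of the form `"name"="data"` are handled, which is all this worm writes.

```python
"""Scan a .reg export for the WORM_SDBOT.UH persistence values.

Added example, not Avira's code.  Parses the text produced by, e.g.
    reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion" out.reg
and reports values matching this worm under the keys it is known to use.
The sample export below is constructed.
"""
import re

# Keys from the description; compared case-insensitively.
WATCHED_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_current_user\software\microsoft\ole",
}
IOC_VALUE_NAME = "microsoft time manager"
IOC_FILE = "dveldr.exe"

# Constructed sample: two infected autostart keys, the OLE marker, and one
# benign key that must not be reported.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"Microsoft Time Manager"="dveldr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Time Manager"="C:\\WINDOWS\\system32\\dveldr.exe"

[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"Microsoft Time Manager"="dveldr.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"=data ; the name may contain escaped quotes (\").
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg(text):
    """Yield (key, value_name, data) for every string value in a .reg export.

    `data` is left in .reg encoding (quoted, backslashes doubled).
    """
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, m.group(1), m.group(2)


def find_sdbot_persistence(text):
    """Return [(key, value_name, data)] for values matching this worm's IOCs."""
    hits = []
    for key, name, data in parse_reg(text):
        if key.lower() not in WATCHED_KEYS:
            continue
        if name.lower() == IOC_VALUE_NAME or IOC_FILE in data.lower():
            hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_sdbot_persistence(SAMPLE_REG):
        print(f"[{key}] {name} = {data}")
```

Exports written by reg.exe are UTF-16LE with a byte-order mark, so open a real file with `encoding="utf-16"` before passing its contents to `find_sdbot_persistence`. Matching on both the value name and the file name catches the case where a variant keeps the file name but changes the display name, or vice versa.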

Then, the worm tries to log in to an IRC channel on the "lol.kessef.org" server to receive commands. At the time of this analysis, the server was no longer reachable.

The worm steals the CD keys of the following products:
Battlefield 1942
Battlefield 1942 (Road To Rome)
Battlefield 1942 (Secret Weapons of WWII)
Battlefield Vietnam
Black and White
Chrome
Command and Conquer: Generals
Command and Conquer: Generals (Zero Hour)
Command and Conquer: Red Alert
Command and Conquer: Red Alert 2
Command and Conquer: Tiberian Sun
Counter-Strike (Retail)
FIFA 2002
FIFA 2003
Freedom Force
Global Operations
Gunman Chronicles
Half-Life
Hidden & Dangerous 2
IGI 2: Covert Strike
Industry Giant 2
James Bond 007: Nightfire
Legends of Might and Magic
Medal of Honor: Allied Assault
Medal of Honor: Allied Assault: Breakthrough
Medal of Honor: Allied Assault: Spearhead
Microsoft Windows Product ID
Nascar Racing 2002
Nascar Racing 2003
Need For Speed
Need For Speed Hot Pursuit 2
Neverwinter Nights
Neverwinter Nights (Hordes of the Underdark)
Neverwinter Nights (Shadows of Undrentide)
NHL 2002
NHL 2003
NOX
Rainbow Six III RavenShield
Shogun
Soldier of Fortune II - Double Helix
Soldiers Of Anarchy
The Gladiators
Total War
Unreal Tournament 2003
Unreal Tournament 2004

This version also carries a network sniffer that watches traffic for the following strings (IRC bot login commands with their common prefix characters, and PayPal references):
.login
,login
!login
@login
$login
%login
^login
&login
*login
-login
+login
/login
\login
=login
?login
'login
`login
~login
login
.auth
,auth
!auth
@auth
$auth
%auth
^auth
&auth
*auth
-auth
+auth
/auth
\auth
=auth
?auth
'auth
`auth
~auth
auth
.id
,id
!id
@id
$id
%id
^id
&id
*id
-id
+id
/id
\id
=id
?id
'id
`id
~id
id
.hashin
!hashin
$hashin
%hashin
.secure
!secure
.l
!l
$l
%l
.x
!x
$x
%x
.syn
!syn
$syn
%syn
paypal
PAYPAL
paypal.com
PAYPAL.COM
Description inserted by Crony Walker on Tuesday, June 15, 2004
