WORM_SDBOT.VQ is a memory-resident worm that spreads via network shares and exploits specific vulnerabilities to propagate across networks. It also gathers available lists of names and passwords, and uses this gathered information to locate and list shared folders where it drops a copy of itself. This worm has backdoor capabilities and attempts to connect to an Internet Relay Chat (IRC) server to allow a remote user to access the infected system and perform malicious commands. WORM_SDBOT.VQ runs on Windows NT, 2000, and XP.

Upon execution, this memory-resident worm drops a copy of itself in the Windows System directory as EXPLORER32.EXE. It adds registry entries to enable this dropped copy to run at every Windows startup. It then creates several threads to be used for sniffing, keylogging, and other backdoor capabilities. It also attempts to send copies of itself to other systems as BLING.EXE.

This worm spreads via network shares. It gathers available lists of names and passwords, and uses this gathered information to locate and list shared folders where it drops a copy of itself. It then attempts to access systems with weak passwords to drop a copy of itself. You may view the list of usernames and passwords in the Technical Details section of this virus description.

This worm takes advantage of the following Windows vulnerabilities: IIS5/WEBDAV Buffer Overflow vulnerability; Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability; Buffer Overflow in SQL Server 2000; Windows LSASS Vulnerability.
This worm attempts to connect to the Internet Relay Chat (IRC) server, irc.t3musso.net, which allows a remote user to access the infected system and perform the following commands: Update malware from HTTP and FTP URL; Steal CD keys of game applications; Execute a file; Download from HTTP and FTP URL; Open a command shell; Open files; Display the driver list; Get screen capture; Capture pictures and video clips; Display netinfo; Make a bot join a channel; Stop and start a thread; List all running processes; Rename a file; Generate a random nickname; Perform different kinds of DDoS attacks; Retrieve and clear log files; Terminate the bot; Disconnect the bot from IRC; Send a message to the IRC server; Let the bot perform a mode change; Change BOT ID; Display connection type, local IP address and other net information; Log in and log out the user; Issue a ping attack on a target computer; Display the following system information: CPU speed; Amount of memory; Windows platform, build version, and product ID; Malware uptime; User name.

It also checks for the following strings, and then attempts to steal Windows product ID and CD keys for several game applications: :.login, :,login, :!login, login, :$login, :%login, login, :&login, :*login, :-login, :+login, :/login, :\login, :=login, :?login, :'login login, :~login, : login, :.auth, :,auth, :!auth, auth, :$auth, :%auth, :&auth, :*auth, :-auth, :+auth, :/auth, :\auth, :=auth, :?auth, :'auth, :~auth, :_auth, :.hashin, :!hashin, :$hashin, :%hashin, :.secure, :!secure, :.syn, :!syn, :$syn, :%syn, paypal, PAYPAL, paypal.com, PAYPAL.COM

The remote malicious user can also issue commands to allow the bot to log user keystrokes.

If you would like to scan your computer for WORM_SDBOT.VQ or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com

WORM_SDBOT.VQ is detected and cleaned by Trend Micro pattern file 2.175.13 and above.
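
The file names and IRC host named in this description can be matched against endpoint file events and DNS logs. The following is an added example, not part of the original description or of any Trend Micro tooling; the event field names (host, type, path, query) and the sample events are constructed for illustration.

```python
import ntpath

# Indicators taken from the description above.
DROPPED_NAME = "explorer32.exe"   # copy dropped in the Windows System directory
SPREAD_NAME = "bling.exe"         # name used for copies sent to other systems
IRC_HOST = "irc.t3musso.net"      # IRC server the backdoor connects to
SYSTEM_DIR = "system32"           # System directory name on Windows NT/2000/XP

def classify(event):
    """Return a finding label for one event, or None if nothing matches."""
    kind = event.get("type")
    if kind == "dns":
        # Normalise case and the trailing root dot before comparing.
        name = event.get("query", "").lower().rstrip(".")
        if name == IRC_HOST or name.endswith("." + IRC_HOST):
            return "irc-c2-lookup"
    elif kind == "file":
        # ntpath parses Windows and UNC paths on any platform.
        folder, base = ntpath.split(event.get("path", ""))
        base = base.lower()
        if base == DROPPED_NAME and ntpath.basename(folder).lower() == SYSTEM_DIR:
            return "dropped-copy"
        if base == SPREAD_NAME:
            return "spread-copy"
    return None

def scan(events):
    """Group findings per host so hosts with several indicators stand out."""
    findings = {}
    for ev in events:
        hit = classify(ev)
        if hit:
            findings.setdefault(ev.get("host", "?"), set()).add(hit)
    return findings

# Constructed sample events (hypothetical schema, not a real log format).
SAMPLE = [
    {"host": "ws01", "type": "file", "path": r"C:\WINNT\system32\EXPLORER32.EXE"},
    {"host": "ws01", "type": "dns", "query": "IRC.T3MUSSO.NET."},
    {"host": "ws02", "type": "file", "path": r"\\ws02\C$\BLING.EXE"},
    {"host": "ws03", "type": "file", "path": r"C:\WINDOWS\explorer.exe"},
    {"host": "ws03", "type": "file", "path": r"C:\Temp\notbling.exe"},
    {"host": "ws03", "type": "dns", "query": "t3musso.net.example.org"},
]

if __name__ == "__main__":
    for host, hits in sorted(scan(SAMPLE).items()):
        print(host, sorted(hits))
```

Matching on the full base name and the parent directory keeps the legitimate explorer.exe in the Windows directory and look-alike names such as notbling.exe out of the results.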