Questions about "Backdoor.Sdbot"

One of the other posters had a similar problem, but I'm looking to see if some experts can shed some light on my experience:

I ran a full system scan on 18 SEP 08. The scan detected three files infected with the Backdoor.Sdbot virus. (The latest DAT was 29 AUG 08 with the 17 SEP 08 Rapid update.) Two of the files were removed by VirusScan while the third could not be, as it was an unrecognized file type (possibly because it was contained in an archive). Surprisingly, this third file was located in my archived download of 3dsMax 8.0, specifically in the Activate.exe file. I have had this downloaded program on my system for six months without Norton AntiVirus ever detecting a virus during any of my scans.

I copied the archived 3dsMax 8.0 program to a DVD and then deleted it from my computer.  VirusScan indicated that the issue was resolved with my deletion of the program.

Next, I updated to Norton Internet Security 2009 and did a full scan. No viruses were detected. Then I scanned the DVD with the supposedly infected archived copy of 3dsMax 8.0. It did not detect Backdoor.Sdbot, nor any other virus.

Did I simply have a false detect?  Does anyone know what has happened here?

Replies

Re: Questions about "Backdoor.Sdbot"

This should give you more details on the Trojan horse, if you have not already checked it out: http://www.symantec.com/security_response/writeup.jsp?docid=2002-051312-3628-99&tabid=1
Thursday, November 21, 2013: The THREATCON was changed to Level 1: Normal | Tue., Nov. 05, 2013: Zero-Day Vulnerability: Microsoft Security Advisory 2896666 | Saturday, November 09, 2013: Cyber-Criminals Serve Up A Veritable Smorgasbord Of Threats For South Koreans | Wednesday, October 09, 2013: New Internet Explorer Zero-Day Targeted In Attacks Against Korea And Japan [C.V.E.-2013-3897]
Re: Questions about "Backdoor.Sdbot"

Hey red... I've been looking at that, but I am not sure if the answer I'm searching for is there.
Re: Questions about "Backdoor.Sdbot"

Hello,

What kind of Program is it? If it is I.R.C.-related, then it may well have been that the File was Removed when the other two Files were of the other two Internet Threats and Norton reported that it was still there and thus, a F.P.

Re: Questions about "Backdoor.Sdbot"

Well... The program itself is 3dsMax, a 3D modeling program. It was in an archived state (bundled in a WinRAR-type self-extracting file) and the specific file within the archived 3dsMax program that was supposedly infected was the Activation.exe, which is responsible for activating the program's licensing verification.
Re: Questions about "Backdoor.Sdbot"

Further...

What I really don't get is how the 3dsMax program could be downloaded and installed on my computer for over six months and only yesterday was a Backdoor.Sdbot virus detected. Also, why can I not detect any trace of the virus on the DVD copy I made of the program before deletion? This leads me to theorize that the 17 Sep 08 Rapid response update detected 3dsMax's Activate.exe (the program's license verification executable) as a virus (Backdoor.Sdbot) and then the subsequently installed DAT updates identified it as not being a virus.

This is the main point I'm trying to investigate: whether this was a false detect or whether there is still a Backdoor.Sdbot lurking on my copied DVD.

Re: Questions about "Backdoor.Sdbot"

Hi,

Please Update your Norton Product via LiveUpdate and then do a Full System Scan in Safe Mode; let me know the Results. Then I would run a Custom Scan on the D.V.D. with Updated Virus Definitions; again, let me know the Results.

Re: Questions about "Backdoor.Sdbot"

Acronym2,

Go ahead and submit the 'activate.exe' file from your DVD copy to Symantec using the following link -

 https://submit.symantec.com/websubmit/retail.cgi

You'll get an email with a unique TRACKING number in the subject line, once you make the submission. Report that number on this thread.

Thanks

- DesiT

Re: Questions about "Backdoor.Sdbot"

Hi DesiT... I tried to extract Activate.exe from the DVD copy to send, but NAV blocks the extraction with a pop-up warning that says something like "File blocked, Backdoor.Sdbot detected, your computer is safe," etc. This is strange. A custom scan of the DVD does not detect a virus of any kind. I'll do what Red suggested and reply to him, but do you see my dilemma? I still cannot tell whether this is a virus or a false detect.

Re: Questions about "Backdoor.Sdbot"

Well Floating_Red, I did both and can find no virus present. However, as you can see from my previous post, I am still stymied by the fact that in trying to extract Activate.exe from the DVD copy NIS blocks the file as a Backdoor.Sdbot. Does this mean a false detect, or is this really a trojan virus?

(In a new wrinkle, LiveUpdate is failing to update virus definitions. It did yesterday, but for some reason it fails to update the last packet, which is the virus definitions!?)

Re: Questions about "Backdoor.Sdbot"

1. None of what you have described sounds healthy to me. Have you tried downloading the Norton Recovery Tool image onto another computer, burning the ISO image onto a CD, then booting the problematic computer from the CD? Make sure the computer is wired into the internet, then check for viruses this way.

2.  Have you tried a suggestion I made elsewhere?  Create a New User with Admin Rights and see how your programs behave for that user?  Sometimes registry damage stops at the User level and doesn't penetrate to the system level.

Good luck

mij
N360 2013, v.20.1.0.24; Win7 Pro, SP1 (32 bit), IE 9, Firefox 14, No other active securityware
Re: Questions about "Backdoor.Sdbot"

LiveUpdate works fine again. Possibly something was just wrong with that packet.

Now, I know I've dragged this on, but I am left with the same question. Did I detect, or do I have, a "Backdoor.Sdbot" hiding in Activate.exe on my DVD copy of my program, or is this just a false detect due to Activate.exe's function as a license verification executable?

Re: Questions about "Backdoor.Sdbot"

Hello,

I have been working the malware removal forums for quite some time, and the only real way to know if you're infected with the SDBot worm would be to post a HijackThis log in one of the removal forums; there is a tool to remove SDBot. I log onto those forums as ken545.

Here are two for starters

SaferNetworking

http://forums.spybot.info/forumdisplay.php?f=22

WhattheTech

 http://forums.whatthetech.com/HijackThis_Logs_and_Infections_Removal_f27.html

Re: Questions about "Backdoor.Sdbot"

See if you can upload the file directly from your CD/DVD to http://www.virustotal.com/ . If it fails when you just select the file and upload it, test with the "Send it over SSL" option checked to see if it makes a difference. Haven't tested personally, but worth a shot. Then, if nothing works, you can decide yourself if you wanna take the risk and disable the Real-Time protection against viruses and malicious behaviour (SONAR), since they're connected, and then both upload the file at VirusTotal and to the Symantec submission page. I'd suggest VirusTotal first so that you immediately get a second opinion from all the engines there. Most of all I'm curious about the fact that manually scanning the CD (I would suppose you simply right-clicked it and selected the scanning option of Norton) did not get you any results about infection (of this threat)...

Message Edited by RavenMacDaddy on 09-20-2008 04:13 PM
Re: Questions about "Backdoor.Sdbot"

Okay, guys, I'll try to upload the file to VirusTotal and Symantec. I guess if it comes up clean... then it was a false detect? (My opinion leans a little this way, but I **bleep** well want to be sure about it!)
Re: Questions about "Backdoor.Sdbot"

Okay, my friends... the continuing saga to solve our mystery! I have taken my DVD copy of the archived suspect program and, using my old computer, extracted the Activate.exe file and copied it to a CD. My intention was to upload the file on my new computer from the CD to VirusTotal and Symantec. However, as soon as the CD is in the drive and recognized... Symantec warns me that Backdoor.Sdbot is detected and advises removal of the CD from the drive.

I still wonder about all of this. How is it that the extracted file Activate.exe is detected as containing a virus while it is apparently not when archived on the DVD? (I checked the scan compressed files option on LisaT's advice.) Also, I had the archived file on my drive for several months, yet no Backdoor.Sdbot was detected until two days ago. Why wouldn't it have been detected sooner?

Well, any ideas on how to get the file to Symantec? I could not upload it. When I tried to do so, I received a message of "you do not have permission to open this file, contact the administrator or file owner for permission to do so".

Re: Questions about "Backdoor.Sdbot"

Hi Acronym

This message, "you do not have permission to open this file, contact the administrator or file owner for permission to do so": is that the message given because Norton's Auto-Protect is blocking your access due to the security risk detected? Then that is why you are unable to send the file to Symantec or Virus scan.

If that's the case, Norton would have to be disabled for just the moment that you want to send the file. Then Turn Norton back on immediately afterwards.

Cheers

Quads 

Re: Questions about "Backdoor.Sdbot"

I see. I thought it might be something like that. However, I think I'll try first to use my old computer to upload the file, as I will eventually restore its drive to the factory state.

On another note, I've been reading the Symantec Backdoor.Sdbot web pages a little closer. I see that the registry keys reported by NAV that were affected on my computer before NAV removed the virus were:

HKEY_USERS\S-1-5-19\Software\ASProtect->Microsoft
HKEY_USERS\S-1-5-21-740156387-1363620219-772563812-1000\Software\ASProtect->Microsoft
HKEY_USERS\S-1-5-20\Software\ASProtect->Microsoft
HKEY_USERS\.DEFAULT\Software\ASProtect->Microsoft
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon->Shell:Explorer.exe

These do not seem to be similar to those listed on the web page. I am not very knowledgeable with registry keys or registry editing. Does anyone recognize these keys, and does this tell us something about the nature of what NAV detected?

Re: Questions about "Backdoor.Sdbot"

Hi

Sdbot seems to be evolving with different file names all the time.

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] > New value: does indeed seem to be part of "Worm/SdBot.571392.1" (IRC/SdBot).

AsProtect is a program, but whether the entries are Sdbot faking AsProtect, I don't know.

AsProtect: http://www.aspack.com/asprotect.aspx

Do you have this program installed?

"However, I think I'll try first to use my old computer to upload the file as I will eventually restore its drive to the factory state." Good idea.

Cheers

Quads 

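The entries Acronym2 posted above, run through a small check added here as an example (not code from the thread, from Norton or from Symantec): it parses the list in the 'key->name[:data]' shape the post uses and flags the two points Quads raises, a touched Winlogon\Shell value and an ASProtect key sitting under hives that belong to service accounts or the default profile rather than a logged-in user. The well-known SID names are standard Windows; everything else is constructed from the posted list.

```python
import re
from collections import defaultdict

# The registry values NAV reported in the post above, as the thread lists them
# (Winlogon path spelled CurrentVersion). The 'HIVE\path->Name[:Data]' input
# format is assumed from how the post typed them.
REPORTED = [
    r"HKEY_USERS\S-1-5-19\Software\ASProtect->Microsoft",
    r"HKEY_USERS\S-1-5-21-740156387-1363620219-772563812-1000\Software\ASProtect->Microsoft",
    r"HKEY_USERS\S-1-5-20\Software\ASProtect->Microsoft",
    r"HKEY_USERS\.DEFAULT\Software\ASProtect->Microsoft",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon->Shell:Explorer.exe",
]

# Well-known profile hives under HKEY_USERS that no interactive user logs into.
# A user-mode product configuring itself in all of them is unusual.
SERVICE_HIVES = {"S-1-5-18": "SYSTEM", "S-1-5-19": "LOCAL SERVICE",
                 "S-1-5-20": "NETWORK SERVICE", ".DEFAULT": "default profile"}

ENTRY_RE = re.compile(r"^(HKEY_[A-Z_]+)\\(.+?)->([^:]+)(?::(.*))?$")

def parse_entry(line):
    """Split 'HIVE\\path->Name[:Data]' into (hive, path, name, data); data may be None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised entry: " + line)
    return m.groups()

def assess(lines):
    """Return (severity, message) findings for a list of NAV-style registry reports."""
    findings = []
    asprotect_hives = defaultdict(list)
    for line in lines:
        hive, path, name, data = parse_entry(line)
        parts = path.split("\\")
        # Winlogon\Shell starts the desktop at logon; anything but explorer.exe there
        # is a classic persistence point. Even the default is worth noting when AV
        # reports it, since the value was most likely rewritten and then restored.
        if parts[-1].lower() == "winlogon" and name.lower() == "shell":
            if (data or "").strip().lower() != "explorer.exe":
                findings.append(("high", "Winlogon Shell replaced with %r" % data))
            else:
                findings.append(("info", "Winlogon Shell reported; value is the default explorer.exe"))
        # Record which HKEY_USERS profile hives carry an ASProtect key.
        if hive == "HKEY_USERS" and "asprotect" in path.lower():
            asprotect_hives[parts[0]].append(name)
    hits = sorted(h for h in asprotect_hives if h in SERVICE_HIVES)
    if hits:
        who = ", ".join("%s (%s)" % (h, SERVICE_HIVES[h]) for h in hits)
        findings.append(("medium", "ASProtect key under non-interactive hives: " + who
                         + "; expected only if AsProtect is actually installed"))
    return findings

if __name__ == "__main__":
    for severity, message in assess(REPORTED):
        print(severity.upper(), message)
```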
Re: Questions about "Backdoor.Sdbot"

Looking at the website link you posted, I can say that I never purchased that product for download and install.  I will check as best I can to see if my computer, or my version of Vista, or another program may have had it prepackaged.
Re: Questions about "Backdoor.Sdbot"

Quads, a quick question for you or anyone else who may know. Does NAV delete erroneous registry keys as part of removal? (I assume yes...?) I went looking for the above keys in the registry and only found the last one. So, we may assume the suspected virus added the others... hmmm! It still seems a lot different from the Backdoor.Sdbot page and how it is supposed to alter the registry.

(Sorry guys, I have to get in the habit of using "edit post" here.)

Message Edited by Acronym2 on 09-21-2008 05:02 PM
Re: Questions about "Backdoor.Sdbot"

I wouldn't expect NAV to delete erroneous registry keys (that is the purview of SystemWorks), but it would go after malware entries.

Re: Questions about "Backdoor.Sdbot"

Hi there.

I agree with Mij on the NAV (or NIS) deleting erroneous entries.

Now, not being able to find the other registry entries, I would presume that they have been added by the injection(s), masquerading the entries as the legitimate AsProtect product when it is not. But that is until you know for sure that you don't have AsProtect installed on your PC... Though, as NAV detected them, it does also make the entries suspicious.

As for finding hidden registry entries, try Sysinternals' "RootkitRevealer" and/or also WinPatrol. Panda and Sophos also have a rootkit scanner you can download.

Does anything show up on the list after running HJT?

Cheers

Quads 

Re: Questions about "Backdoor.Sdbot"

Well, I have the result from VirusTotal: 41.67% positive.  http://www.virustotal.com/analisis/302c31ecf6cf150c8fdeeffaf7d0c570

Next I'll submit it to Symantec, as it is interesting that it seemed to resist the scan when compressed on a DVD. Also, it still seems strange that it wasn't detected by NAV until a few days ago. Perhaps it is sophisticated and it wasn't until the 17 SEP 08 DAT that it was recognized.

Oh, well. Live and learn. Is it even possible to clean the original infected file? My heart tells me not likely, but I wonder if it could be decompiled and the virus removed. When I scanned it with McAfee on my old computer, it gave a result of three files scanned. Possibly it could be as simple as decompiling it and deleting the virus file.

So, any more advice on how to make sure my system is clean?  I guess that's my main mission now: to make sure there are no residual effects left on my system.  I'll run the HJT program and post to their web as advised.

Re: Questions about "Backdoor.Sdbot"

Hi

An Update.

As to "AsProtect": there are a few variations of "Sdbot" that use AsProtect as a packer type (compression).

There will be, or would have been, a file in the "c:\windows\system32\" folder; depending on the variation, the file name will be different (xxxx.exe).

Quads 

Re: Questions about "Backdoor.Sdbot"

Symantec's Analysis is complete.  A Backdoor.Sdbot non-repairable threat.  I am advised that the latest LiveUpdates do detect this threat and that I should delete the suspected file. (Already done!)

I guess that's it.  Is there anything more I need to do to clean my system of any residual effects from the infection?

Re: Questions about "Backdoor.Sdbot"

Hi

If your PC is running smoothly etc. I guess there is nothing else.

There could always be the odd small remnant, like a reg entry, but one small thing like that, with nothing else, won't do anything.

You may always find in the future, as def. updates come in, that the antivirus etc. finds the odd small thing left behind to delete, but not the program (infection) as a whole.

Before you wonder, I have been infected with Virtumondo and had deleted the infection, PC back to normal; months later, after a def. update and a scan, 2 reg entries and a .dll had been found. Just the remnants.

That could happen to you; there seem to be many variants of the Trojan.sdbot (IRCbot) showing up in lists.

bye

Quads

P.S. You could always do a registry clean. 
