Questions about "Backdoor.Sdbot"


One of the other posters had a similar problem, but I'm looking to see if some experts can shed some light on my experience:

 

I ran a full system scan on 18 SEP 08.  The scan detected three files infected with the Backdoor.Sdbot virus.  (The latest DAT was 29 AUG 08 with the 17 SEP 08 Rapid update).  Two of the files were removed by VirusScan while the third could not be as it was an unrecognized file type (possibly because it was contained in an archive).  Surprisingly, this third file was located in my archived download of 3dsMax 8.0, specifically in the Activate.exe file.  I have had this downloaded program on my system for six months without Norton AntiVirus ever detecting a virus before during any of my scans.

 

I copied the archived 3dsMax 8.0 program to a DVD and then deleted it from my computer.  VirusScan indicated that the issue was resolved with my deletion of the program.

 

Next, I updated to Norton Internet Security 2009 and did a full scan.  No viruses were detected.  Then, I scanned the DVD with the supposedly infected archived copy of 3dsMax 8.0.  It did not detect Backdoor.Sdbot or any other virus.

 

Did I simply have a false detect?  Does anyone know what has happened here?

Hey red…I’ve been looking at that, but I am not sure if the answer I’m searching for is there.

Hello,

   What kind of Program is it?  If it is I.R.C.-related, then it may well have been that the File was Removed when the other two Files were of the other two Internet Threats and Norton reported that it was still there and thus, a F.P..

Well…The program itself is 3dsMax, a 3D modeling program.  It was in an archived state (bundled in a WinRAR-type self-extracting file), and the specific file within the archived 3dsMax program that was supposedly infected was Activation.exe, which is responsible for the program's licensing verification.

Further.......

 

What I really don't get is how the 3dsMax program could be downloaded and installed on my computer for over six months and only yesterday was a Backdoor.Sdbot virus detected.  Also, why can I not detect any trace of the virus on the DVD copy I made of the program before deletion?  This leads me to theorize that the 17 Sep 08 Rapid Response update detected 3dsMax's Activate.exe (the program's license verification executable) as a virus (Backdoor.Sdbot) and then the subsequently installed DAT updates identified it as not being a virus.

 

This is the main point I'm trying to investigate: whether this was a false detect or whether there is still a Backdoor.Sdbot lurking on my copied DVD.

Hi,

  Please Update your Norton Product via LiveUpdate and then do a Full System Scan in Safe Mode; let me know the Results.  Then I would run a Custom Scan on the D.V.D with Updated Virus Definitions; again, let me know the Results.


Acronym2,

 

Go ahead and submit the 'activate.exe' file from your DVD copy to Symantec using the following link -

 https://submit.symantec.com/websubmit/retail.cgi

 

You'll get an email with a unique TRACKING number in the subject line, once you make the submission. Report that number on this thread.

 

Thanks

- DesiT

Hi DesiT…I tried to extract Activate.exe from the DVD copy to send, but NAV blocks the extraction with a pop-up warning that says something like “File blocked, Backdoor.Sdbot detected, your computer is safe.” etc.  This is strange. A custom scan of the DVD does not detect a virus of any kind. I’ll do what Red suggested and reply to him, but do you see my dilemma?  I still cannot tell whether this is a virus or a false detect.

Well Floating_Red, I did both and can find no virus present.  However, as you can see from my previous post, I am still stymied by the fact that in trying to extract Activate.exe from the DVD copy NIS blocks the file as a Backdoor.Sdbot.  Does this mean a false detect, or is this really a trojan virus?


 

(In a new wrinkle, Live update is failing to update virus definitions.  It did yesterday, but for some reason it fails to update the last packet which is the Virus definitions!?)

1.  None of what you have described sounds healthy to me.  Have you tried downloading the Norton Recovery Tool image onto another computer, burning the ISO image onto a CD, then booting the problematic computer from the CD?  Make sure the computer is wired into the internet, then check for viruses this way.

 

2.  Have you tried a suggestion I made elsewhere?  Create a New User with Admin Rights and see how your programs behave for that user?  Sometimes registry damage stops at the User level and doesn't penetrate to the system level.

 

Good luck

Live update works fine again.  Possibly something was just wrong with that packet.

 

Now, I know I've dragged this on, but I am left with the same question.  Did I detect, or do I have a "Backdoor.Sdbot" hiding in Activate.exe on my DVD copy of my program or is this just a false detect due to Activate.exe's function as a license verification executable. 

Hello,

 

I have been working the malware removal forums for quite some time, and the only real way to know if you're infected with the SDBot worm would be to post a HijackThis log in one of the removal forums; there is a tool to remove SDBot. I log onto these forums as ken545.

 

Here are two for starters

SaferNetworking

http://forums.spybot.info/forumdisplay.php?f=22

 

WhattheTech

 http://forums.whatthetech.com/HijackThis_Logs_and_Infections_Removal_f27.html

See if you can upload the file directly from your CD/DVD to http://www.virustotal.com/ . If it fails when you just select the file and upload it, test with the “Send it over SSL”-option checked to see if it makes a difference. Haven’t tested personally, but worth a shot. Then, if nothing works, you can decide yourself if you wanna take the risk and disable the Real-Time protection against viruses and malicious behaviour (SONAR), since they’re connected and then both upload the file at VirusTotal and to the Symantec Submission-page. I’d suggest VirusTotal first so that you immediately get a second opinion from all the engines there. Most of all I’m curious about the fact that manually scanning the CD (I would suppose you simply right-clicked it and selected the scanning-option of Norton) did not get you any results about infection (of this threat)…

Message Edited by RavenMacDaddy on 09-20-2008 04:13 PM

Okay, guys, I’ll try to upload the file to VirusTotal and Symantec. I guess if it comes up clean…then it was a false detect?  (My opinion leans a little this way, but I bleep well want to be sure about it!)

Okay, my friends…the continuing saga to solve our mystery!   I have taken my DVD copy of the archived suspect program and, using my old computer, extracted the Activate.exe file and copied it to a CD.  My intention was to upload the file on my new computer from the CD to VirusTotal and Symantec.  However, as soon as the CD is in the drive and recognized…Symantec warns me that Backdoor.Sdbot is detected and advises removal of the CD from the drive.

 

I still wonder about all of this.  How is it that the extracted file Activate.exe is detected as containing a virus while it is apparently not when archived on the DVD?  (I checked the scan compressed files option on LisaT's advice.)  Also, I had the archived file on my drive for several months, yet no Backdoor.Sdbot was detected until two days ago.  Why wouldn't it have been detected sooner?

 

Well, any ideas on how to get the file to Symantec?  I could not upload it.  When I tried to do so, I received a message of "you do not have permission to open this file, contact the administrator or file owner for permission to do so".

Hi Acronym

 

This message "you do not have permission to open this file, contact the administrator or file owner for permission to do so": is that the message given because Norton's Auto-Protect is blocking your access due to the security risk detected?  Then that is why you are unable to send the file to Symantec or VirusTotal.

 

If that's the case, Norton would have to be disabled for just the moment that you want to send the file. Then Turn Norton back on immediately afterwards.

 

Cheers

 

Quads 

 

 

I see.  I thought it might be something like that.  However, I think I'll try first to use my old computer to upload the file, as I will eventually restore its drive to the factory state.

 

On another note, I've been reading the Symantec Backdoor.Sdbot web pages a little closer.   I see that the registry keys reported by NAV that were affected on my computer before NAV removed the virus were:

 

HKEY_USERS\S-1-5-19\Software\ASProtect->Microsoft
HKEY_USERS\S-1-5-21-740156387-1363620219-772563812-1000\Software\ASProtect->Microsoft
HKEY_USERS\S-1-5-20\Software\ASProtect->Microsoft
HKEY_USERS\.DEFAULT\Software\ASProtect->Microsoft
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurentVersion\Winlogon->Shell:Explorer.exe

 

These do not seem to be similar to those listed on the web page.  I am not very knowledgeable with registry keys or registry editing.  Does anyone recognize these keys, and does this tell us something about the nature of what NAV detected?

 

Hi

 

Sdbot seems to be evolving with different file names all the time.

 

 [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon>New value:  does indeed seem to be part of "Worm/SdBot.571392.1" ( IRC/SdBot ).

 

The Asprotect is a program, but whether the entries are Sdbot faking AsProtect, I don't know.

 

AsProtect  http://www.aspack.com/asprotect.aspx

 

Do you have this program installed?

 

"However, I think I'll try first to use my old computer to upload the file, as I will eventually restore its drive to the factory state."  Good idea.

 

Cheers

 

Quads
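The two registry locations discussed above (the Winlogon `Shell` value and the per-user `Software\ASProtect` keys) can be checked from an elevated PowerShell prompt. The script below is an added example for this thread, not a Symantec tool or anything posted by the participants; it reports the machine-wide `Shell` value, any per-user `Shell` override, and whether an `ASProtect` key exists under each loaded user hive, so the findings can be compared with what the scanner reported.

```powershell
# Added example (not from the thread): audit the Winlogon Shell value and look for
# per-user Software\ASProtect keys, the two locations NAV reported in this case.
# The default Winlogon Shell on a Windows workstation is "explorer.exe"; a different
# value, or any per-user Shell value at all, is a known persistence spot worth review.
function Get-WinlogonShellAudit {
    $results = @()

    # Machine-wide Winlogon key (the HKLM entry from the post)
    $hklm  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -Path $hklm -Name Shell -ErrorAction SilentlyContinue).Shell
    $results += [pscustomobject]@{
        Hive       = 'HKLM'
        Item       = 'Winlogon\Shell'
        Data       = $shell
        Suspicious = ($null -ne $shell -and $shell.Trim().ToLower() -ne 'explorer.exe')
    }

    # HKEY_USERS is not mapped as a drive by default; map it so loaded hives can be walked
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $hives = Get-ChildItem -Path 'HKU:\' | Where-Object { $_.PSChildName -notlike '*_Classes' }
    foreach ($hive in $hives) {
        $sid = $hive.PSChildName   # e.g. S-1-5-19, .DEFAULT, or a full user SID as in the post

        # A per-user Shell value is not present on a default install; flag it whenever found
        $userWinlogon = "HKU:\$sid\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
        $userShell = (Get-ItemProperty -Path $userWinlogon -Name Shell -ErrorAction SilentlyContinue).Shell
        if ($null -ne $userShell) {
            $results += [pscustomobject]@{ Hive = $sid; Item = 'Winlogon\Shell'; Data = $userShell; Suspicious = $true }
        }

        # ASProtect is a commercial protector; the key alone proves nothing either way,
        # so it is reported for review rather than flagged
        $asprotect = "HKU:\$sid\Software\ASProtect"
        if (Test-Path -Path $asprotect) {
            $results += [pscustomobject]@{ Hive = $sid; Item = 'Software\ASProtect'; Data = 'key present'; Suspicious = $false }
        }
    }
    return $results
}

Get-WinlogonShellAudit | Format-Table -AutoSize
```

Only hives currently loaded (logged-on users plus the service accounts S-1-5-18/19/20 and .DEFAULT) appear under HKEY_USERS, so run it while the account in question is logged on.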