Virus information

[arrowsmithmidwest]

Hi all,

I have two viruses which i need to know some more information about, i can't find much though, i have read about the sdbot.AFN in the archives in this site.


SDBOT.AFN
and
Rbot.YZ

anyone got any links to sites where info on these viruses that nod has picked up?
Or has anyone had any experience with these viruses before.

cheers

[puff-m-d]

What files are NOD32 alarming on that it says are infected with these?

[gerardwil]

SDBOT.AFN try:

Also known as: W32.Randex.gen (Symantec), Backdoor/SDBot, IRC/SdBot.AFN (Eset), Backdoor.SdBot.jg (Kaspersky), W32/Sdbot.worm.gen.h (McAfee)

Gerard

[bigc73542]

Rbot.YZ look here here are the different variations

[arrowsmithmidwest]

thanks for the quick repsonse, the files infected are:

msconfg.exe - sdbot.afn

atiphexx.exe - rbot.yz

[Blackspear]

I would run a scan with Nod32 in Safe Mode, if you find there are problems with System Files affected, then after this you can place your Windows CD in the drive, click start > run, type in CMD, type in "sfc /scannow".

SFC (System File Checker, a part of Windows File Protection) will replace any changed/damaged system files with a clean copy. SFC may not solve every problem, but it's a good start that anyone can do...

Hope this helps...

Cheers

[gerardwil]

maybe this works for YZ as well?

http://www.sophos.com/support/disinfection/rbotek.html

[arrowsmithmidwest]

Quote:

Originally Posted by gerardwil

SDBOT.AFN try:

Also known as: W32.Randex.gen (Symantec), Backdoor/SDBot, IRC/SdBot.AFN (Eset), Backdoor.SdBot.jg (Kaspersky), W32/Sdbot.worm.gen.h (McAfee)

Gerard

Where abouts did you get that information Gerard?

[Blackspear]

Try here: https://www.virusbtn.com/perlbin/vgr....AFN&product=0

www.virusbtn.com > Resources> Vgrep

Cheers

[puff-m-d]

Quote:

Originally Posted by arrowsmithmidwest

thanks for the quick repsonse, the files infected are:

msconfg.exe - sdbot.afn

atiphexx.exe - rbot.yz

What are the locations of these files? Upload these 2 files to Jotti's site HERE for a second opinion.

[Bubba]

Quote:

Originally Posted by arrowsmithmidwest

anyone got any links to sites where info on these viruses that nod has picked up?

Win32.Rbot.H

Quote:

Method of infection

When first run, Rbot.H copies itself into the %System% directory as msconfg.exe.

It then adds entries to the following registry keys so that it is automatically run each time Windows starts:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update = "msconfg.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update = "msconfg.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Update = "msconfg.exe"

[arrowsmithmidwest]

i have removed both viruses now, computer is virus free, now i just have a problem with the OS, i will run the sfc and if not better i may try a win repair.

[Tweakie]

Another valuable resource for this kind of information :
Norman's searchable database of automatically generated
virus descriptions (sandbox outputs). Here :
http://sandbox.norman.no/live_5.html

msconfg.exe -->
http://sandbox.norman.no/live_5.html...9437&menulang=

atiphexx -->
http://sandbox.norman.no/live_5.html...x.exe&adv=true