backdoor.sdbot---wild goose chase

Discussion in 'malware problems & news' started by craign, Feb 15, 2003.

Thread Status:
Not open for further replies.
  1. craign

    craign Registered Member

    Joined:
    Feb 15, 2003
    Posts:
    3
    hello,

    i have a virus detected by nav2002 named backdoor.sdbot.
    and i can not get rid of it. went to the norton site did online scan, nothing came up, but then the anti virus 2002 detected the virus shortly after that. i researched further and followed all instructions on the site, it is still there--it has been in a lot of different .exe files(i.e. iexplorer, lol, die,abc, upload, and some others).
    i still kept getting the warning, so i posted on a message board, there i was directed to a site that runs a trojan horse scan--tauscan. i did--- it found 2 files infected with IRC ZCREW.A,(web.swf and iiscache.dll) and deleted those files.
    still came up with the backdoor.sdbot in my C:/...\...
    \...\wintnt\temp file. went there and nothing.
    stumped i checked the message board again, someone said i should check this site out.
    i am running win2k-sp3 on a 233mhz 4g computer.
    i am about to reformat, the only thing is i just did that,
    i owuld try to rid myself of this pesky virus beforeusing that
    step.
    one other thing i run task manager and have duplicate
    .exe's running such as svhost.exe
    there has got to be a way of defeating this.

    thanks for help
    craig
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    Hi craign,

    Welcome at Wilders. :)
    Please go to our anti-trojan page and grab a free trial of TDS-3 or Trojan Hunter and scan your system with it.
    Let us know.

    Regards,

    Pieter

    Edited typo´s
     
  3. craign

    craign Registered Member

    Joined:
    Feb 15, 2003
    Posts:
    3
    hello,

    i opted to go with the trojan hunter. i am a novice at security and tsd 3 looke intimidating. i ran it it found a trojan in svhost.exe and renamed it. it also stated i have a port open 5180 --matching peeper.120. i do not know what this is but am still investigating, i am not sure if this is over yet. however, i am grateful for your suggestions.
    i have nav 2002, tauscan, zonealarm, and trojan hunter.
    between them i might have a chance.
    thanks again
    craign
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    Hi craign,

    IMO Trojan Hunter is a better choice then Tauscan. I agree that TDS looks intimidating at first, but doing an on demand scan for trojans is just as easy as in any other AT.

    Regards,

    Pieter
     
  5. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Could you provide the trojan name as stated by TH?

    This merely confirms, that particular port is open. It's the commonly used port by peeper.120, which does not imply your system has been infected by this trojan server. Investigating what keeps the port open is a good thing to do nevertheless.

    NAV is a decent antivirus - although bloathware IMHO. Tauscan is out of competition; can't handle many nasties at all. ZA: well, go for the firewall that suits you best - preferably a rule based one, making sure your rule base is rock solid. TrojanHunter has a too small database as it is at this very moment - but is user friendly indeed.

    regards.

    paul
     
  6. jamming

    jamming Guest

    Try closing your browser for a few minutes and then Scan again and see if that port is still in use. The browser opens temporary ports sometimes after establishing a Port 80 connection, this is normal, but some of the ports it opens randomly match ports that Trojans use.
     
  7. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Try a scan with TDS - the file names you mentioned are known GT Bot variants, this one is called ZCrew. The main trojan file you need to remove will be a RUNNING EXE file about 600k, and I can bet it was the one called iexplorer or expiorer.

    TDS should detect the EXE fine, we detect a large number of these modified MIRC clients which the bots use. If its a new one, a process memory scan would most likely find it anyway (feel free to submit a copy)

    Even a trace scan could detect all the files you mentioned, as they are well known to TDS.
     
  8. craign

    craign Registered Member

    Joined:
    Feb 15, 2003
    Posts:
    3
    the name of the trojan was windows500 and ghost 200.
    i have already deleted iexplore.exe and IEXPLORE.
    but they have returned , also i have 4 svhosts now.
    nav2002 found one and named as IRCchat trojan.
     
  9. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    I recommend the advice as given by Gavin above. Grab a trial version from TDS, update the latest radius file manually (grab it from the DCS website) and perform a full deep system scan. The - rather quite simple - basic configuration instructions can be found as a sticky post on the TDS forum.

    TDS is able to clean your system once and for all. Make sure to disable the Guard from TH before starting a scan.

    Keep us posted!

    regards.

    paul
     
  10. Alexander Pacek

    Alexander Pacek Registered Member

    Joined:
    Jun 14, 2004
    Posts:
    7
    Backdoor.SdBot in locked file...HELP!!!

    Dear Folks,
    My first post. I am desperate. I am using Windows XP, and have been notified I have the BackDoor.SdBot.28.BV trojan in the file RASMNGR.EXE. I used AVG and it didn't get rid of it. I used Hijack This, and it didn't get rid of it.

    FINALLY I used TDS and after a very long scan, it gave the message: "cannot read c:\windows\system32\rasmngr.exe as file is locked".

    Please help, if anyone knows what to do!!! Very much appreciated!

    Best,

    Alexander Pacek
    ~snip~ @polisci. tamu. edu
     
    Last edited by a moderator: Jul 2, 2004
  11. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Alexander Pacek,

    Are you using a 30-day trial version of TDS3? If yes, then you will have to manually bring the database up-to-date.

    Following the instructions here for Updating.

    Under the "Manual Update" right click on the radius.td3 file and choose "Save target as". Then in the "Save in" box browse to the C:\Program Files\TDS3 folder (provided that is the location of your TDS-3 directory) and save it there. A prompt will appear telling you that there is already a radius.td3 file there "do you want to overwrite it" click Yes.

    Once TDS3 is up todate, then bring up the TaskManager and end the running process for the rasmngr.exe.

    Zip up a copy of the rasmngr.exe and email it to submit@diamondcs.com.au for analysis

    Then open TDS3, press scan control, and tick all the boxes in the bottom part of the window, press save configuration and then close the window by pressing the red X in top right corner. Select System Testing and select Full System Scan.

    Let us know if you were able to delete the infected file.

    Regards,

    snap
     
  12. Alexander Pacek

    Alexander Pacek Registered Member

    Joined:
    Jun 14, 2004
    Posts:
    7
    Thanks for the advice. This morning, AVG reports in its log that the BackDoor.SdBot.28.BV trojan was healed. I have no idea why, as the same AVG told me it wasn't able to fix it earlier.

    Also, the RASMNGR.EXE icon, which was the blank blue box Windows uses before, has now changed to the multi-colour MSDOS icon. I suppose this is "good?"

    I wish I were not so ignorant about these things! Again, thanks for the assistance. I hope TDS keeps these damn things out in the future.

    Best,

    Alex Pacek
     
Thread Status:
Not open for further replies.