IRC/BackDoor.Sdbot.25.AD anyone?

Discussion in 'malware problems & news' started by LOTL, Jul 12, 2004.

Thread Status:
Not open for further replies.
  1. LOTL

    LOTL Registered Member

    May 12, 2004
    Has anyone heard of this Trojan before? AVG has detected this on a friends PC, but i cant find any relevant info on it. The only thing close to that name that i found was: Trojan horse IRC/BackDoor.sdBot.27 and nothing specific for removal instructions.
    Any help would be appreciated. If a Hijack this log would be helpful please let me know.
    I have sent a link for the online Trojan scan @
    and hopefully it may detect and call it by something more recognizable.
  2. Jooske

    Jooske Registered Member

    Feb 12, 2002
    Netherlands, EU near the sea
    Hi there,
    could not find info on it either, there are so many of them with sometimes only slight differences; maybe the general instructions and which files to look for does help anyway.
    If AVG doesn't deal properly with it, disable AVG completely (Open AVG GUI - uncheck all the checkmarks - close AVG) and use another scanner, online or another one you like, or get TDS from the site (free 30 day eval) , make sure all scanners are still closed, install TDS, back on the site get the latest radius update, reboot if you hadn't done after the install and have a full system scan.
    In the end rightclick in bottom alerts console the finds to test (scandump.txt) and paste that in your next posting. If necessary the HJT log is an option, see in [thread]15913[/thread] about posting it.
    I had you closing AVG to give other scanners free access to every file and being able to deal with them if necessary.
    Also the HJT log could show more files which could else be hidden with AVG.
    TDS does not delete any file by itself, this is why your log is important to look what to do with the alerts.

    Please post back so we know how it goes.
  3. LOTL

    LOTL Registered Member

    May 12, 2004
    OK here goes. Ran both TDS-3 Full system scan and Trends housecall.
    I also have the laptop with me, and she had both NAV and AVG running and both were reporting different virus's,trojans etc.
    Ill list what each one found below. Windows is also reporting an error when starting: "Error loading C:\Windows\System32\Bridge.dll The specified module could not be found" I started getting this error after i installed Adaware and let it clean out over 300 nasties. When trying to run HJT i was getting an error, and it wouldnt let me save the logfile. Ill post the actual error message later if need be.

    (i did not run full system scans with NAV and AVG. The results below are just what kept popping up as i was working with the laptop).
    NAV: W32.Spybot.Worm
    AVG: PSW.Briss.E
    AVG: Downloader.Istbar.3.BE
    AVG: Trojan Horse IRC/Backdoor.SDBot.25.AD
    AVG: Trojan Horse Downloader.Agent.AS
    Housecall Online Scan: Troj IMIServ.C
    Housecall Online Scan: Bat Sasser.A
    Housecall Online Scan: Worm Rbot.R
    Housecall Online Scan: Worm Rbot.AP

    TDS-3 Full System Scan Results:
    Scan Control Dumped @ 05:47:39 14-07-04
    Live trojan found (in process memory): DCOM RPC Exploit
    File: C:\WINDOWS\System32\wkssvr.exe

    RegVal Trace: Suspicious: HKEY_LOCAL_MACHINE
    File: SOFTWARE\Microsoft\Windows\CurrentVersion\Run [rundll=rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load]

    File Trace: Default trojan filename: Suspicious
    File: c:\command.exe

    File: Software\Microsoft\Windows\CurrentVersion\Run [Microsoft Update=wserv32.exe]

    File: Software\Microsoft\Windows\CurrentVersion\RunServices [Microsoft Update=wserv32.exe]

    Positive identification <Adv>: Possible WebDownloader
    File: c:\command.exe

    Positive identification <Adv>: Possible WebDownloader
    File: c:\xpfirewall.exe

    Positive identification: Adware.BiSpy.f
    File: c:\documents and settings\owner\local settings\temp\thi3a68.tmp\preinstt.exe

    Positive identification (DLL): Adware.BiSpy.c (dll)
    File: c:\documents and settings\owner\local settings\temp\thi3a68.tmp\twaintec.dll

    Positive identification (DLL): Adware.BargainBuddy.e (dll)
    File: c:\program files\bargain buddy\bin2\apuc.dll

    Positive identification: Adware.BiSpy.f
    File: c:\windows\preinstt.exe

    Positive identification (DLL): Adware.IMI (dll)
    File: c:\windows\systb.dll

    Positive identification (DLL): (dll)
    File: c:\windows\wsem218.dll
  4. domino

    domino Guest

    hey guys...i was also a victim of this irc/backdoor sdbot virus which i just think came from anti virus itself, i use avg anti virus and found out that i had this i mmediately uninstall the anti virus and look to the internet for a solution and notice that all of users of this avg anti virus got this same kind of virus as i had...

    what i just did is i removed the autostart entries from the registry;

    open registry editor:

    locate the entry and delete.

    do the same thing with HKEY_CURRENT_USER

    Hope this will help...
  5. LOTL

    LOTL Registered Member

    May 12, 2004
    I think you may be right about AVG. After updatying to the latest definitions it no longer detected IRC/Backdoor.SDBot.25.AD.
    I had also followed the removal procedures for W32.Spybot.Worm from here right before rescanning with AVG, so that may have had something to do with it.
    Thanks for the help.
Thread Status:
Not open for further replies.