Trojan - BackDoor.SdBot.30BP


4 replies to this topic

#1 peterpaulmary (Full Member, 5 posts)

Posted 28 July 2004 - 02:39 PM

I thought I had rid myself of this Trojan when I posted it for information purposes about it 2 days ago. Anyways AVG says I still have it. Originally it was found by AVG in D:\Windows\System32\monsvc.exe and more recently in D:\System Volume Information\_restore{FAE136A3-F3CB-41EA-90D1-BFC7C5E775DD}\RP86\A0007907.exe. Unfortunately AVG can't remove it. Spybot and Ad-aware had no effect even when run in Safe Mode. I experimented with Trojan and virus removal software from windowsecurity.com, agnitum.com, pctools.com, Trendmicro.com and webroot.com but none of these worked on this Trojan. Below is my HijackThis log and I am hoping that someone can assist me with a solution. I am also curious why I seem to be the only person who encountered a Trojan named "BackDoor.SdBot.30.BP", although I see numerous other BackDoor variants mentioned at websites. How does the Trojan move from monsvc.exe to A0007907.exe?


Logfile of HijackThis v1.98.0
Scan saved at 5:16:33 PM, on 7/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\WINDOWS\System32\ZoneLabs\vsmon.exe
D:\WINDOWS\System32\ctfmon.exe
D:\WINDOWS\System32\cmd.exe
D:\Documents and Settings\Mary Paul\My Documents\HighJackThisSearchResults\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG_CC] D:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [AdaptecDirectCD] D:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [MaxtorCombo] "D:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe"
O4 - HKLM\..\Run: [MXO Auto Loader] D:\WINDOWS\MXOaldr.exe
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "D:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mov: D:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

#2 Marianna (Forum Deity, Retired Staff, 752 posts)

Posted 28 July 2004 - 09:17 PM

Hi peterpaulmary

Your log looks fine - as AVG found the trojan in D:\System Volume Information\_restore{FAE136A3-F3CB-41EA-90D1-BFC7C5E775DD}\RP86\A0007907.exe.

You only have to:

1. Disable System Restore (instructions here)
2. Reboot
3. Enable System Restore

That's it.
"The only source of knowledge is experience"
Albert Einstein (1879 - 1955)

Microsoft MVP Consumer Security 2006 - 2010
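The two points the thread turns on are both mechanical: reading a HijackThis log section by section (post #1), and recognising that a detection path under System Volume Information\_restore{...}\RPnn\ is a restore-point snapshot rather than a running file, which is why toggling System Restore clears it (post #2). The following script is an added example written for this page; it is not HijackThis code and not something either poster ran. The SAMPLE_LOG is a constructed excerpt in the shape of the log above, the O16 URL in it is a placeholder because the original is truncated, and the restore-point path is copied from post #1. The "bare filename" check is a review heuristic of my own, not a verdict: an autorun entry such as [Logitech Utility] Logi_MwX.Exe is perfectly normal, it simply cannot be located from the log alone.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of a HijackThis v1.98 log (abridged; the
# O16 URL is a placeholder, not the real download location).
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.0
Scan saved at 5:16:33 PM, on 7/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\Documents and Settings\Mary Paul\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG_CC] D:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://example.invalid/xscan53.cab
"""

# Path reported by AVG in post #1: a copy inside a System Restore point.
RESTORE_POINT_HIT = r"D:\System Volume Information\_restore{FAE136A3-F3CB-41EA-90D1-BFC7C5E775DD}\RP86\A0007907.exe"


@dataclass
class HjtEntry:
    kind: str   # section code such as "R0", "O2", "O4"
    body: str   # text after "<code> - "


@dataclass
class HjtLog:
    version: str
    platform: str
    processes: list
    entries: list


ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\", re.IGNORECASE)


def parse_hjt_log(text):
    """Split a HijackThis log into header fields, running processes and typed entries."""
    version = platform = ""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line.startswith("Logfile of "):
            version = line[len("Logfile of "):]
        elif line.startswith("Platform: "):
            platform = line[len("Platform: "):]
        elif line == "Running processes:":
            in_procs = True
        elif in_procs:
            processes.append(line)
        else:
            m = ENTRY_RE.match(line)
            if m:
                entries.append(HjtEntry(m.group(1), m.group(2)))
    return HjtLog(version, platform, processes, entries)


def autorun_entries(log):
    """Return (hive, key, value name, command) for every O4 Run entry."""
    found = []
    for e in log.entries:
        if e.kind == "O4":
            m = RUN_RE.match(e.body)
            if m:
                found.append((m.group(1), m.group(2), m.group(3), m.group(4)))
    return found


def executable_of(command):
    """Heuristic: quoted path taken whole, otherwise cut at the first ' /' switch."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    i = command.find(" /")
    return command[:i] if i != -1 else command


def review_findings(log):
    """Flag autorun commands that name a bare file (no drive or directory).

    Such entries resolve through the search path, so the log alone does not say
    which file on disk actually runs; they are listed for manual verification."""
    findings = []
    for hive, key, name, command in autorun_entries(log):
        exe = executable_of(command)
        if "\\" not in exe and ":" not in exe:
            findings.append(f"{hive}\\..\\{key} [{name}]: bare filename {exe!r}, locate it on disk")
    return findings


def is_restore_point_copy(path):
    """True when a detection path lies inside a System Restore point (_restore{GUID}\\RPnn\\)."""
    return RESTORE_RE.search(path) is not None


if __name__ == "__main__":
    log = parse_hjt_log(SAMPLE_LOG)
    print(log.version, "|", log.platform, "|", len(log.processes), "processes")
    for line in review_findings(log):
        print("REVIEW:", line)
    print("restore-point copy:", is_restore_point_copy(RESTORE_POINT_HIT))
```

The restore-point test explains the thread's answer: a file under _restore{GUID}\RPnn\ is only a snapshot that System Restore could put back later, so an on-demand scanner keeps reporting it until the restore points are purged, which is exactly what disabling and re-enabling System Restore does.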

#3 peterpaulmary (Full Member, 5 posts)

Posted 29 July 2004 - 09:57 PM

Thanks Marianna. I have done what you suggested and that seems to have cleared up the remnants of BackDoor.SdBot.30BP. While experimenting online with a number of antivirus software packages I unfortunately uncovered another troublesome virus which I am still having difficulty with. I will start a new topic under Worm - Kelar.A alias W32/Kelar.A alias Raleka alias W32/Raleka.worm etc.

#4 Marianna (Forum Deity, Retired Staff, 752 posts)

Posted 29 July 2004 - 10:16 PM

You're Welcome :)

Will see if I can find the new thread :)

#5 Marianna (Forum Deity, Retired Staff, 752 posts)

Posted 29 July 2004 - 10:26 PM

HI :)

I found some info about W32/Raleka-B.

Aliases: W32.HLLW.Raleka, Win32/Raleka.A, Worm.Win32.Raleka.b

Description
W32/Raleka-B is a network worm which uses the Microsoft DCOM RPC vulnerability to propagate across a network.

The worm will attempt to connect to vulnerable computers and upload and execute the following files:
svchost.exe, ntrootkit.exe, ntrootkit.reg and service.exe

Svchost.exe is a copy of the worm itself.
Ntrootkit.exe is a copy of the backdoor Trojan Troj/RtKit-11.
Ntrootkit.reg is a file used to run Troj/RtKit-11 on Windows XP systems.
Service.exe is a legitimate utility.

The worm will attempt to download and install the Microsoft patch for the DCOM RPC vulnerability.

W32/Raleka-B includes backdoor functionality. The worm will attempt to contact IRC servers and await instructions from a remote attacker.

Microsoft has issued a patch for the vulnerability exploited by this worm. The patch is available from www.microsoft.com/technet/security/bulletin/MS03-026.asp.


http://www.sophos.co...w32ralekab.html




Member of ASAP and UNITE