[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now


W32/Sdbot.worm!ftp Cant get rid of it... Win2003 SP1 INSTALLED

Posted on 2006-03-30
Medium Priority
Last Modified: 2010-08-05
Cant get rid off W32/SDbot.Warm!FTP
Keep getting messege on Event Viewer from McAfee saying it caught an infected file 'c:\winnt\system32\tt' that's infected with W32/Sdbot.worm!ftp.

This is the only computer on the network to get this virus messege, I already tried to install the patch, but I already have the SP1 installed so it didnt let me re-install
As I dont have any idea of what to do, I decided to remove Search and Destroy Bot (spyware remover) since its intial are SDbot but I dont know the resusts of this change yet.

McFee Virus Scan
Virus Def. 4728
Scan Engine. 4400
Question by:nagib
  • 3
  • 3
LVL 32

Expert Comment

ID: 16337669
The worm may have installed an ftp server on your system. I would look for anything unusual that is installed or running as follows:

 Download and run Autoruns from: http://www.sysinternals.com/Utilities/Autoruns.html
 Use Options -> Hide Microsoft Entries to reduce the display.
 Look for anything unusual.
 If not sure, save the log to a text file and cut and paste it here.

Second, maybe a good idea to download RootkitRevealer from: http://www.sysinternals.com/Utilities/RootkitRevealer.html
and scan your system. If anything interesting post it here (but don't post the entire log if it is very big)

Third, review what patches your server might need by running MBSA from: http://www.microsoft.com/technet/security/tools/mbsahome.mspx
LVL 27

Expert Comment

ID: 16337936
Information on what you have.
Mcafee removal instructions. (Does not state to perform in Safe Mode but I suggest you try.)
Microsoft Security Bulletin concerning this issue (2004).

Author Comment

ID: 16338085
Forgot to say I am Running SQL2000 SP3
Cyber Threats to Small Businesses (Part 2)

The evolving cybersecurity landscape presents SMBs with a host of new threats to their clients, their data, and their bottom line. In part 2 of this blog series, learn three quick processes Webroot’s CISO, Gary Hayslip, recommends to help small businesses beat modern threats.

LVL 32

Accepted Solution

r-k earned 600 total points
ID: 16338110
"..Running SQL2000 SP3"

You probably should upgrade to SP4. I believe there are a number of weaknesses in SP3.

Also want to make sure important passwords are long and hard to guess.

Review usernames on the server, sometimes hackers will create a bogus username for later breakins.

Author Comment

ID: 16345148
Automatic Update is ON

All of your r-k sugestions end up with a huge txt list and I couldn find anything strange on it
LVL 32

Expert Comment

ID: 16345437
If you're saying that the RootkitRevealer scan results in a big list, save that to a text file, then examine carefully the first 50 lines or so in that. If you find anything that refers to a device driver, perhaps a *.sys or *.dll file, that may be a hint of trouble so please post that section here.

In Autoruns you can select the Options -> Hide Microsoft Entries and that should reduce the list to a manageable size.

Author Comment

ID: 16386447
Guys, I solved the problem by closing the port number 1433 (SQL port) and the virus did not bother me again.  
Nagib Melo
Belém - Para - Brasil
The place of girls, parties and stuff... :)

Featured Post

A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

PREFACE The purpose of this guide is to explain what the SEPC Status Utility is and how it works. I have written the utility using AutoIt and have included the source code for your review. You are welcome to modify the code to your liking, but I wi…
Have you ever tried to find someone you know on Facebook and searched to find more than one result with the same picture? Perhaps someone you know has told you that they have a 'facebook stalker' or someone who is 'posing as them' online and ta…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Suggested Courses

872 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question