
W32/Sdbot.worm!ftp Can't get rid of it... Win2003 SP1 INSTALLED

nagib asked (Medium Priority, 625 Views, Last Modified: 2010-08-05):
Can't get rid of W32/Sdbot.worm!ftp
Keep getting a message in Event Viewer from McAfee saying it caught an infected file 'c:\winnt\system32\tt' that's infected with W32/Sdbot.worm!ftp.

This is the only computer on the network to get this virus message. I already tried to install the patch, but I already have SP1 installed so it didn't let me re-install.
As I don't have any idea what to do, I decided to remove Search and Destroy Bot (spyware remover) since its initials are SDbot, but I don't know the results of this change yet.

Running:
WINDOWS 2003 SERVER SP1
McAfee VirusScan
Virus Def. 4728
Scan Engine 4400

r-k

Commented:
The worm may have installed an ftp server on your system. I would look for anything unusual that is installed or running as follows:

 Download and run Autoruns from: http://www.sysinternals.com/Utilities/Autoruns.html
 Use Options -> Hide Microsoft Entries to reduce the display.
 Look for anything unusual.
 If not sure, save the log to a text file and cut and paste it here.

Second, maybe a good idea to download RootkitRevealer from: http://www.sysinternals.com/Utilities/RootkitRevealer.html
and scan your system. If anything interesting post it here (but don't post the entire log if it is very big)

Third, review what patches your server might need by running MBSA from: http://www.microsoft.com/technet/security/tools/mbsahome.mspx
Information on what you have.
http://vil.mcafeesecurity.com/vil/content/v_128082.htm#top
McAfee removal instructions. (Does not state to perform in Safe Mode but I suggest you try.)
http://vil.nai.com/vil/content/v_128685.htm#RemovalInstructions
Microsoft Security Bulletin concerning this issue (2004).
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
:-)

Author

Commented:
Forgot to say I am running SQL 2000 SP3
Commented:
"..running SQL 2000 SP3"

You probably should upgrade to SP4. I believe there are a number of weaknesses in SP3.

Also want to make sure important passwords are long and hard to guess.

Review usernames on the server, sometimes hackers will create a bogus username for later breakins.


Author

Commented:
Automatic Update is ON

All of your suggestions, r-k, end up with a huge txt list and I couldn't find anything strange in it
r-k

Commented:
If you're saying that the RootkitRevealer scan results in a big list, save that to a text file, then examine carefully the first 50 lines or so in that. If you find anything that refers to a device driver, perhaps a *.sys or *.dll file, that may be a hint of trouble so please post that section here.

In Autoruns you can select the Options -> Hide Microsoft Entries and that should reduce the list to a manageable size.
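The triage r-k describes (save the RootkitRevealer log, then pull out the entries that point at a driver or DLL) can be automated. The script below is an added example, not code from this thread or from Sysinternals; it assumes the saved log is tab-separated (path, timestamp, size, discrepancy text) and the sample lines are constructed, including the hypothetical file names hiddrv.sys and example_unknown.dll.

```python
from typing import Dict, List

# Constructed sample of a saved RootkitRevealer log. The tab-separated layout
# (path, timestamp, size, discrepancy) is an assumption; file names other than
# the 'tt' file mentioned in the question are hypothetical.
SAMPLE_LOG = """\
HKLM\\SOFTWARE\\Classes\\CLSID\\{00000000-0000-0000-0000-000000000000}\t6/2/2005 10:12 AM\t0 bytes\tKey name contains embedded nulls (*)
C:\\WINNT\\system32\\drivers\\hiddrv.sys\t6/2/2005 10:14 AM\t38.50 KB\tHidden from Windows API.
C:\\WINNT\\system32\\tt\t6/2/2005 10:14 AM\t0 bytes\tHidden from Windows API.
C:\\Documents and Settings\\Administrator\\ntuser.dat.LOG\t6/2/2005 10:15 AM\t1.00 MB\tVisible in Windows API, but not in MFT or directory index.
C:\\WINNT\\system32\\example_unknown.dll\t6/2/2005 10:16 AM\t12.00 KB\tHidden from Windows API.
"""

# Extensions r-k singles out as a hint of a kernel driver or injected library.
DRIVER_EXT = (".sys", ".dll")


def parse_log(text: str) -> List[Dict[str, str]]:
    """Split the saved log into records; lines that are not 4 tab-separated fields are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4:
            continue
        path, stamp, size, note = parts
        entries.append({"path": path, "time": stamp, "size": size, "note": note})
    return entries


def triage(text: str) -> Dict[str, List[str]]:
    """Bucket discrepancies: hidden drivers/DLLs first, other hidden objects next, the rest last."""
    buckets: Dict[str, List[str]] = {"hidden_drivers": [], "hidden_other": [], "other": []}
    for e in parse_log(text):
        hidden = "hidden from windows api" in e["note"].lower()
        if hidden and e["path"].lower().endswith(DRIVER_EXT):
            buckets["hidden_drivers"].append(e["path"])
        elif hidden:
            buckets["hidden_other"].append(e["path"])
        else:
            # Embedded-null keys and MFT/index mismatches are worth a look but are lower priority.
            buckets["other"].append(e["path"])
    return buckets


if __name__ == "__main__":
    for bucket, paths in triage(SAMPLE_LOG).items():
        print(bucket)
        for p in paths:
            print("  " + p)
```

Post only the hidden_drivers and hidden_other sections of the real log rather than the whole file.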

Author

Commented:
Guys, I solved the problem by closing port number 1433 (SQL port) and the virus did not bother me again.
Thanks,
Nagib Melo
Belém - Para - Brasil
The place of girls, parties and stuff... :)