SDBot - A Visitor to Eliminate
SDBot is a 64,000-byte file that was first noticed in 2002, but new versions of it are still being noticed. It keeps mutating and changing its form to hide from users and from security software. Protecting yourself can be tough, but it is essential. More than one thousand people have reported having SDBot on their systems; that makes it far from the most widely distributed adware product, but the number seems to be growing by the day.
How Does SDBot Work?
SDBot uses random ports on your computer and exploits a weakness in Microsoft Windows to become a part of your machine. In addition to slowing your machine down, it can deliver other adware to your machine, stop the programs you are currently running, and leave your machine open to other adware programs each time you browse online. Moreover, it can wipe your firewall and completely change your current security settings. You may even notice blue screen errors on a regular basis with SDBot. Because SDBot creates a number of registry keys when it enters your machine, it will always be running in the background. This can clog up your machine and slow down every single program that you want to run. Essentially, SDBot installs a trojan that opens a backdoor into your system and lets someone else control your computer over IRC (Internet Relay Chat). In most cases it attempts to communicate with one of the following IRC servers: bmu.h4x0rs.org, bmu.q8hell.org, or bmu.FL0W1NG.NE. It can continually update itself, and it will use your connection even when you're not online, causing a real hassle if you're a dial-up customer.
Are There Similar Programs?
Most experts suggest that more than one thousand variants are loose online. It has several other aliases, including: IRC-Sdbot [McAfee], Backdoor.IRC.SdBot [Kaspersky], BKDR_SDBOT.B [Trend], Troj/Sdbot-B [Sophos], and Win32.SdBot.14176 [CA].
What Systems are Affected by SDBot?
Most adware experts suggest that it can infect Windows XP, Windows 2000, Windows 98, Windows 95, and Windows Server. The primary port affected is 6667, the default IRC port. Known file names for SDBot include:
Aim95.exe
CMagesta.exe
Cmd32.exe
Cnfgldr.exe
Explorer.exe
FB_PNU.EXE
IEXPL0RE.EXE
MSTasks.exe
MSsrvs32.exe
Mssql.exe
Regrun.exe
Svchosts.exe
Sys32.exe
Sys3f2.exe
Syscfg32.exe
Sysmon16.exe
YahooMsgr.exe
cthelp.exe
iexplore.exe
ipcl32.exe
quicktimeprom.exe
service.exe
sock32.exe
spooler.exe
svhost.exe
syswin32.exe
vcvw.exe
winupdate32.exe
xmconfig.exe
Once your computer has SDBot, it will try to send the trojan to other computers and cause the same problems on the machines it has communicated with. All of your system information, including the network information from your machine, can be sent to a remote party, putting you at serious security risk. Lots of files can be downloaded and run on your computer once SDBot becomes a part of your machine, and Denial of Service attacks can be performed on third parties, implicating your machine in the attack. Moreover, it can even uninstall itself, removing any trace of the fact that it ever existed.
How Did I Get SDBot?
Most users report that it installed through a trojan they picked up on one of many sites they were visiting. It might have used any of the following to become part of your system:
DCOM RPC vulnerability (MS03-026)
WEBDAV vulnerability (MS03-007)
LSASS vulnerability (MS04-011)
ASN.1 vulnerability (MS04-007)
Workstation Service vulnerability (MS03-049)
PNP vulnerability (MS05-039)
Imail IMAPD LOGIN username vulnerability
Cisco IOS HTTP Authorization Vulnerability
How Can I Remove SDBot?
It's a fairly difficult one to remove, but it certainly isn't so difficult that a Windows reinstall will be necessary to take care of the problem. There are several ways you can take care of it.

First, you can try to restore your machine to its last known good settings. This, however, only works for some Windows users. If you're interested in this option, it can be accessed just before Windows starts: press F8 and choose "Last Known Good Configuration." Keep in mind, though, that this could cause you to lose data, and it will only work on the first restart after SDBot has become part of your system.

Another option is to edit your registry. A list of registry keys affected by SDBot follows this article. Working with your registry is both difficult and dangerous, and if you're not sure how to do it, it's best to employ the help of a professional. The registry is quite delicate, and while working with it may help to remove SDBot, making a mistake will most certainly further compromise your system.

Your final option is to run your current anti-spyware software. If you don't have anti-spyware software on your machine, it's time to get some. Malwarebytes Anti-Malware (Malwarebytes offers free malware removal) is a pretty good choice, but if you intend to look around, make sure you do so in reputable places. Lots of adware poses as anti-spyware products, and downloading it will only put you in more of a pickle than you were in to start with.
SDBot is not only annoying, it's dangerous in terms of your personal information. Remove SDBot at your first opportunity.
The following registry subkeys can be affected:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
These registry values may also be present under those keys, and they should also be removed:
"Configuration Loader" = "%System%\iexplore.exe"
"Configuration Loader" = "MSTasks.exe"
"Configuration Loader" = "aim95.exe"
"Configuration Loader" = "cmd32.exe"
"Configuration Loader" = "IEXPL0RE.EXE"
"Configuration Manager" = "Cnfgldr.exe"
"Fixnice" = "vcvw.exe"
"Internet Config" = "svchosts.exe"
"Internet Protocol Configuration Loader" = "ipcl32.exe"
"MSSQL" = "Mssql.exe"
"MachineTest" = "CMagesta.exe"
"Microsoft Synchronization Manager" = "svhost.exe"
"Microsoft Synchronization Manager" = "winupdate32.exe"
"Microsoft Video Capture Controls" = "MSsrvs32.exe"
"Quick Time file manager" = "quicktimeprom.exe"
"Registry Checker" = "%System%\Regrun.exe"
"Sock32" = "sock32.exe"
"System Monitor" = "Sysmon16.exe"
"System33" = "%System%\FB_PNU.EXE"
"Windows Configuration" = "spooler.exe"
"Windows Explorer" = "Explorer.exe"
"Windows Services" = "service.exe"
"Yahoo Instant Messenger" = "Yahoo Instant Messenger"
"cthelp" = "cthelp.exe"
"stratas" = "xmconfig.exe"
"syswin32" = "syswin32.exe"
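As an added example (not code from the original article), the following Python script checks the output of `reg query` for the three autostart keys above against the value names and file names this article associates with SDBot. The `reg query` output embedded in it is constructed for the demonstration, not captured from a real machine.

```python
import re

# Autostart value names and file names this article lists for SDBot (matched case-insensitively).
# Explorer.exe/iexplore.exe are legitimate Windows names, so only their value names are matched.
SDBOT_VALUE_NAMES = {
    "configuration loader", "configuration manager", "fixnice", "internet config",
    "internet protocol configuration loader", "mssql", "machinetest", "sock32",
    "microsoft synchronization manager", "microsoft video capture controls", "system33",
    "quick time file manager", "registry checker", "system monitor", "windows explorer",
    "windows configuration", "windows services", "yahoo instant messenger", "cthelp",
    "stratas", "syswin32"}
SDBOT_EXECUTABLES = {
    "aim95.exe", "cmagesta.exe", "cmd32.exe", "cnfgldr.exe", "fb_pnu.exe", "iexpl0re.exe",
    "mstasks.exe", "mssrvs32.exe", "mssql.exe", "regrun.exe", "svchosts.exe", "sys32.exe",
    "sys3f2.exe", "syscfg32.exe", "sysmon16.exe", "yahoomsgr.exe", "cthelp.exe", "ipcl32.exe",
    "quicktimeprom.exe", "service.exe", "sock32.exe", "spooler.exe", "svhost.exe",
    "syswin32.exe", "vcvw.exe", "winupdate32.exe", "xmconfig.exe"}

# Constructed sample of "reg query <key>" output (not captured from a real machine):
# one benign entry plus three entries that match the indicators above.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Configuration Loader    REG_SZ    MSTasks.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    Microsoft Synchronization Manager    REG_SZ    C:\WINDOWS\System32\svhost.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Windows Explorer    REG_SZ    Explorer.exe
"""

VALUE_RE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s+(.*)$")   # "<name>    <REG_type>    <data>"
EXE_RE = re.compile(r'([^\\/"\s]+\.exe)', re.IGNORECASE)       # first file name inside the data

def scan_reg_query(text):
    """Return (key, value_name, data, reason) for each autostart entry hitting an indicator."""
    findings, key = [], ""
    for line in text.splitlines():
        if line.startswith("HKEY_"):              # reg query prints each key path unindented
            key = line.strip()
        elif m := VALUE_RE.match(line):
            name, data = m.group(1), m.group(3).strip()
            exe = EXE_RE.search(data)
            reasons = []
            if name.lower() in SDBOT_VALUE_NAMES:
                reasons.append("value name")
            if exe and exe.group(1).lower() in SDBOT_EXECUTABLES:
                reasons.append("executable")
            if reasons:
                findings.append((key, name, data, " and ".join(reasons)))
    return findings
```

Feed it the saved output of `reg query` for the three keys; anything it flags should still be checked before deletion, since a legitimate program could reuse one of these value names.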
For free automatic removal we recommend using Malwarebytes Anti-Malware. This program is widely recommended by reputable third-party sites, so you can be reasonably confident of its ability to safely get rid of SDBot and any hidden trojans. As a precaution we recommend double-checking your system with Spyware Doctor. This program requires paid registration to enable deletions; however, it has a money-back guarantee and is top of the line in malware removal. It should catch malware that evades Malwarebytes and block anything that tries to reinstall itself.
Important note: If Malwarebytes is blocked by malware then run Chameleon (Start Menu → All Programs → MalwareBytes' Anti-Malware → Tools → Malwarebytes' Anti-Malware Chameleon). If you need further help removing SDBot please email us at info@removeadware.com.au or call for personal assistance on toll-free number 888-655-3453, within the USA and Canada.
All content copyright 2006-2012, Bonobo Pty Limited. All Rights Reserved.