Another day, another worm. No real protection against this one if a user downloads it and runs it... To spread, it simply uses an internal database of usernames / passwords to try and compromise local accounts on other systems and install itself. Symantec Antivirus defs (10/12) found this on some machines but wouldn't clean it (tried to delete it without killing the process...FAILED)... on a couple other machines, it didn't even see it... even with like 4 instances of the bug loaded into memory....
Anyway, here's a cleaning tool. Not the most perfect code, but kills the thing quick like... oh... if you do get this, make sure local accounts have strong passwords after cleaning or you might just get re-infected.
CLEANSDBOT.WBT
;---------------------------------------------------------------------------------------------------
; WORM_SDBOT.XS Removal Tool
; -= KK (Crypt) 2004 =-
; Reference: http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?Vname=WORM_SDBOT.XS
;
; Note: Different AV vendors call it by different names and may detect it as another variant...
; Symantec Antivirus did detect this on some machine with current defs but was failing to remove it.
;---------------------------------------------------------------------------------------------------
;Addextender("wproc34i.dll")
;Addextender("wwpst34i.dll") ; Postie for Email routine...can be commented out if you don't want the email
addextender("WWPST44I.DLL")
addextender("WWPRC44I.DLL")

Windir=Environment("Windir")

; Kill every running instance of the worm; repeat until the process list is clean.
:Top
ProcessList=tListProc()
Exists=StrIndexWild(ProcessList,"integator.exe",1)
If Exists !=0 Then IntControl (56,"integator.exe", 1, "", 0)
If Exists !=0 Then Goto Top

; Delete the dropped copies now that no process holds them open.
If FileExist("%WinDir%\integator.exe") Then FileDelete("%WinDir%\integator.exe")
If FileExist("%WinDir%\System32\integator.exe") Then FileDelete("%WinDir%\system32\integator.exe")

; Remove the "Windows Fix" autostart values.
If RegExistValue(@REGMachine,"SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices[Windows Fix]") !=0
   RegDelValue(@REGMachine,"SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices[Windows Fix]")
EndIf

If RegExistValue(@REGCurrent,"SOFTWARE\Microsoft\Windows\CurrentVersion\Run[Windows Fix]") !=0
   RegDelValue(@REGCurrent,"SOFTWARE\Microsoft\Windows\CurrentVersion\Run[Windows Fix]")
EndIf

; The e-mail notification sits inside this last If, so it is sent only when
; the HKLM Run value was present on the machine.
If RegExistValue(@REGMachine,"SOFTWARE\Microsoft\Windows\CurrentVersion\Run[Windows Fix]") !=0
   RegDelValue(@REGMachine,"SOFTWARE\Microsoft\Windows\CurrentVersion\Run[Windows Fix]")

   ;Email routine can be commented out if you don't want it..
   MachineName=Environment("ComputerName")
   UserName=Environment("Username")
   SendTo = "somerecipient@your.domain.com"
   Host="mailhost"
   From = "FromAddress@your.domain.com"
   UserId=""
   Password=""
   Port="25"
   CCList=""
   BCCList=""
   Subject=StrCat("-= Virus Found on ", MachineName, " (user=",Username,") =-")
   Msg="Was found infected with SDBOT"
   Attachments=''
   Flags=""
   kInit(Host,From,UserId,Password,Port)
   kDest(SendTo,CCList,BCCList)
   kSendText(Subject,Msg,Attachments,Flags)
EndIF
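
To confirm a machine stayed clean after running the tool, the following read-only check looks for the same leftovers the script removes and flags local accounts that invite re-infection. It is an added PowerShell example, not part of the original WinBatch article; the indicator names come from the script above, and the account check assumes Windows PowerShell 5.1 or later (`Get-LocalUser`).

```powershell
# Added example: read-only sweep for what CLEANSDBOT.WBT removes. Deletes nothing.
# Indicator names (integator.exe, "Windows Fix") are taken from that script.
$exe       = 'integator.exe'
$valueName = 'Windows Fix'
$findings  = @()

# 1. Running instances (Get-Process takes the name without the extension).
$procName = [IO.Path]::GetFileNameWithoutExtension($exe)
foreach ($p in (Get-Process -Name $procName -ErrorAction SilentlyContinue)) {
    $findings += "process: $exe (PID $($p.Id))"
}

# 2. Dropped copies in %WinDir% and %WinDir%\System32.
foreach ($dir in $env:WinDir, (Join-Path $env:WinDir 'System32')) {
    $path = Join-Path $dir $exe
    if (Test-Path -LiteralPath $path) { $findings += "file: $path" }
}

# 3. Autostart values under the three keys the script cleans.
$keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $keys) {
    $item = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
    if ($item) { $findings += "registry: $key [$valueName] = $($item.$valueName)" }
}

# 4. Re-infection risk: enabled local accounts that do not require a password.
#    This cannot measure password strength; it only catches the weakest case.
if (Get-Command Get-LocalUser -ErrorAction SilentlyContinue) {
    $weak = Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired }
    foreach ($u in $weak) {
        $findings += "account: $($u.Name) is enabled and does not require a password"
    }
}

# Exit code 0 = clean, 1 = something found, so the check can be run from a login script.
if ($findings.Count -eq 0) {
    Write-Output "$($env:COMPUTERNAME): no SDBOT leftovers found"
    exit 0
}
$findings | ForEach-Object { Write-Output "$($env:COMPUTERNAME): $_" }
exit 1
```

The HKCU key is per user, so run the check in the affected user's session as well as from an administrative one.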
Article ID: W16709
File Created: 2013:04:01:09:21:08
Last Updated: 2013:04:01:09:21:08