
SDBot Variant - No Detection?

Tuesday, February 08, 2005
Author: Richard S. Westmoreland
Permalink: 20050208115153988
Virus Alerts


I have found a handful of machines that showed up with a virus infection that Symantec will not detect. It's rather simple too. A process "Svhost.exe" runs from either c:\Windows\system32\Svhost.exe or as a prefetch file (.pf extension). In the registry Run key, it just loads Svhost.exe with the name "Microsoft Update".

It's very easy to remove - just end the process, delete the file, and delete the reg entry. Then run Windows Update and install all critical fixes.
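As an added example (not part of the original post), here is a read-only PowerShell triage check for the indicators described above: the Svhost.exe file and process, its prefetch trace, and the Run-key value named "Microsoft Update". It reports and removes nothing; the function name is mine.

```powershell
# Added example, not the original author's code. Read-only: it only lists findings.
function Find-SvhostIndicators {
    $Findings = @()

    # 1. A running process with the look-alike name (legitimate Windows uses svchost.exe).
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.ProcessName -ieq 'svhost' } |
        ForEach-Object { $Findings += "Process: PID $($_.Id) $($_.Path)" }

    # 2. The dropped file in system32.
    $FilePath = Join-Path $env:SystemRoot 'system32\Svhost.exe'
    if (Test-Path $FilePath) { $Findings += "File: $FilePath" }

    # 3. A prefetch trace (SVHOST.EXE-<hash>.pf) left behind by earlier runs.
    $Prefetch = Join-Path $env:SystemRoot 'Prefetch'
    Get-ChildItem $Prefetch -Filter 'SVHOST.EXE-*.pf' -ErrorAction SilentlyContinue |
        ForEach-Object { $Findings += "Prefetch: $($_.FullName)" }

    # 4. Run-key values named "Microsoft Update" or pointing at svhost.exe,
    #    in both the machine-wide and the current-user hive.
    $RunKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($Key in $RunKeys) {
        if (-not (Test-Path $Key)) { continue }
        $Props = Get-ItemProperty -Path $Key
        foreach ($Name in $Props.PSObject.Properties.Name) {
            if ($Name -like 'PS*') { continue }   # skip PSPath, PSChildName, etc.
            $Value = [string]$Props.$Name
            if ($Name -eq 'Microsoft Update' -or $Value -imatch '\bsvhost\.exe') {
                $Findings += "Registry: $Key\$Name = $Value"
            }
        }
    }

    if ($Findings.Count -eq 0) { return 'No Svhost.exe indicators found.' }
    return $Findings
}

Find-SvhostIndicators
```

Running it on a machine found positive by any of the four checks gives you the process ID, file path, prefetch file and registry value to act on when following the removal steps above.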

What I can't figure out is why the major antivirus vendors are not detecting such a simple variant. I was able to upload a sample file to Kaspersky and have it analyzed as Backdoor.Win32.Rbot.hf, but it's an incorrect analysis. The description of that variant does not match the characteristics of what we're seeing. A submission to Symantec reveals it to be an SDBot variant.

I have found that this virus acts as a trojan and is communicating to the same IP. It's either a denial of service attack or part of a zombie network. I have contacted the directors of the network the IP belongs to, and hope they will remove the server from the public.

Also to note, so far I have only seen Windows XP machines get infected with this virus. If anyone else catches this, please let me know what you find out.