[Full-Disclosure] Backdoor.Sdbot.N Question
nick at virus-l.demon.co.uk
Tue Sep 9 04:12:32 BST 2003

"James Patterson Wicks" <pwicks at oxygen.com> wrote:

> Anyone know how Backdoor.Sdbot.N spreads? ...

"Backdoor", if properly used in naming malware (with commercial AV
vendors that is long odds, but let's assume...) is a classification of
a non-replicating and thus non-self-spreading form of malware. Thus,
the answer is, it doesn't spread by itself.

Of course, it can be spread by any means of software distribution you
can imagine _other than_ those that fall under self-replication.

> ... This morning we had several
> users pop up with this trojan (or a new variant). ...

What precisely do you mean by this?

You go on to say that whatever it is they have is not detected by your
virus scanner, so how do you know what these machines have? (Let alone
to such a fine degree of variant naming as ".N"??)

> ... These users generated a
> ton of traffic until their machines were unplugged from the network.
> Their systems have all the markers for the Backdoor.Sdbot.N trojan
> (registry entries, etc), but it was not picked up by the Norton virus scan.
> In fact, even if you perform a manual scan after the trojan was
> discovered, it is still not detected in the scan.

Perhaps it is a repackaged version of that malware.

Perhaps it is an entirely new malware that just happens to use the
same settings? (The fashion of using existing "legitimate" filenames,
or close approximations thereto, coupled with the rather limited
imaginations of your typical skiddies means that originality in such
matters is not common...)

> I would also like to know if this is also an indicator of not having the
> patch for the Blaster worm.

Well, as we really have no idea what you actually have, it would be a
tad tricky to say anything much useful about that... You have the
machines though, so why don't you test them for the installation of the

As to the "big picture" of your question -- these machines could have
almost anything distributed almost any way. The last few days exploits
of the "Object Data Tag" vulnerability of MS03-032 have been popular
for "distributing" all manner of scumware, so maybe they got smacked
with one of those? Or maybe with any of dozens of other things.

Have you sent the suspect file(s) from these machines to a couple of
malware analysis labs? To save you looking them up, here are the
suspicious file submission addresses of the better known AV developers:

Command Software <virus at commandcom.com>
Computer Associates (US) <virus at ca.com>
Computer Associates (Vet/EZ) <ipevirus at vet.com.au>
DialogueScience (Dr. Web) <Antivir at dials.ru>
Eset (NOD32) <sample at nod32.com>
F-Secure Corp. <samples at f-secure.com>
Frisk Software (F-PROT) <viruslab at f-prot.com>
Grisoft (AVG) <virus at grisoft.cz>
H+BEDV (AntiVir) <virus at antivir.de>
Kaspersky Labs <newvirus at kaspersky.com>
Network Associates (McAfee) <virus_research at nai.com>
Norman (NVC) <analysis at norman.no>
Sophos Plc. <support at sophos.com>
Symantec (Norton) <avsubmit at symantec.com>
Trend Micro (PC-cillin) <virus_doctor at trendmicro.com>
(Trend may only accept files from users of its products)

Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
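Before mailing suspect files to any of the labs listed above, an incident responder normally records each file's size and hashes first, so that the lab's reply (and later scanner detections) can be matched back to exactly what was sent. The script below is an added example and is not part of the original post; it assumes the suspect files have already been copied off the affected machines into a single quarantine directory (the `build_constructed_samples` helper writes two harmless placeholder files, not real malware, purely so the script runs offline). It reads the files, never executes them, and prints a plain-text manifest to paste into the submission mail.

```python
"""Triage manifest for suspect files prior to AV-lab submission.

Added example (not from the original post). Assumes the suspect files
have already been copied into one quarantine directory; nothing here
executes or modifies those files, it only reads and hashes them.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def md5_hex(data: bytes) -> str:
    # MD5 is kept only because many 2003-era lab replies quote it; SHA-256 is the real identifier.
    return hashlib.md5(data).hexdigest()


def looks_like_pe(data: bytes) -> bool:
    """True if the file starts with the 'MZ' marker of a Windows executable.

    A cheap first-pass hint for the manifest, not a full PE parse.
    """
    return data[:2] == b"MZ"


def triage_file(path: str) -> dict:
    """Collect the identifying facts a lab will want alongside the sample."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {
        "name": os.path.basename(path),
        "size": len(data),
        "md5": md5_hex(data),
        "sha256": sha256_hex(data),
        "pe": looks_like_pe(data),
    }


def triage_directory(directory: str) -> list:
    """Triage every regular file in the quarantine directory, in name order."""
    records = []
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if os.path.isfile(full):
            records.append(triage_file(full))
    return records


def render_manifest(records: list, host: str) -> str:
    """Plain-text manifest to paste into the submission mail."""
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%MZ")
    lines = [f"Suspect files from host {host}, collected {stamp}"]
    for r in records:
        kind = "PE executable" if r["pe"] else "non-PE"
        lines.append(f"{r['name']}  {r['size']} bytes  {kind}")
        lines.append(f"  md5    {r['md5']}")
        lines.append(f"  sha256 {r['sha256']}")
    return "\n".join(lines)


def build_constructed_samples() -> str:
    """Write two constructed placeholder files (NOT real malware) into a temp dir."""
    directory = tempfile.mkdtemp(prefix="quarantine_")
    with open(os.path.join(directory, "suspect.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 62)  # fake 64-byte DOS header stub, nothing more
    with open(os.path.join(directory, "empty.dat"), "wb") as fh:
        pass  # zero-length file, to show the manifest handles it
    return directory


if __name__ == "__main__":
    sample_dir = build_constructed_samples()
    # Host name is a placeholder; use the real affected machine's name in practice.
    print(render_manifest(triage_directory(sample_dir), host="HOST-PLACEHOLDER"))
```

Run it once per quarantined machine and keep the printed manifest with the ticket; when a lab answers with a detection name, the SHA-256 tells you which of the submitted files it refers to and lets you confirm the scanner now flags that exact file.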

Full-Disclosure is hosted and sponsored by Secunia.