W32/Sdbot.worm!ftp
- Type: Virus
- SubType: Worm
- Discovery Date: 09/01/2004
- Length: Varies - approx 64 bytes
- Minimum DAT: 4389 (09/01/2004)
- Updated DAT: 5465 (12/15/2008)
- Minimum Engine: 5.1.00
- Description Added: 09/01/2004
- Description Modified: 09/03/2004 6:13 AM (PT)
Characteristics
This is a detection for an FTP script which is dropped by a virus.
The machine which identifies the script has been remotely "attacked" by a machine which is infected with one of many variants of W32/SDBot.worm.gen.
These variants of W32/SDBot.worm.gen exploit the DCOM-RPC vulnerability (see http://vil.nai.com/vil/content/v_100499.htm for details and a link to the patch) and the LSASS vulnerability (MS04-011) to cause a buffer overflow on the vulnerable machine, and then write this small FTP script to the local disk.
Under normal circumstances this FTP script would then be used to pull a copy of the worm from the original infected host; the worm would then run on the local system, infecting this machine further.
In this instance McAfee VirusScan has identified the FTP script before it was able to download this new variant of W32/SDBot.worm, but the system is still vulnerable and needs to be patched at the earliest opportunity.
Please note: at the time of writing these patches have been available from Microsoft for several months.
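The description above says the detected artifact is a tiny FTP command script written to disk by the attacking host, which would then be used to fetch the worm body. As an added illustration (not McAfee's detection logic and not a signature from this description), the following Python heuristic classifies a small text file as a scripted FTP download when it consists only of FTP client commands and contains both an `open` and a `get`. The command set, size limit, and the constructed sample script with its 192.0.2.10 documentation address and placeholder filename are assumptions for the example.

```python
"""Heuristic check for a dropped FTP downloader script.

Added example, not McAfee's detection logic. It flags a very small ASCII
file made up entirely of FTP client commands that connects to a host and
fetches a file, which is the shape of the script the description says the
worm writes to disk before pulling its own body from the attacking host.
"""

# FTP client commands typically seen in a scripted download (assumed set).
FTP_COMMANDS = {"open", "user", "pass", "binary", "bin",
                "get", "bye", "quit", "lcd", "cd"}

# The description reports a script of roughly 64 bytes; allow some slack.
MAX_SCRIPT_BYTES = 512


def parse_ftp_script(text):
    """Split script text into (command, arguments) tuples, one per line."""
    cmds = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(None, 1)
        cmds.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return cmds


def is_dropper_ftp_script(data):
    """Return (suspicious, reason) for the raw bytes of a file."""
    if len(data) > MAX_SCRIPT_BYTES:
        return False, "too large for a dropped downloader script"
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False, "not ASCII text"
    cmds = parse_ftp_script(text)
    if not cmds:
        return False, "empty"
    unknown = [c for c, _ in cmds if c not in FTP_COMMANDS]
    if unknown:
        return False, "non-FTP commands present: %s" % unknown
    verbs = [c for c, _ in cmds]
    if "open" in verbs and "get" in verbs:
        # Report the remote host named on the open line for triage.
        host = next((a.split()[0] for c, a in cmds if c == "open" and a), "?")
        return True, "FTP downloader script fetching from %s" % host
    return False, "FTP commands but no open+get sequence"


# Constructed sample (placeholder host and filename, not taken from the page).
SAMPLE_SCRIPT = (b"open 192.0.2.10\n"
                 b"user a a\n"
                 b"bin\n"
                 b"get placeholder.exe\n"
                 b"bye\n")

if __name__ == "__main__":
    print(is_dropper_ftp_script(SAMPLE_SCRIPT))
    print(is_dropper_ftp_script(b"hello world"))
```

Running the module prints the classification of the constructed sample and of an unrelated text file; in practice the function would be applied to small new files appearing in temp or system directories, and the extracted host is the indicator worth correlating with the exploit traffic the description mentions.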
Symptoms
N/A. This detection is for an FTP script.
Method of Infection
Buffer overflow vulnerabilities in LSASS and DCOM-RPC.
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.