Just a little tidbit for everyone... I very recently had a client who had a recurring problem with Backdoor.SDBot on his W2K domain controller. It would pop up once a week or so; I did a manual sweep of all workstations to no avail...
It escalated a couple of nights ago with a hacker getting into the server and uploading the entire drive. grrr.
When checking a little deeper, I found out he had GT bot (global threat) and Norton corporate 8.0 missed it.
This virus can hide itself from the Windows GUI. You can only see it through DOS. Don't always rely on your antivirus logs and alerts.
If anyone has to deal with these viruses on 2000 Server, you must boot to safe mode, open a command prompt and delete the files manually. GT bot hides in the winnt/fonts directory and will install mIRC chat into this directory as well. Only files ending with .fon or .ttf belong in this directory. SDBot hides the iexplorer.exe in the winnt/system32 directory.
Open the registry and browse to:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Runonce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Runservices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Runservicesonce
and remove anything with reference to iexplorer.exe or configloader.
Do a search in the registry for the following:
- color6.exe
- MIRC
- gtbot
and remove any and all links to these files.
Remember to empty your recycle bin before rebooting.
Run a good trojan scanner under safe mode and you'll probably be surprised to find out what else is in there.
Good luck
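The manual checks in the post above (the four Run keys, the indicator names, the "only .fon/.ttf in Fonts" rule, and iexplorer.exe in System32) as a read-only audit script. This is an added example, not the poster's own procedure or any vendor signature; it assumes a Windows host with PowerShell 3 or later and only reports findings, it deletes nothing.

```powershell
# Added audit script (not from the original post). Read-only: it reports, it does not delete.
# Assumption: indicator strings and the Fonts-directory rule come from the post above.
$indicators = @('iexplorer.exe', 'configloader', 'color6.exe', 'mirc', 'gtbot')
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce'
)

# 1. Autostart values whose name or data mentions any indicator string
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }    # RunServices* only exist on 9x/Win2000-era systems
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath metadata
        $data = [string]$p.Value
        foreach ($ind in $indicators) {
            $pattern = [regex]::Escape($ind)
            if ($data -match $pattern -or $p.Name -match $pattern) {
                [pscustomobject]@{ Check = 'Autostart'; Location = "$key\$($p.Name)"; Detail = $data }
            }
        }
    }
}

# 2. Files in the Fonts directory that are not .fon/.ttf (the post's rule of thumb)
$fontsDir = Join-Path $env:windir 'Fonts'
Get-ChildItem -Path $fontsDir -File -Force |
    Where-Object { $_.Extension -notin '.fon', '.ttf' } |
    ForEach-Object {
        [pscustomobject]@{
            Check    = 'FontsDir'
            Location = $_.FullName
            Detail   = "$($_.Length) bytes, modified $($_.LastWriteTime)"
        }
    }

# 3. iexplorer.exe in System32 (the post names this file; the real browser binary is iexplore.exe)
$suspect = Join-Path $env:windir 'System32\iexplorer.exe'
if (Test-Path $suspect) {
    $f = Get-Item -Path $suspect -Force
    [pscustomobject]@{
        Check    = 'System32'
        Location = $f.FullName
        Detail   = "$($f.Length) bytes, modified $($f.LastWriteTime)"
    }
}
```

On current Windows versions the Fonts folder legitimately holds .ttc, .otf and desktop.ini as well, so extend the extension list before treating a hit there as suspicious.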