Started seeing a detection of SDBOT.worm.gen.J late 3/30-early 3/31 on workstations. A small handful (about 6) were found to be pretty much destroyed--RPC thread driving an instance of svchost to 97% processor, Start Bar minimized and locked, assorted registered services (Microsoft Installer Service, MS Scripting Host, and others) broken or unavailable. All workstations are XP SP1 with patches to the end of 04.
On 4/3, 6 of my production MS-SQL (Win2K SP4 & patched, MS-SQL 2K) servers got hit with the same thing. Luckily, didn't see the 97% svchost, and all server processes seem intact, but the desktop environment shows a lot of the same symptoms, particularly broken services.
Reconfigured RPC to Take No Action on stop so I could at least have some of the processor, have scanned with every available tool (McAfee GUI, Stinger and command line in Safe Mode, Trend Micro, Panda, F-Prot in Safe Mode), have searched the registry for \RUN keys and inappropriate .exe's, with no luck. Have been unable to capture anything other than error boxes to submit to McPrimeSupport.
Any help appreciated before I set about to rebuild the prod servers.
Thanks!
The Bug Guy