Fog Creek Software
Discussion Board




A free vaccine for W32/SdBot-CE?

My system and a few others here have been infected with this worm.

http://www.sophos.com/virusinfo/analyses/w32sdbotce.html

I followed all the steps mentioned on that webpage and cleared the startup entries from the registry, yet the file copies itself to the \sys32 folder. When I reboot, the VC++ IDE fires up (coz this baby's written in Win32 API as the URL reports).

I've tried looking for more information for removal of this worm but sadly, Google returns only a handful of links, some of which are in foreign languages I don't understand.

Is there some FREE vaccine/patch I can get for this worm?

Sathyaish Chakravarthy
Thursday, April 08, 2004

Symantec is normally pretty good for this, but they seem to have named the variants of SdBot differently:

http://search.symantec.com/custom/us/query.html?col=&ht=0&qp=url%3A/avcenter/venc/data+url%3A/avcenter/venc/auto/index,+url%3A/avcenter/security/Content&qs=-url%3A/sarc-intl.nsf/+-url%3A/navintl.nsf/&qc=&pw=100%25&ws=0&la=en&si=0&fs=&qt=sdbot&ex=&rq=0&oq=&qm=0&ql=&st=1&nh=10&lk=1&rf=0

R1ch
Thursday, April 08, 2004

Thanks.

Sathyaish Chakravarthy
Thursday, April 08, 2004

Sathyaish, why do you just want a vaccine for free?

I guess you don't live in the States, so obviously you need to stage a revolution, embrace the free market system, blah blah etc.

:-)

Erehwon
Thursday, April 08, 2004

I presume you weren't running anti-virus software.  As such, you should not be wasting everybody's time with these posts.

Pet Peeve --> Those who don't run security software and then complain
Thursday, April 08, 2004

F8 on startup, go into safe mode, find the EXE file, delete it.  Then do the rest of cleansing at your leisure.

As always, my five-point plan for system disinfections goes:

1.  Get the internet running, somehow (this is tricksy)

2.  Firewall -- XP firewall if available, ZoneAlarm if they're not running XP.

3.  Spybot/AdAware

4.  AVG freeware antivirus

5.  Run windowsupdate until all critical updates are up to date.

(6.  Reset the IE homepage)

pds
Friday, April 09, 2004

I'll give this an acronym: FLAW, as in:

"Firewall, Lavasoft, Antivirus, Windowsupdate.com"


We could then use cool (i.e. awful) article titles like "Is your computer FLAWed?"

pds
Friday, April 09, 2004

pds:

You the shizzle, baby!

Erehwon
Friday, April 09, 2004
