- Dec 18, 2001
We got a few machines that showed up with a virus infection that Symantec will not detect. It's rather simple too. A process "Svhost.exe" runs from either c:\winnt\system32\Svhost.exe (or \windows\system32), or as a prefetch file (.pf extension). In the registry Run key, it just loads Svhost.exe with the name "Windows Update".
It's very easy to remove - just end the process, delete the file, and delete the reg entry. Then run Windows Update and install all critical fixes.
What I can't figure out is why the major antivirus vendors are not detecting such a simple variant. I was able to upload a sample file to Kaspersky and have it analyzed as Backdoor.Win32.Rbot.hf, but it's an incorrect analysis. The description of that variant does not match the characteristics of what we're seeing.
If anyone else catches this please let me know what you find out.
I moved this notice to: sdbot variant - no detection? We found out that this thing is talking back to the same public server and possibly waiting for instructions. I contacted the owners of the server to see if they would remove it from the public.
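A check for the indicators described in this post, written as an added example (not the poster's own script): it audits the HKLM and HKCU Run keys for a command that launches Svhost.exe, checks the system32 and Prefetch locations, and with -Remove performs the clean-up the post describes. $env:SystemRoot and the Prefetch folder name are assumptions about a standard Windows install.

```powershell
# Added example, not from the original post. Looks for the Svhost.exe persistence
# described above (note the missing "c": the legitimate service host is svchost.exe).
# Assumes $env:SystemRoot points at C:\WINNT or C:\Windows.
param([switch]$Remove)   # -Remove ends the process, deletes the file and the Run value

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$findings = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell provider metadata
        # Match on the command, not only the "Windows Update" value name,
        # so a renamed value is still caught.
        if ("$($p.Value)" -match '(?i)(^|\\)svhost\.exe') {
            $findings += [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

$filePath = Join-Path $env:SystemRoot 'system32\Svhost.exe'
$onDisk   = Test-Path $filePath
$prefetch = @(Get-ChildItem (Join-Path $env:SystemRoot 'Prefetch') `
              -Filter 'SVHOST.EXE-*.pf' -ErrorAction SilentlyContinue)

$findings | Format-Table -AutoSize
"File present at ${filePath}: $onDisk"
"Prefetch entries: $($prefetch.Count)"

if ($Remove) {
    # Same order as the post: stop the process, delete the file, delete the Run value.
    Get-Process -Name 'Svhost' -ErrorAction SilentlyContinue | Stop-Process -Force
    if ($onDisk) { Remove-Item $filePath -Force }
    foreach ($f in $findings) { Remove-ItemProperty -Path $f.Key -Name $f.Name }
    $prefetch | Remove-Item -Force
}
```

Run it first without -Remove to review the findings; the regex deliberately does not match svchost.exe, so legitimate service host entries are left alone.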
