From: "Dangerous Digits"
| My NAV identified a trojan in the sfc.dll file (it's a company desktop).
| Cannot restore OS, as no one knows bios / admin password to safe boot.
| Cannot modify or delete sfc.dll (obviously).
|
| Will a purge & rebuild of SFC give me a chance to dump this file / trojan
| and start clean?
|
| If I upgrade to XP will I bypass the issue, or will it affect XP as well?
|
| D
Trojan? Most likely a SpyBOT Internet worm.
http://isc.sans.org/diary.php?storyid=1893
"We've received reports from .edu of a massive new outbreak of bots exploiting the Symantec Client Security and Antivirus escalation of privilege vulnerability."
http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-112810-5302-99&tabid=2
W32.Spybot.ACYR
The worm copies the original %System%\sfc.dll and %System%\sfc_os.dll files as %System%\trash[RANDOM DIGITS].
Spread:
The Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-026)
The Microsoft Windows Message Queuing Remote Buffer Overflow Vulnerability (as described in Microsoft Security Bulletin MS05-017)
The Microsoft ASN.1 Library Multiple Stack-Based Buffer Overflow vulnerabilities (as described in Microsoft Security Bulletin MS04-007)
The Microsoft Windows Plug and Play Buffer Overflow Vulnerability (as described in Microsoft Security Bulletin MS05-017)
The Microsoft Windows Server Service Remote Buffer Overflow Vulnerability (as described in Microsoft Security Bulletin MS06-040)
Multiple Vendor FTPD realpath Vulnerability (as described in CVE-1999-0368)
Symantec Client Security and Symantec AntiVirus Elevation of Privilege (as described in CVE-2006-2630)
From McAfee/AVERT
This is a Low-Profiled Threat Notice for W32/Sdbot.worm!811a7027
Justification
W32/Sdbot.worm!811a7027 has been deemed Low-Profiled due to media attention at the following
link:
http://www.scmagazine.com/uk/news/a...exploit-patched-symantec-stack-overflow-flaw/
W32/Sdbot.worm!811a7027 is referred to as "W32.Spybot.ACYR" within the article.
Read About It
Information about W32/Sdbot.worm!811a7027 is located on VIL at:
http://vil.mcafeesecurity.com/vil/content/v_140978.htm
Detection
W32/Sdbot.worm!811a7027 was first discovered on November 28, 2006 and detection will be
added to the 4907 dat files (Release Date: November 29, 2006).
Though we consider this a low threat, an EXTRA.DAT file may be downloaded via the McAfee AVERT Extra.dat Request Page:
https://www.webimmune.net/extra/getextra.aspx
If you suspect you have W32/Sdbot.worm!811a7027, please submit a sample to
http://www.webimmune.net
Risk Assessment Definition
For further information on the Risk Assessment and Avert Labs Recommended Actions please
see:
http://www.mcafee.com/us/threat_center/outbreaks/virus_library/risk_assessment.html
Best Regards,
McAfee Avert Labs - Come visit our Blog -
http://www.avertlabs.com/research/blog/
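The Symantec write-up quoted above gives one concrete host indicator: the worm saves the original %System%\sfc.dll and %System%\sfc_os.dll as %System%\trash[RANDOM DIGITS] before tampering with the live copies. The following Python script is an added example, not code from the thread, from Symantec or from McAfee. It scans a directory for trash[DIGITS] files, hashes them, and reports whether each live sfc*.dll is byte-identical to one of the saved copies; a saved copy that matches no live DLL means the live DLL is no longer the original the worm set aside. The directory layout, file contents and the trash file names (trash48213, trash90771) are constructed sample data built in a temporary folder, so the script runs offline on any OS; on a real box you would point triage_system_dir() at the actual system directory and compare the hashes against known-good copies from install or service-pack media rather than trusting this indicator alone.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# File names taken from the Symantec write-up quoted in the thread.
PROTECTED_DLLS = ("sfc.dll", "sfc_os.dll")
# The worm's backup naming pattern: trash followed by random digits.
TRASH_RE = re.compile(r"^trash\d+$", re.IGNORECASE)


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large system DLLs are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_system_dir(system_dir) -> dict:
    """Look for trash[DIGITS] files and compare them with the live sfc*.dll copies.

    Verdicts:
      "no_indicator" - no trash[DIGITS] file present; this check says nothing either way.
      "restored"     - trash copies exist and every protected DLL is byte-identical to one
                       of them (the live DLL is the saved original again).
      "suspect"      - trash copies exist but a protected DLL matches none of them, so the
                       live DLL is not the copy the worm set aside, i.e. it was replaced.
    """
    system_dir = Path(system_dir)
    trash_files = sorted(p for p in system_dir.iterdir()
                         if p.is_file() and TRASH_RE.match(p.name))
    trash_hashes = {sha256_of(p) for p in trash_files}
    report = {"trash_files": [p.name for p in trash_files], "protected": {}}
    for name in PROTECTED_DLLS:
        dll = system_dir / name
        if not dll.is_file():
            report["protected"][name] = {"present": False, "matches_trash_copy": False}
            continue
        digest = sha256_of(dll)
        report["protected"][name] = {"present": True, "sha256": digest,
                                     "matches_trash_copy": digest in trash_hashes}
    if not trash_files:
        report["verdict"] = "no_indicator"
    elif all(v["matches_trash_copy"] for v in report["protected"].values()):
        report["verdict"] = "restored"
    else:
        report["verdict"] = "suspect"
    return report


def build_sample_tree(infected: bool = True) -> Path:
    """Constructed sample data: a temp dir laid out like %System% after infection.

    The DLL contents are placeholder bytes, not real Windows binaries, and the
    trash file names are made up for this example.
    """
    root = Path(tempfile.mkdtemp(prefix="sfc_triage_"))
    original = {"sfc.dll": b"ORIGINAL-SFC-DLL-BYTES",
                "sfc_os.dll": b"ORIGINAL-SFC_OS-DLL-BYTES"}
    if infected:
        # Worm behaviour from the write-up: keep the originals as trash[RANDOM DIGITS] ...
        (root / "trash48213").write_bytes(original["sfc.dll"])
        (root / "trash90771").write_bytes(original["sfc_os.dll"])
        # ... and leave modified copies under the real names.
        (root / "sfc.dll").write_bytes(b"PATCHED-SFC-DLL-BYTES")
        (root / "sfc_os.dll").write_bytes(b"PATCHED-SFC_OS-DLL-BYTES")
    else:
        for name, data in original.items():
            (root / name).write_bytes(data)
    return root


if __name__ == "__main__":
    for state in (True, False):
        rep = triage_system_dir(build_sample_tree(infected=state))
        print("infected=%s verdict=%s trash=%s" % (state, rep["verdict"], rep["trash_files"]))
```

The hash comparison is deliberately one-directional: a trash copy tells you what sfc.dll looked like before the worm touched it, so equality proves the live file is that earlier version, while inequality only proves it is not. Whether the earlier version was itself clean still has to be checked against a trusted copy.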