We use Trend Micro and found some of our PCs -- 15 of 140 -- infected with BKDR_SDBOT.M. The fact we found them seems due to the pattern (623), which includes this backdoor.
I had some problems looking for the origin of the infection, because I wasn't able to locate an .exe. Trend Micro's information seems to be erroneous by showing QUEUDO as the name, but Symantec seems more realistic with svsghost and wsock32 names.
So, then I checked on an infrequently used PC (with older antivirus pattern) by disconnecting it from the network to avoid pattern update. I checked the places where the backdoor is supposed to be, but found nothing. Some minutes later (reconnecting the PC to the network) I received a message showing a backdoor infection. I don't understand what happened. Can you please explain this to me?
Backdoor.sdbot is a backdoor Trojan horse that allows the Trojan's creator to control a computer by using Internet Relay Chat (IRC). Backdoor.sdbot can update itself by checking for newer versions over the Internet.
I recommend visiting Symantec's site for instructions on how to remove this virus.
You will find these removal instructions:
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Do one of the following:
a. Windows 95/98/Me/2000/XP: Restart the computer in Safe mode.
b. Windows NT: End the Trojan process.
4. Run a full system scan and delete all the files detected as Backdoor.Sdbot.
5. Edit the changes that the Trojan made to the registry.
This was first published in September 2003