Author Topic: win32:sdbot-5004 Detected  (Read 3893 times)


aprac00

  • Guest
win32:sdbot-5004 Detected
« on: September 26, 2007, 09:28:31 PM »
Hello, I received a zip/rar file through MSN Messenger but I have not opened the file. Avast detected the file as "win32:sdbot-5004"; however, an error appeared stating that avast could not delete the file, and it was found in the \locals~1\temp folder, although the MSN Messenger receiving folder is My Received Files in My Documents. I scheduled a boot-time scan and nothing was detected. Is this enough to confirm that my PC is clean or not?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88854
  • No support PMs thanks
Re: win32:sdbot-5004 Detected
« Reply #1 on: September 26, 2007, 10:29:47 PM »
Not all unpackers are available on the boot-time scan so perhaps that is why nothing was found.

I suspect you have MSN Messenger set to scan with ashQuick.exe when the download is finished?
The ashQuick.exe is the most thorough of the avast scans, so that may be why it was detected.

You don't say why avast couldn't delete it (see below)?

Deletion isn't really a good first option (you have none left): 'first do no harm', don't delete, send the virus to the chest and investigate.

Have you checked for the presence of the file in the location you gave?
If it is there you could right click on it and scan with ashQuick again.

You could also check the offending/suspect file at VirusTotal - Multi engine on-line virus scanner. I feel VirusTotal is the better option as it uses the Windows version of avast (more packers supported) and there are currently over 30 different scanners.
Or Jotti - Multi engine on-line virus scanner. If any other scanners here detect them, it is less likely to be a false positive. Whichever scanner you use, you can't do this with the file in the chest; you will need to move it out.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

aprac00

Re: win32:sdbot-5004 Detected
« Reply #2 on: September 26, 2007, 11:14:39 PM »
Hello, thanks for replying. I accidentally clicked on "Delete" file when the warning appeared and I couldn't catch the exact error, but it said that it was not able to delete the file. When I checked in My Received Files, the zip/rar file I received was no longer available. As "avast" showed me that the file had moved to the locals~1\temp folder, it got me worried about the status of my computer, so I ran the boot-time scan. However, what can I do to ensure that my PC is fully protected and the virus I received is no longer active?

Offline DavidR

Re: win32:sdbot-5004 Detected
« Reply #3 on: September 27, 2007, 12:14:26 AM »
To answer your last question first (what can I do to ensure that my PC is fully protected and the virus I received is no longer active?): you can start by answering all questions; without information I'm just guessing.

avast unpacks archive files in order to be able to scan them. For some people, depending on their settings, this happens in the C:\Documents and Settings\YourUserName\Local Settings\Temp\_avast4_ folder; I don't know if this is what you saw. That folder is normally emptied after a scan. If not, the files won't have the same name but will be unpxxxxxx.tmp, where the xxxxxx is a numeric value.

You didn't say if it was ashquick.exe that scanned the file either?

That is why I asked whether you had checked for the presence of the file as reported in the alert, e.g. (C:\windows\system32\infected-file-name.xxx)?
Check the avast! Log Viewer (right click the avast 'a' icon), Warning section; this contains information on all avast detections.

The problem may be that it is an infected file within the archive and avast can't move or delete it, as it may corrupt the archive by trying to remove it, but I can't say as I don't know the file name and type.

aprac00

Re: win32:sdbot-5004 Detected
« Reply #4 on: September 27, 2007, 09:58:55 AM »
Yes, it was ashquick.exe that scanned the file.

In the avast Log Viewer Warning section the file description is:
Sign of "Win32:Sdbot-5004 [tri]" has been found in "C:\DOCUME~1\Username\LOCALS~1\Temp\TFR33B.tmp" file

If I have not executed the file manually once it was received but avast has detected the virus, does that mean that the virus was activated? If not, why was it moved to the temp folder? And how can I be sure that my PC is clean?

I have Googled for the virus name and I found it listed under the date 18.9.2007 - 0775-2 at
http://www.avast.com/cns/vps_history.html
What does this mean?

Thank you

Offline DavidR

Re: win32:sdbot-5004 Detected
« Reply #5 on: September 27, 2007, 01:31:16 PM »
The avast VPS history just tells you when the malware was added to the signature file (VPS), so it is a relatively recent addition. You are often better off searching for the suspect file name; this doesn't bring up much that is of use either (this topic for one).

The file name is a little strange, as .tmp files aren't executable, so this one on its own (provided it is a .tmp file and not one that has had its file type changed) shouldn't be a problem. In this case I don't believe it was 'moved' to the Temp folder by avast; as I said before, avast uses the _avast_ sub-folder in Temp.

It isn't uncommon for malware to write or download to the Temp folder, but that is more likely down to what you have set up as the default location for downloaded files in MSN Messenger. Sorry, I don't use MSN so I can't be any practical help there.

Have you checked for the presence of the file as I asked?

Since it is in a Temporary location it may simply be better to clear all Temp files, using a temp file cleaner (see below) or manually.

ClearProg - Temp File Cleaner or CCleaner - Temp File Cleaner, etc.

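An added example (not from the thread or from avast) in Python: a triage helper that parses a Log Viewer warning line of the shape quoted above, flags whether the path is avast's own _avast4_ unpack area, and checks whether a file calling itself .tmp is really an executable or archive by its leading bytes (the 'changed file type' case). The alert format and the _avast4_/unpxxxxxx.tmp naming are taken from the thread; the sample line is constructed.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample in the format of the avast! Log Viewer warning quoted in the thread.
SAMPLE_ALERT = ('Sign of "Win32:Sdbot-5004 [tri]" has been found in '
                '"C:\\DOCUME~1\\Username\\LOCALS~1\\Temp\\TFR33B.tmp" file')
ALERT_RE = re.compile(r'Sign of "(?P<name>[^"]+)" has been found in "(?P<path>[^"]+)" file')

# Leading bytes that reveal the real container type regardless of the extension.
MAGIC = {b"MZ": "pe-executable", b"PK\x03\x04": "zip-archive", b"Rar!": "rar-archive"}
# Extensions under which each real type is unremarkable; anything else is a disguise.
EXPECTED_EXT = {"pe-executable": {"exe", "dll", "scr", "com"},
                "zip-archive": {"zip"}, "rar-archive": {"rar"}}


class Alert(NamedTuple):
    name: str           # detection name, e.g. Win32:Sdbot-5004 [tri]
    path: str           # Windows path as written in the log (8.3 short names kept)
    ext: str            # lower-cased extension without the dot, '' if none
    avast_unpack: bool  # True if it is avast's own transient unpack file


def parse_alert(line: str) -> Optional[Alert]:
    """Split one Log Viewer warning line into its fields; None if it does not match."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    path = m.group("path")
    parts = path.split("\\")
    filename = parts[-1]
    ext = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    # Per the thread: avast unpacks archives into Temp\_avast4_ as unpxxxxxx.tmp,
    # so a hit on such a file points at archive content, not a file dropped elsewhere.
    in_unpack_dir = any(p.lower() == "_avast4_" for p in parts[:-1])
    avast_unpack = in_unpack_dir and re.fullmatch(r"unp\d+\.tmp", filename, re.I) is not None
    return Alert(m.group("name"), path, ext, avast_unpack)


def sniff_type(data: bytes) -> str:
    """Identify the container from its magic bytes; 'unknown' if none match."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def extension_disguised(ext: str, data: bytes) -> bool:
    """True when the bytes are an executable or archive but the extension says otherwise,
    the 'changed file type' case that makes a .tmp worth worrying about."""
    kind = sniff_type(data)
    return kind != "unknown" and ext not in EXPECTED_EXT[kind]
```

Feed the first few bytes of the file reported in the alert to extension_disguised(); a .tmp that starts with MZ or PK is not the inert file its extension suggests.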

aprac00

Re: win32:sdbot-5004 Detected
« Reply #6 on: September 27, 2007, 03:35:56 PM »
It was a zip file under the name IMG-0012.zip, sorry I couldn't remember the name earlier, but when I translated the French page http://www.infos-du-net.com/forum/272927-11-virus-aussi which talks about this virus, I noticed the same file name that was sent to me.

I have used Spybot Search and Destroy, Lavasoft Ad-Aware 2007, CCleaner, Antivir, Clamwin and Kaspersky Online Scanner to scan my computer, but nothing was detected.

The question is, if I have "not" started the file, and it no longer exists in My Received Files, which is the location for MSN Messenger, could it be activated automatically once received?

Offline DavidR

Re: win32:sdbot-5004 Detected
« Reply #7 on: September 27, 2007, 04:55:17 PM »
The zip file on its own isn't a problem, as it isn't an executable, so is no threat; what we don't know is whether there are any other elements that might unzip it into the temp location, causing avast to detect one of the unzipped files in the temp folder.

You might not have executed it or tried to unzip it, but something must have for the extracted file to be detected. So I can't give any assurance about whether it could have been activated once received.

Based on the multiple on-line scans you have done I would hope that you are in the clear, especially if you have, as suggested, cleared your temp folder.

I would say that Spybot and Ad-Aware are not as effective as some other anti-spyware applications.

If you haven't already got this software (freeware), download, install, update and periodically run it.
1.  If using WinXP: AVG Anti-Spyware (formerly Ewido), resident scanner during trial, on-demand after the trial ends. Or SUPERAntiSpyware, on-demand only in the free version. Or Spyware Terminator, resident scanner. Or a-squared Free, on-demand only with the free version (if using Win98/ME).