We have documented several instances over the past week where client computers have been compromised and used to attack our network. Forensics revealed the presence of the Sdbot-fam worm/trojan.
These users were running either Windows XP or Windows 2000 (most were unpatched) and, most notably, Norton 2004 antivirus software. Norton AV was still unable to detect this virus, despite having LiveUpdate activated. When infected, some units were unable to connect to antivirus websites and had gt.exe and inetman.exe surreptitiously installed. Internet browsing stalls when the infected system tries to infect other systems or contact its ‘master’.
In most instances, the default Administrator password was blank. We used Sophos to scan the units and detect the infection. To help prevent the spread of this virus, please do ALL of the following:
1. Patch your Windows systems via the windowsupdate.microsoft.com website.
2. Upgrade your antivirus software, and change your Administrator password.
3. Install a firewall, or activate the personal firewall that comes with Windows XP.
4. Disable the UPnP and SSDP services on your unit.
You may also bring in your unit for inspection.
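The four steps above, together with a quick check for the two files named in this notice, as a batch script for a single Windows XP SP2 workstation. This is an added example and not part of the original notice; the service names SSDPSRV and upnphost, the XP SP2 netsh firewall syntax, the directories searched for the files, and the hosts-file check are assumptions not stated above.

```batch
@echo off
rem Added example (not from the original notice): triage and hardening for one
rem Windows XP SP2 workstation. Run from an Administrator command prompt.
rem Assumptions: SSDPSRV / upnphost are the XP service names for SSDP Discovery
rem and UPnP Device Host; the search paths below are guesses, the notice only
rem names the files, not where they were dropped.
setlocal

echo === Check for the files named in the notice ===
for %%F in (gt.exe inetman.exe) do (
    if exist "%SystemRoot%\%%F" echo FOUND: %SystemRoot%\%%F
    if exist "%SystemRoot%\system32\%%F" echo FOUND: %SystemRoot%\system32\%%F
)

echo === Hosts file: a blocked antivirus site often shows up here (assumption) ===
rem Any line other than comments and the localhost entry deserves a look.
findstr /v /i "^# localhost" "%SystemRoot%\system32\drivers\etc\hosts"

echo === Step 4: stop and disable the SSDP and UPnP services ===
for %%S in (SSDPSRV upnphost) do (
    sc stop %%S >nul 2>&1
    sc config %%S start= disabled
)

echo === Step 3: turn on the built-in Windows Firewall (XP SP2 syntax) ===
netsh firewall set opmode mode=ENABLE

echo === Step 2: replace the blank Administrator password (prompts for it) ===
net user Administrator *

echo === Steps 1 and 2: patch and update signatures ===
echo Visit windowsupdate.microsoft.com, then update the antivirus software.
endlocal
```

Run it once per unit and keep the console output; a FOUND line or an unexpected hosts entry means the unit should be taken off the network and brought in for inspection.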