
Memory Cards With W32/sdbot-dp Virus


Posted

I have a couple of SD memory cards that Webroot flags as being infected with W32/Sdbot-DP and quarantines it. But it's still alive on the removable media so does anyone have a quick and effective cleaner and sanitiser for this bugger?

Thanks!

Posted

^ Yup, already went there and that's handy for getting it off the default C drive if that has an infection but it doesn't appear to be able to change to another drive such as the infected removable storage that I have.

Posted

I formatted the drive and it's still there... although of course it doesn't show itself. It's a worm so my Webroot is happily denying it access to my hard drive and registry but it looks that simple deletion isn't an option with these worms. That disinfector that you pointed out from Sophos is configured to scan/clean the default boot drive 'C' and so far, I haven't found anything similar that can be used on infected removable media.

Posted
I formatted the drive and it's still there... although of course it doesn't show itself. It's a worm so my Webroot is happily denying it access to my hard drive and registry but it looks that simple deletion isn't an option with these worms. That disinfector that you pointed out from Sophos is configured to scan/clean the default boot drive 'C' and so far, I haven't found anything similar that can be used on infected removable media.

That means the worm is still on your system (drive C:). Apparently the Sophos disinfector didn't work. To view hidden files as well as access the registry, copy and paste the code below to Notepad. Save file with a .cmd extension and execute. If the worm is active, it will detect the changes and reset the values denying you access. But then again, maybe not... Definitely worth a shot.

:: Show hidden files
REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL" /v "CheckedValue" /t REG_DWORD /d 1 /f

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Hidden" /t REG_DWORD /d 1 /f

:: Enable Folder Options & Regedit - CURRENT_USER
REG DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoFolderOptions" /f
REG DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableRegistryTools" /f

:: Enable Folder Options & Regedit - LOCAL_MACHINE
REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoFolderOptions" /f
REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableRegistryTools" /f

Posted

^ My laptop passes all scans with Webroot (bought and paid version) without any flags or errors.

As soon as I plug in either one of the two dodgy micro SD cards, Webroot pops up a warning that the worm has been detected on the memory stick and quarantined.

When I remove the sticks, the warnings cease and subsequent full scans show nothing hiding on the C and D drives.

So, back to cleaning these SD cards or I think I will just bin them as they are cheap as dirt these days.

PS. You can't scare me that easily!

Posted

^ LOL. Now why would I want to cause a scare? I'm just trying to be thorough, knowing all too well how insidious trojans, worms, and viruses can be. My question to you is: How could the worm still be on the SD card after a reformat? It doesn't make any sense. Unless your system harbors some sort of infection, I don't see how it's possible that a freshly formatted SD card can become infected so quickly.

Are you able to view hidden and system files? If not, use the CMD script below to generate a list of hidden files present on the SD card (before Webroot quarantines them). Any hidden or system files found will also have their attributes reset. The generated file will be saved to the SD card as "filelist.txt". It'll be interesting to see what's on there.

::IMPORTANT - Substitute "X:" with actual drive letter assigned to the SD card

:: Switch to the root of the card ("X:" alone would land in X:'s last-used directory)
cd /d X:\
:: Keep only lines with the System (column 4) or Hidden (column 5) attribute set
attrib *.* 2>nul |findstr "^...S ^....H" >filelist.txt
:: Strip the leading attribute letters and clear system/hidden/read-only on each path
FOR /F "tokens=* delims=ASHR " %%A in (filelist.txt) do attrib -s -h -r "%%A"
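As an added example (not code from the thread), the same hidden/system-file check done by parsing attrib output in Python rather than with findstr and FOR delims; the attrib listing below is constructed sample data for a card mounted as X:.

```python
import re
from typing import Dict, List

# Constructed sample of `attrib` output for a card mounted as X: (not real data).
# attrib prints the attribute letters (A, S, H, R, ...) in fixed columns, then the full path.
SAMPLE_ATTRIB_OUTPUT = """\
A            X:\\holiday.jpg
A  SH        X:\\autorun.inf
A  SHR       X:\\recycler.exe
A    H       X:\\Thumbs.db
             X:\\notes.txt
"""

# The path column always starts with "<letter>:\"; anchoring on that, rather than stripping
# leading A/S/H/R characters as the FOR delims trick does, keeps paths on A:, S:, H: or R: intact.
_LINE = re.compile(r"^(?P<flags>[A-Z ]*?)\s*(?P<path>[A-Za-z]:\\.*?)\s*$")


def parse_attrib(output: str) -> List[Dict[str, object]]:
    """Turn attrib output into records: full path plus the set of attribute letters."""
    records = []
    for line in output.splitlines():
        m = _LINE.match(line)
        if not m:  # blank lines or "File not found" style messages
            continue
        records.append({"path": m.group("path"),
                        "flags": set(m.group("flags").replace(" ", ""))})
    return records


def hidden_or_system(records):
    """Files the board script's findstr pattern would catch: System or Hidden set."""
    return [r for r in records if r["flags"] & {"S", "H"}]


def reset_commands(records):
    """The attrib command needed to make each flagged file visible again."""
    return ['attrib -s -h -r "%s"' % r["path"] for r in hidden_or_system(records)]


def autorun_entries(records):
    """autorun.inf in the root is what AutoPlay would consume; report it explicitly."""
    return [r["path"] for r in records if r["path"].lower().endswith("\\autorun.inf")]
```

On a real card, feed it the text of `attrib /s` run against the drive and review `autorun_entries` before touching anything.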

Posted

Also, disable autorun before attaching any removable media to prevent it reinfecting. I also strongly suggest scanning while in safe mode for better results.

Posted

I definitely agree with the above post on disabling autorun. Virus writers often utilize the autoplay feature in Windows to spread their handiwork...

Disable Autorun using the Registry Editor (regedit)

Note: This method won't work IF registry access has been disabled; in which case, use the command line (see below).

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"HonorAutoRunSetting"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

Disable Autorun using the command line or batch file

REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer" /v "NoDriveTypeAutoRun" /t REG_DWORD /d 255 /f
REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer" /v "HonorAutoRunSetting" /t REG_DWORD /d 1 /f
REG ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf" /ve /t REG_SZ /d "@SYS:DoesNotExist" /f
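An added example (not from the thread) that reads the NoDriveTypeAutoRun value out of a .reg fragment like the one above and decodes which drive types it still leaves AutoRun enabled for; bit n of the mask corresponds to GetDriveType() value n, and 0x04 is the removable-media bit that matters for SD cards.

```python
import re
from typing import Dict, List

# Bit n of NoDriveTypeAutoRun suppresses AutoRun for drives whose GetDriveType() value is n.
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x02: "no root directory",
    0x04: "removable (USB sticks, SD cards)",
    0x08: "fixed",
    0x10: "network",
    0x20: "CD/DVD",
    0x40: "RAM disk",
    0x80: "reserved",
}

# The .reg fragment from the post above, embedded here as the parser's sample input.
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"HonorAutoRunSetting"=dword:00000001
"""

_DWORD = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})\s*$')


def parse_reg_dwords(text: str) -> Dict[str, int]:
    """Extract every dword value from a .reg fragment (key paths are ignored)."""
    values = {}
    for line in text.splitlines():
        m = _DWORD.match(line.strip())
        if m:
            values[m.group("name")] = int(m.group("hex"), 16)
    return values


def autorun_still_allowed(mask: int) -> List[str]:
    """Drive types whose AutoRun is NOT suppressed by the given NoDriveTypeAutoRun value."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not mask & bit]


def removable_autorun_disabled(mask: int) -> bool:
    """The check that matters for this thread: is AutoRun off for removable media?"""
    return bool(mask & 0x04)
```

The value 0x91 used in the test is just a comparison mask (bits 0x80, 0x10, 0x01) that shows a setting which still allows AutoRun on removable drives.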

Posted

Thanks for working with me on this wee problem. I will run the eset online scan in safe mode later. I used this product once before when a client-provided work computer was acting the goat. Opened a can of worms that was hiding on their server! Good stuff.

All AV and spyware progs have pros and cons but in general, I have found Webroot stuff to be more robust than most. I ditched a paid Norton AV subscription in favour of a paid Spysweeper one when the former just became too bloody intrusive. Similar experience with McAfee and ZoneAlarm when they started to try and do too many things at once, ate up memory and flagged shadows.

Good point on disabling autorun though. That was the norm on my previous laptops but never got around to doing it on this Vista machine.

Posted

OK, running ESET online scan in safe mode threw up a couple of other trojans that were taken care of. So I downloaded a 30-day trial version of ESET NOD32 and scanned all my SD sticks and it detected a DIFFERENT worm on the dodgy one but seems to have deleted it for good. One of the other dodgy SDs says it needs formatting but won't accept any attempts, even using Panasonic's dedicated SD formatter, so I will bin that one.

Thanks for the hints as well as those script files that I have saved for future use.
