September 16th, 2004, 05:29 AM
#11
Hey Hey:
hogfly: How is Spybot any different than MyDoom or Sasser or anything else? It's the virus name. The worm portion is the classification.
TH13: I've been looking at this at work and we'd concluded that it was Spybot and SDBot... It may be old, but it's definitely holding true to the writeups on it... Our admins first thought that it was Sasser, but when the Sasser removal tools proved useless, we spent hours analyzing logs and sifting through files...
I ended up creating a half-assed workaround/fix... which I've posted @ http://www.antionline.com/showthread...hreadid=262057
It removes the questionable files and their registry entries...
I've got a few IRC Servers that they've been trying to connect to... If I get a chance tomorrow I'll dump up the information from the captures for you to glance over if you are interested.
The common link in the files we're dealing with is that they're always in system32.... they're always flooding out the lsass exploit.. but we are also seeing the rpc exploit at times.. and the names closely mimic real or seemingly-real files... The registry entry is also always a key value that seems like it's something you shouldn't touch (DirectX, Windows Update).
You can check out the batch file for more details on the specific files I've dealt with.
Peace,
HT
PS.. It's good to be posting again... Those 18-20 hour days were a real hassle.
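The behaviour HT describes in the post above (infected hosts in system32 fanning out the LSASS and RPC exploits to many neighbours, then calling out to IRC servers, with persistence under trusted-sounding Run values) is easy to turn into a log-side triage check. The following is an added example written for this thread, not HT's batch file and not code from the original post. The connection-log format, the sample log lines, the Run-key entries and the filenames in them are all constructed for illustration; the only facts it relies on are the ports the two exploits travel over (the LSASS hole, MS04-011, over SMB on TCP 445/139; the RPC DCOM hole, MS03-026, on TCP 135) and the usual IRC port range. The fan-out threshold and the lookalike-name pattern are heuristics chosen here, not taken from any writeup.

```python
"""Triage heuristics for SDBot/Spybot-style worm activity.

Added example for this thread, not code from the original post.
The log format, sample lines and Run-key entries below are constructed.
"""
import re
from collections import defaultdict

# Ports the exploits named in the post are delivered over:
# LSASS (MS04-011) via SMB on TCP 445/139, RPC DCOM (MS03-026) on TCP 135.
WORM_PORTS = {135, 139, 445}

# Constructed connection log: "<time> <src_ip> -> <dst_ip>:<dst_port> <proto>"
# 10.1.2.50 sweeps a /24 on 445/135 and then talks to an IRC server;
# 10.1.2.77 is a normal client hitting two file servers and a web site.
SAMPLE_LOG = """\
10:00:01 10.1.2.50 -> 10.1.2.51:445 tcp
10:00:01 10.1.2.50 -> 10.1.2.52:445 tcp
10:00:01 10.1.2.50 -> 10.1.2.53:445 tcp
10:00:02 10.1.2.50 -> 10.1.2.54:135 tcp
10:00:02 10.1.2.50 -> 10.1.2.55:445 tcp
10:00:02 10.1.2.50 -> 10.1.2.56:445 tcp
10:00:03 10.1.2.50 -> 10.1.2.57:445 tcp
10:00:03 10.1.2.50 -> 10.1.2.58:445 tcp
10:00:03 10.1.2.50 -> 10.1.2.59:445 tcp
10:00:04 10.1.2.50 -> 10.1.2.60:445 tcp
10:00:04 10.1.2.50 -> 10.1.2.61:445 tcp
10:00:05 10.1.2.50 -> 10.1.2.62:135 tcp
10:00:05 10.1.2.50 -> 203.0.113.9:6667 tcp
10:00:01 10.1.2.77 -> 10.1.2.10:445 tcp
10:00:02 10.1.2.77 -> 10.1.2.10:445 tcp
10:00:03 10.1.2.77 -> 10.1.2.11:445 tcp
10:00:03 10.1.2.77 -> 198.51.100.4:80 tcp
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\w+)$")


def parse_log(text):
    """Parse the constructed log format into (ts, src, dst, port, proto) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ts, src, dst, port, proto = m.groups()
        events.append((ts, src, dst, int(port), proto))
    return events


def find_scanners(events, threshold=10):
    """Return {src: distinct_targets} for hosts that touch at least
    `threshold` distinct destinations on the worm ports. Counting distinct
    targets (not packets) separates a sweep from a client re-connecting to
    one file server."""
    fanout = defaultdict(set)
    for _, src, dst, port, proto in events:
        if proto == "tcp" and port in WORM_PORTS:
            fanout[src].add(dst)
    return {src: len(dsts) for src, dsts in fanout.items() if len(dsts) >= threshold}


def irc_destinations(events, scanners, irc_ports=range(6660, 7001)):
    """Outbound TCP from flagged hosts to IRC ports: candidate C2 servers
    worth pulling out of the packet captures."""
    return sorted({(src, dst, port) for _, src, dst, port, proto in events
                   if src in scanners and proto == "tcp" and port in irc_ports})


# Persistence check: Run-key values whose name mimics a trusted component
# and whose binary lives in system32, the pattern the post describes.
LOOKALIKE_NAME = re.compile(r"direct ?x|windows ?update|microsoft ?update", re.I)
SYSTEM32_PATH = re.compile(r'^"?[a-z]:\\windows\\system32\\', re.I)

# Constructed (name, value) pairs as they might be read back from
# HKLM\...\CurrentVersion\Run; the filenames are made up.
SAMPLE_RUN_ENTRIES = [
    ("DirectX Service", r"C:\WINDOWS\system32\directx.exe"),
    ("Windows Update", r"C:\WINDOWS\system32\wupdmgr32.exe"),
    ("SoundMAX", r"C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"),
]


def suspicious_run_entries(entries):
    """Names of Run values that combine a lookalike name with a system32 binary."""
    return [name for name, value in entries
            if LOOKALIKE_NAME.search(name) and SYSTEM32_PATH.match(value)]


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    scanners = find_scanners(ev)
    print("scanning hosts:", scanners)
    print("IRC call-outs:", irc_destinations(ev, scanners))
    print("suspicious Run values:", suspicious_run_entries(SAMPLE_RUN_ENTRIES))
```

Both checks are deliberately crude: the fan-out count will also catch a legitimate vulnerability scanner or a domain controller, and a Run value with an honest name in system32 is only a lead, not proof. They are meant to shortlist hosts and files to look at by hand, which is the part of the work HT says took the hours.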