Warning: Sdra64.exe

Viscon

In a few last days my PC was infected twice with sdra64.exe and got no protection from BDIS 2009.

Infections occured while browsing some internet sites, and there was no response of BDIS.

I had to clean my system manually with emergency boot DVD, because there's no way to delete sdra64.exe from /system32 directory.

the trojan virus also writes new entry to the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe

When you attempt to modify this entry to default:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\C:\WINDOWS\system32\userinit.exe

the last part reappears in a couple of seconds

This trojan virus is dangerous since it steals passwords you type in a browser.

If you google "sdra64.exe", you'll find more info and problems it might cause.

But the real point is that BDIS 2009 doesn't protect from this threat.

Also when you scan infected system, BDIS doesn't alert about present trojan virus.

BD team, do something...

Alex Stanciu

Hello Viscon ,

Please tell us what websites did you visit when you got this infection so that we can reproduce this sittuation and add a proper signature for this malware.

Thank you .

Viscon

most likely it happened when i got redirected from false emails prompting to check or change pass/logins to ebay and paypal.

of course both sites, ebay and paypal were not genuine which i discovered right away and didn't fill any forms there.

i visited more sites in those two fatal sessions but nothing suspicious.

that's all i can say now because i deleted all history and temporary files as well as those emails.

i should have kept sdra64.exe file maybe but it's gone too.

Viscon

i forgot to add that the trojan also creates a new folder "lowsec" in sys32 directory.

you can't remove this folder from withing windows either.

inside "lowsec" folder there are two files: local.ds (2.747 bytes) and user.ds (0 bytes).

Alex Stanciu

Hello Viscon,

Please archive and upload this file on :http://www.sendspace.com/ and post here the download link .

Thank you .

Viscon

Well, as I said already I don't have that file anymore.

Deleted it from within Winternals BootDisk, and it's gone now.

However, I've discovered another another reg entries it most likely produced:

HKEY_USERS\.DEFAULT\Software\Microsoft\Protected Storage System Provider

HKEY_USERS\S-1-5-19\Software\Microsoft\Protected Storage System Provider

HKEY_USERS\S-1-5-18\Software\Microsoft\Protected Storage System Provider

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{19127AD2-394B-70F5-C650-B97867BAA1F7} HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows nt\currentversion\network\uid = PCname_(some numbers)

that's all I can provide atm.

Viscon

ok, i got it again so i could upload sdra64.exe here:

http://www.sendspace.com/file/lwms07

please do something

Alex Stanciu

Hello Viscon ,

Thank you for the sample. We have forward it to my colleagues from the Virus Analysis team and we will contact you as soon as the analysis is complete.

Thank you .