Warning: Sdra64.exe

In the last few days my PC was infected twice with sdra64.exe and got no protection from BDIS 2009.


Infections occurred while browsing some internet sites, and there was no response from BDIS.


I had to clean my system manually with an emergency boot DVD, because there's no way to delete sdra64.exe from the /system32 directory.


The trojan virus also writes a new entry to the registry:


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe


When you attempt to modify this entry back to the default:


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\C:\WINDOWS\system32\userinit.exe


the last part reappears in a couple of seconds.


This trojan virus is dangerous since it steals passwords you type in a browser.


If you google "sdra64.exe", you'll find more info and problems it might cause.


But the real point is that BDIS 2009 doesn't protect from this threat.


Also, when you scan the infected system, BDIS doesn't alert about the trojan virus that is present.


BD team, do something... :ph34r:
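As an added example (not part of the original thread, and not BitDefender's or the malware's code), here is a small Python check for the two artifacts the post describes: an extra program appended to the Winlogon Userinit value, and the lowsec folder under system32. It assumes the registry value name is Userinit, that a clean value contains only userinit.exe under system32, and uses a constructed sample value for offline runs.

```python
import os
import sys

# Assumed default system32 path on the poster's Windows XP system.
DEFAULT_SYSTEM32 = r"C:\WINDOWS\system32"

# Constructed sample, modelled on the value shown in the post (not captured data).
CONSTRUCTED_INFECTED_VALUE = (
    r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe"
)


def suspicious_userinit_entries(userinit_value, system32_dir=DEFAULT_SYSTEM32):
    """Return every program listed in a Winlogon Userinit value other than
    the expected userinit.exe. The value is a comma-separated list (Windows
    writes a trailing comma by default); sdra64.exe persists by appending
    itself after the legitimate entry, as the post shows."""
    expected = (system32_dir.rstrip("\\") + "\\userinit.exe").lower()
    entries = [e.strip() for e in userinit_value.split(",") if e.strip()]
    return [e for e in entries if e.strip('"').lower() != expected]


def lowsec_artifacts(system32_dir=DEFAULT_SYSTEM32):
    """Return the local.ds / user.ds files present under <system32>\\lowsec,
    or an empty list when the folder does not exist."""
    lowsec = os.path.join(system32_dir, "lowsec")
    if not os.path.isdir(lowsec):
        return []
    return [os.path.join(lowsec, name) for name in ("local.ds", "user.ds")
            if os.path.isfile(os.path.join(lowsec, name))]


def read_live_userinit():
    """Read the live Userinit value on Windows; returns None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only standard-library module
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon")
    value, _ = winreg.QueryValueEx(key, "Userinit")
    return value


if __name__ == "__main__":
    # Off Windows, fall back to the constructed sample so the check still runs.
    value = read_live_userinit() or CONSTRUCTED_INFECTED_VALUE
    for extra in suspicious_userinit_entries(value):
        print("unexpected Userinit entry:", extra)
    for path in lowsec_artifacts():
        print("lowsec artifact present:", path)
```

A match only says the value or folder looks like the post's infection; since the post reports the entry being rewritten within seconds, a clean registry edit alone is not a reliable fix and the check should be re-run after booting from rescue media.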

Comments

  • Hello Viscon,


    Please tell us which websites you visited when you got this infection so that we can reproduce this situation and add a proper signature for this malware.


    Thank you.

  • Most likely it happened when I got redirected from false emails prompting me to check or change pass/logins for eBay and PayPal.


    Of course both sites, eBay and PayPal, were not genuine, which I discovered right away, and I didn't fill in any forms there.


    I visited more sites in those two fatal sessions, but nothing suspicious.


    That's all I can say now, because I deleted all history and temporary files as well as those emails.


    Maybe I should have kept the sdra64.exe file, but it's gone too.

  • I forgot to add that the trojan also creates a new folder "lowsec" in the sys32 directory.


    You can't remove this folder from within Windows either.


    Inside the "lowsec" folder there are two files: local.ds (2.747 bytes) and user.ds (0 bytes).

  • Hello Viscon,


    Please archive and upload this file to http://www.sendspace.com/ and post the download link here.


    Thank you.

  • Viscon
    edited July 2009

    Well, as I said already I don't have that file anymore.


    Deleted it from within Winternals BootDisk, and it's gone now.


    However, I've discovered some other reg entries it most likely produced:


    HKEY_USERS\.DEFAULT\Software\Microsoft\Protected Storage System Provider


    HKEY_USERS\S-1-5-19\Software\Microsoft\Protected Storage System Provider


    HKEY_USERS\S-1-5-18\Software\Microsoft\Protected Storage System Provider


    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{19127AD2-394B-70F5-C650-B97867BAA1F7}


    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}


    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows nt\currentversion\network\uid = PCname_(some numbers)


    That's all I can provide atm.

  • OK, I got it again, so I could upload sdra64.exe here:


    http://www.sendspace.com/file/lwms07


    Please do something.

  • Hello Viscon,


    Thank you for the sample. We have forwarded it to my colleagues from the Virus Analysis team and will contact you as soon as the analysis is complete.


    Thank you.