Well, Im finally getting a widespread infection of SDBot under control here at work. Spreading via various DCOM and RPC exploits, SDBot caught us completely off guard, as we were used to email viruses instead (we still get ILOVEYOU.vbs opened every now and then).
Partly, it was our fault for not keeping our Win2K/XP machines up to date. We figured they are all behind the firewall, so nothing on port 445, 5000, or whatever it uses can get in. This overlooked the fact that someone might (against company policy) bring in a home PC and plug it into the network (which is probably how this got in).
To clean each system takes about 2 hours, which consists of installing SP2 (SP4 + an RPC patch on Win2K), resetting all Internet Explorer settings, and running SpyBot and AdAware on the system (because this variant drops about 6 different spyware programs). It is a royal pain in the ass. The person who wrote such a beast must be subjected to horrendous pain and torture by my hand.
(copied from my Slashdot posting)
W64.RugRat.3344 has been released as a proof of concept virus. It is the first virus which will only run on Windows on the IA64 platform, and uses APIs from 3 native DLLs to avoid crashing applications. It infects files that are in the same folder as the virus and in all subfolders. The author of the virus has also written other concept viruses* in the past.
* Corrected from virii, which people were nitpicking over on /.
W32.Cone is now at version D. Its another one of your typical spoof from address, harvest emails, and spread virus. Some messages that it generates actually admit to this though:
The attachment is a virus do not open it.
I write it to say : we dont want islamic republic in IRAN!
Im realy sorry, Im damaging some computers that I dont want to damage!!!!
Remember to patch your Norton/McAfee/AVG/ClamAV against this and the daily release of NetSky.
If you use AIM, you might have started getting some messages along the lines of “check this out … http://www.wgutv.com/osama_capture.php” from someone who has you on their buddy list. The link will take you to what looks like an official news page with a story about Osama being captured, that asks you to download a player for it.
The player is actually spyware which will pull your AIM buddy list and start spamming everyone on it with that same link. If you read the disclaimer text (the 1pt font in light gray on a white background) it does say its a false story, and the spyware is part of a game.
The parent company is BuddyLinks. This is possibly the most disgusting piece of spyware/spam Ive ever come across, and is an insult to all those who lost loved ones on 9/11.