Backdoor.SDBot has been modified more times than can be counted. I've had a number of versions of it found on my own system.
There are two places you need to check in your registry to make sure you get rid of it once it's discovered:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Remove all references to Kernel32.exe there. There should be one in each key.
Thus far, on my own computer, it's been under the names uptodo.exe and WinHelp32.exe (there were at least 7 other different copies under different names that I deleted before taking the time to jot them down). Basically, what it comes down to is that there is NO specific name that it goes by.
The Backdoor.SDBot doesn't infect executables. It's just a simple trojan, so you won't have to worry about deleting it. If you can't disable the Kernel32.exe process in your task manager, just delete the registry keys starting it up, and reboot. Then, since it will no longer be running, just delete it.
I'm trying to isolate exactly where it came from, and I'm beginning to think that my own source for the virus is www.bootdisk.com.
The virus didn't appear until I downloaded and executed an .EXE from there, and more importantly, the boot98.exe that I downloaded was the ONLY executable file that Norton was unable to scan.
To test this theory, if you're wondering where you might have gotten the virus from, check your Norton Logs, and everywhere you see a "scan omission", check the properties of it. If it's an executable, that's suspicious by itself.
Good luck everyone!
-Javin
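
An added example, not part of the post above: one way to audit the two startup keys from saved `reg query` output and mark entries that launch one of the file names the post reports. The sample output and its value names (ExampleEntry1 and so on) are constructed; because the post says the file name varies, every entry is returned for review, not only the marked ones.

```python
import re

# The two keys named in the post (compared case-insensitively).
KEYS = {k.lower() for k in (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)}
# File names the post reports seeing; it stresses there is no fixed name.
REPORTED_NAMES = {"kernel32.exe", "uptodo.exe", "winhelp32.exe"}

# `reg query` prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")
# First file name ending in .exe, with any directory part or quoting dropped.
EXE_NAME = re.compile(r'([^\\/"]*?\.exe)', re.IGNORECASE)

def audit_autoruns(reg_query_output):
    """Return (key, value_name, command, flagged) for each entry in the two keys."""
    entries, key = [], None
    for line in reg_query_output.splitlines():
        if line.upper().startswith("HKEY_"):      # key header line
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None or key.lower() not in KEYS:
            continue
        name, _type, command = m.groups()
        exe = EXE_NAME.search(command)
        flagged = bool(exe) and exe.group(1).strip().lower() in REPORTED_NAMES
        entries.append((key, name, command, flagged))
    return entries

# Constructed sample in the layout `reg query <key>` prints.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ExampleEntry1    REG_SZ    C:\WINDOWS\scanregw.exe /autorun
    ExampleEntry2    REG_SZ    Kernel32.exe
    Example Entry 3    REG_SZ    "C:\WINDOWS\SYSTEM\WinHelp32.exe" -s

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    ExampleEntry2    REG_SZ    Kernel32.exe
"""

if __name__ == "__main__":
    for key, name, command, flagged in audit_autoruns(SAMPLE):
        mark = "REPORTED NAME" if flagged else "review"
        print(f"[{mark}] {key.rsplit(chr(92), 1)[-1]}: {name} -> {command}")
```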