Backdoor.Sadmind

Backdoor.Sadmind is a backdoor worm program that may affect systems that are running unpatched versions of Microsoft IIS or unpatched versions of Solaris.

If files on a desktop computer are detected as Backdoor.Sadmind.Dr, that does not mean that there is an infection. It means that you have visited a Website whose server has been compromised by Backdoor.Sadmind, which replicates only on Solaris systems. You should delete any files detected as Backdoor.Sadmind.Dr.



CERT/CC
CERT has issued an advisory regarding sadmind-IIS:
http://www.cert.org/advisories/CA-2001-11.html

Microsoft Corporation
The following documents regarding this vulnerability are available from Microsoft:
http://www.microsoft.com/technet/security/bulletin/MS01-023.asp

Sun Microsystems
Sun has issued the following bulletin for this vulnerability:
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/191&type=0&nav=sec.sba

NOTE: The patch closes the security hole on Solaris systems that Backdoor.Sadmind uses to infect a system. Left unpatched, other malicious programs could take advantage of the same vulnerability. The best way to close the vulnerable ports is to use the security patch.

Protection

• Initial Rapid Release version May 10, 2001
• Latest Rapid Release version March 3, 2008 revision 035
• Initial Daily Certified version May 10, 2001
• Latest Daily Certified version March 3, 2008 revision 037
• Initial Weekly Certified release date pending

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Threat Assessment

Wild

• Wild Level: Low
• Number of Infections: 0 - 49
• Number of Sites: 0 - 2
• Geographical Distribution: Low
• Threat Containment: Easy
• Removal: Easy

Damage

• Damage Level: Medium

Distribution

• Distribution Level: Medium