dropspam lifestyle and a Sdbot

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Was at bro's house celebrating Mother's Day and he mentions he can't
update ZA because it says he has some process running.   Knowing he
installed most of SBC/AT&T bloat-ware I go to check things out.
First thing I notice his taskbar has quite a few icons so I check some
out.   Run across something called dropspam lifestyle.   Ask him about
it and he says he has a spam blocker, but not sure what it is.
*right*.   Before I get rid of it I check out his W2K updates.   Only
needs 46 of them.   He *claims* he can't do updates.    An hour or so
later, all 46 updates are complete.   Run a hijack this to see the
entries for the dropspam and see that the file \WINNT\ms-dos.pif is
being flagged with a SDbot variant.   Oh lovely - his antivirus def's
are up to date, but I forget what SBC uses.    Send the file to
virustotal, results below.    Never did get to check out ZA, by the
time I got his computer cleaned I was out of there.

AhnLab-V3    2007.5.10.0    05.14.2007    no virus found
AntiVir    05.14.2007    Worm/SDBot.113065
Authentium    4.93.8    05.12.2007    could be a corrupted executable file
Avast    4.7.997.0    05.13.2007    Win32:Rbot-AIV
AVG    05.13.2007    Win32/CryptExe
BitDefender    7.2    05.14.2007    Backdoor.SDBot.DEOG.dam
CAT-QuickHeal    9.00    05.14.2007    (Suspicious) - DNAScan
ClamAV    devel-20070416    05.14.2007    no virus found
DrWeb    4.33    05.14.2007    BackDoor.IRC.Sdbot.150
eSafe    05.13.2007    Win32.Rbot.2d40
eTrust-Vet    30.7.3632    05.14.2007    no virus found
Ewido    4.0    05.14.2007    no virus found
FileAdvisor    1    05.14.2007    no virus found
Fortinet    05.14.2007    suspicious
F-Prot    05.12.2007    no virus found
F-Secure    6.70.13030.0    05.14.2007    Packed.Win32.CryptExe
Ikarus    T3.1.1.7    05.14.2007    Backdoor.SdBot.DEOG.dam
Kaspersky    05.14.2007    Packed.Win32.CryptExe
McAfee    5029    05.11.2007    W32/Sdbot.worm.gen.ax
Microsoft    1.2503    05.14.2007    Backdoor:Win32/Rbot!6AE7.dam#4
NOD32v2    2264    05.14.2007    no virus found
Norman    5.80.02    05.11.2007    W32/Spybot.SOW
Panda    05.14.2007    W32/Sdbot.EXG.worm
Prevx1    V2    05.14.2007    no virus found
Sophos    4.17.0    05.11.2007    no virus found
Sunbelt    2.2.907.0    05.12.2007    VIPRE.Suspicious
Symantec    10    05.14.2007    W32.Spybot.Worm
TheHacker    05.12.2007    no virus found
VBA32    3.12.0    05.13.2007    no virus found
VirusBuster    4.3.7:9    05.13.2007    no virus found
Webwasher-Gateway    6.0.1    05.14.2007    Worm.SDBot.113065

Site Timeline