Search Solo Products, Services and others Overview of the Site Design and Build a Career Contact us for customer service and other feedback info SRN Micro Privacy Statement



Process Name  : sdra64.exe

Process Path : %SYSTEM%\sdra64.exe [ C:\Windows\System32\sdra64.exe ]

Process type    : Trojan

Malware Name : Trojan.Spy.Win32.Zbot.Qfw

Alias             : Injector.CZ, Win32:Rootkit-gen, Win32/Spy.Zbot.JF, Generic.dx trojan

Threat level : Low

Process Details

                  Sdra64.exe is dropped by Trojan.Spy.Win32.Zbot.Qfw trojan. It is spammed via e-mail and it usually arrives with attachment which contains the file Delta_eTicket.exe.

The infected mail subject will be

Confirmation of ticket purchase

The infected mail message body will be

Thanks for the purchase!

Booking number: DMYT092A9W

You will find attached to this letter PASSENGER ITINERARY RECEIPT of your electronic \
ticket. It verifies that you paid the ticket in full and confirms your right for air \
travel and luggage transportation by the indicated flight Delta Air Lines.

On board you will be offered:
- beverages;
- food;
- daily press.
You are guaranteed top-quality services and attention on the part of our benevolent \

We recommend you to print PASSENGER ITINERARY RECEIPT and take it alone to the \
airport. It will help you to pass control and registration procedures faster.

See you on board!
Best regards,
Delta Air Lines

The infected mail Attachment will be

                  When the infected e-mail attachment is executed, it copies to %SYSTEM%\sdra64.exe. Then it modifies the registry to load automatically on next startup. The registry key modification is given below.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Userinit = "%System%\userinit.exe,%System%\sdra64.exe,"

                   It also download and installs serveral malicious files in the infected system. This trojan is also known as Injector.CZ, Win32:Rootkit-gen, Win32/Spy.Zbot.JF, Generic.dx trojan. Trojan.Spy.Win32.Zbot.Qfw variant appeared on 22nd March 2009.

How can I protect my system?

                   Solo has incorporated Trojan.Spy.Win32.Zbot.Qfw in its signature file to protect users from this trojan attack. Solo antivirus registered users are already protected from this trojan. Make sure that you have installed registered version of Solo Antivirus to protect your system from all virus threats.

How to remove this Trojan?

                   If you are already infected with sdra64 process, you can remove it from your computer using Solo Antivirus software. Use the following link to Download 30 day trial version of Solo antivirus to remove viruses from your computer.

                   Solo anti-virus not only scans for all viruses, it contains a unique System Integrity Checker to protect you from New Internet Worms, Backdoors and malicious VB, Java Scripts. It also effectively removes all existing Internet Worms, File viruses, malicious VB, Java scripts, Trojans, Backdoors, boot sector, partition table and macro viruses.

You can purchase Solo antivirus using the link