From: Sophos Alert System

Name: W32/Nackbot-D
Aliases: Backdoor.Agobot.jy, W32.Randex.gen
Type: Win32 worm
Date: 5 April 2004

A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the May 2004 (3.81) release of Sophos Anti-Virus. Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.

At the time of writing, Sophos has received just one report of this worm from the wild.

Information about W32/Nackbot-D can be found at:
http://www.sophos.com/virusinfo/analyses/w32nackbotd.html

Description

W32/Nackbot-D is a peer-to-peer (P2P) worm which spreads via shared folders and has IRC backdoor functionality.

When run, the worm copies itself to the Windows System (or System32) folder as the file MSCLOCK.EXE.

To ensure that the worm is run each time Windows is started, W32/Nackbot-D creates the registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Digital Clock = msclock.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Microsoft Digital Clock = msclock.exe

W32/Nackbot-D attempts to spread to randomly chosen IP addresses. The worm attempts to access the C$, D$, E$ and Admin$ shares of the target computer using a list of passwords contained within the worm. The worm then copies itself to the Windows System (or System32) folder on the target computer as MSCLOCK.EXE.

W32/Nackbot-D contains backdoor components which can be controlled by a remote attacker via IRC. The backdoor functions include the ability to launch a distributed denial-of-service attack (DDoS).
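The spreading behaviour described above (guessing passwords from a built-in list against the C$, D$, E$ and Admin$ shares of random addresses) leaves a characteristic trail on the targets: bursts of failed network logons from one source across many hosts, then a success when a password matches. The Python script below is an added example, not part of the Sophos alert or of Mike's post. It runs that detection over a constructed batch of simplified Windows Security events (4625 failed logon, 4624 successful logon, logon type 3 for network access); the event layout, the field names and the thresholds are assumptions to adapt to a real log source.

```python
"""Flag share password-guessing from simplified logon events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not a real capture. Fields: timestamp, event id,
# source IP, target host, account, logon type (3 = network, as used for SMB).
SAMPLE_EVENTS = [
    ("2004-04-05T10:00:01", 4625, "10.0.0.7", "WS-01", "Administrator", 3),
    ("2004-04-05T10:00:02", 4625, "10.0.0.7", "WS-01", "Administrator", 3),
    ("2004-04-05T10:00:03", 4625, "10.0.0.7", "WS-01", "Administrator", 3),
    ("2004-04-05T10:00:05", 4625, "10.0.0.7", "WS-02", "Administrator", 3),
    ("2004-04-05T10:00:06", 4625, "10.0.0.7", "WS-02", "Administrator", 3),
    ("2004-04-05T10:00:07", 4625, "10.0.0.7", "WS-02", "Administrator", 3),
    ("2004-04-05T10:00:09", 4625, "10.0.0.7", "WS-03", "Administrator", 3),
    ("2004-04-05T10:00:10", 4625, "10.0.0.7", "WS-03", "Administrator", 3),
    ("2004-04-05T10:00:11", 4625, "10.0.0.7", "WS-03", "Administrator", 3),
    ("2004-04-05T10:00:12", 4624, "10.0.0.7", "WS-03", "Administrator", 3),  # a password hit
    ("2004-04-05T10:00:14", 4625, "10.0.0.7", "WS-04", "Administrator", 3),
    ("2004-04-05T10:00:15", 4625, "10.0.0.7", "WS-04", "Administrator", 3),
    ("2004-04-05T10:00:16", 4625, "10.0.0.7", "WS-04", "Administrator", 3),
    ("2004-04-05T10:05:00", 4624, "10.0.0.50", "WS-01", "jdoe", 3),   # normal admin access
    ("2004-04-05T10:06:00", 4625, "10.0.0.9", "WS-02", "jsmith", 3),  # one typo, no alert
    ("2004-04-05T10:07:00", 4625, "10.0.0.9", "WS-02", "jsmith", 2),  # interactive, ignored
]


def detect_share_spraying(events, window=timedelta(minutes=5),
                          min_targets=3, min_failures=6):
    """Return one finding per source whose network-logon failures inside any
    `window` cover at least `min_targets` hosts and number at least
    `min_failures`. Successful logons from that source after the first
    failure in the window are reported as probable password-list hits.
    Thresholds are assumptions; tune them to the environment."""
    by_src = defaultdict(list)
    for ts, event_id, src, host, account, logon_type in events:
        if logon_type != 3 or event_id not in (4624, 4625):
            continue
        by_src[src].append((datetime.fromisoformat(ts), event_id, host, account))

    findings = []
    for src, evs in by_src.items():
        evs.sort()
        for start, _, _, _ in evs:
            in_window = [e for e in evs if start <= e[0] <= start + window]
            failures = [e for e in in_window if e[1] == 4625]
            targets = {e[2] for e in failures}
            if len(failures) >= min_failures and len(targets) >= min_targets:
                first_fail = failures[0][0]
                hits = sorted({(e[2], e[3]) for e in in_window
                               if e[1] == 4624 and e[0] > first_fail})
                findings.append({
                    "source": src,
                    "window_start": start.isoformat(),
                    "failed_logons": len(failures),
                    "targets": sorted(targets),
                    "successes": hits,
                })
                break  # one finding per source is enough
    return findings


if __name__ == "__main__":
    for f in detect_share_spraying(SAMPLE_EVENTS):
        print(f"{f['source']}: {f['failed_logons']} failures against "
              f"{len(f['targets'])} hosts; successes: {f['successes']}")
```

The distinct-target count is what separates a worm sweeping random addresses from a user mistyping one password several times; a success recorded after the failures from the same source is the host to isolate first, since the worm will already have copied MSCLOCK.EXE there.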
W32/Nackbot-D searches for the following virus, anti-virus and security-related processes and terminates them if they are running:

_AVP32.EXE _AVPCC.EXE _AVPM.EXE ACKWIN32.EXE ADVXDWIN.EXE ALERTSVC.EXE amon.exe ANTI-TROJAN.EXE
ANTITROJAN.EXE ANTS.EXE APVXDWIN.EXE AUTODOWN.EXE AVCONSOL.EXE AVE32.EXE AVGCTRL.EXE AVKSERV.EXE
AVNT.EXE AVP.EXE AVP32.EXE AVPCC.EXE AVPDOS32.EXE AVPM.EXE AVPTC32.EXE AVPUPD.EXE
AVSCHED32.EXE AVWIN95.EXE AVWUPD32.EXE BLACKD.EXE BLACKICE.EXE bot.exe CCAPP.EXE CCEVTMGR.EXE
CCPXYSVC.EXE CFIADMIN.EXE CFIAUDIT.EXE CFINET.EXE CFINET32.EXE CLAW95.EXE CLAW95CF.EXE CLEANER.EXE
CLEANER3.EXE COMMVIEW.EXE COMMVIEW32.EXE CONNECTIONMONITOR.EXE CPD.EXE CPDCLNT.EXE dcomx.exe DEFWATCH.EXE
DFW.EXE drweb.exe Drweb32w.exe drweb386.exe Drwebupw.exe Drwebwcl.exe DUMP.EXE DUMP1.EXE
DUMPED.EXE DUMPED1.EXE DVP95.EXE DVP95_0.EXE ECENGINE.EXE EETHERCAP.EXE EETHERCAP32.EXE enbiei.exe
ESAFE.EXE ESPWATCH.EXE ETHERCAP.EXE ETHERCAP32.EXE EXPLORER32.EXE F-AGNT95.EXE F-PROT.EXE F-PROT95.EXE
F-STOPW.EXE FINDVIRU.EXE FP-WIN.EXE FPROT.EXE FRW.EXE GUARDDOG.EXE IAMAPP.EXE IAMSERV.EXE
IBMASN.EXE IBMAVSP.EXE ICLOAD95.EXE ICLOADNT.EXE ICMON.EXE ICSUPP95.EXE ICSUPPNT.EXE IFACE.EXE
index.exe IOMON98.EXE IRIS.EXE JEDI.EXE KILL.EXE KILLER.EXE KPF4GUI.EXE KPF4SS.EXE
LDNETMON.EXE LOCKDOWN.EXE LOCKDOWN2000.EXE lolx.exe LOOKOUT.EXE LordPE.EXE LordPE32.EXE LUALL.EXE
MINILOG.EXE MOOLIVE.EXE MPFTRAY.EXE MSBLAST.EXE MSCONFIG.EXE mslaugh.exe mspatch.exe N32SCANW.EXE
NAVAPSVC.EXE NAVAPW32.EXE NAVLU32.EXE NAVNT.EXE NAVW32.EXE NAVWNT.EXE NDD32.EXE NETSTAT.EXE
NETUTILS.EXE NISSERV.EXE NISUM.EXE NMAIN.EXE nod.exe nod32.exe NORMIST.EXE NPROTECT.EXE
NPSSVC.EXE NTVDM.EXE NUPGRADE.EXE NVC95.EXE NVSVC32.EXE NWTOOL16.EXE OUTPOST.EXE PADMIN.EXE
PAVCL.EXE PAVSCHED.EXE PAVW.EXE PCCWIN98.EXE PCFWALLICON.EXE penis32.exe PERSFW.EXE PM.exe
POPROXY.EXE PORTMONITOR.EXE PRKILLER.EXE PROCDUMP.EXE PROCDUMP32.EXE PS.EXE PSKILL.EXE PSLIST.EXE
RAV7.EXE RAV7WIN.EXE REGEDIT.EXE RESCUE.EXE root32.exe rpc.exe rpctest.exe RTVSCN95.EXE
RUNDDL31.EXE SAFEWEB.EXE SCAN32.EXE SCAN95.EXE SCANPM.EXE SCRSCAN.EXE scvhost.exe SERV95.EXE
SMC.EXE SPHINX.EXE spider.exe Spiderml.exe spidernt.exe SWEEP95.EXE SWNETSUP.EXE SymProxySvc.exe
SYSCFG32.EXE SYSOTRAY32.EXE TASKKILL.EXE TASKLIST.EXE TASKMGR.EXE TBSCAN.EXE TC.EXE TCA.EXE
TCM.EXE TCPDUMP.EXE TCPDUMP32.EXE TDS2-98.EXE TDS2-NT.EXE teekids.exe tftpd.exe VET95.EXE
VETTRAY.EXE VPC32.EXE VPTRAY.EXE VSCAN40.EXE VSECOMR.EXE VSHWIN32.EXE VSMON.EXE VSSTAT.EXE
WEBSCANX.EXE WFINDV32.EXE WINDRIVER.EXE WINEXEC.EXE WINHEX.EXE WINSOCK2.2.EXE worm.exe WRADMIN.EXE
WRCTRL.EXE ZAPRO.EXE ZLCLIENT.EXE zlclient.exe ZONEALARM.EXE

W32/Nackbot-D can also be used to steal the Windows Product ID and the CD keys from several computer games, including:

Half-Life
Counter-Strike
Unreal Tournament 2003
Unreal Tournament 2004
Project IGI 2
Battlefield 1942
Battlefield: Vietnam
Battlefield 1942: Road To Rome
Rainbow Six III RavenShield
Neverwinter Nights
Soldier of Fortune II - Double Helix
Need For Speed Hot Pursuit 2
FIFA 2003
Command & Conquer: Generals

Recovery

Please follow the instructions for removing worms.

This IDE file also includes detection for:

W32/Sdbot-HC
http://www.sophos.com/virusinfo/analyses/w32sdbothc.html

W32/Spybot-BU
http://www.sophos.com/virusinfo/analyses/w32spybotbu.html

W32/Agobot-FQ
http://www.sophos.com/virusinfo/analyses/w32agobotfq.html

W32/Agobot-FR
http://www.sophos.com/virusinfo/analyses/w32agobotfr.html

Troj/StartPa-G
http://www.sophos.com/virusinfo/analyses/trojstartpag.html

W32/SdBot-CE
http://www.sophos.com/virusinfo/analyses/w32sdbotce.html

Dial/XXXDial-C
http://www.sophos.com/virusinfo/analyses/dialxxxdialc.html

Troj/Socks-A
http://www.sophos.com/virusinfo/analyses/trojsocksa.html

W32/Rbot-C
http://www.sophos.com/virusinfo/analyses/w32rbotc.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/nackbotd.ide

Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file.
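Two of the indicators in this alert lend themselves to a scripted host check: the autorun values under Run and RunServices that point at msclock.exe (from the Description), and the list of security tools the worm terminates (above). The Python script below is an added example, not code from the Sophos alert or from Mike's page. It parses text in the shape of `reg query` and `tasklist /fo csv` output (the samples here are constructed; on a real host you would collect that output first) and reports the worm's autorun entries, a running msclock.exe, and any expected defender from the kill list that is no longer running. The kill list in the script is only a subset of the list above, and the expected defender names passed in are an assumption for the example.

```python
"""Host triage for the W32/Nackbot-D indicators (added example)."""
import csv
import io
import re
from pathlib import PureWindowsPath

WORM_IMAGE = "msclock.exe"

# Subset of the advisory's kill list, lowercased: Windows image names are
# case-insensitive, which is why the worm's own list can mix cases.
KILL_LIST = {
    "ccapp.exe", "ccevtmgr.exe", "navapsvc.exe", "navapw32.exe", "nod32.exe",
    "avp.exe", "avp32.exe", "zlclient.exe", "zonealarm.exe", "vsmon.exe",
    "outpost.exe", "blackice.exe", "drweb.exe", "f-prot.exe", "sweep95.exe",
    "tasklist.exe", "taskmgr.exe", "netstat.exe", "regedit.exe", "msconfig.exe",
}

# Constructed sample in the shape of `reg query <key>` output.
REG_SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Microsoft Digital Clock    REG_SZ    msclock.exe
    Example Tray Tool    REG_SZ    C:\Program Files\Example\tray.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    Microsoft Digital Clock    REG_SZ    msclock.exe
"""

# Constructed sample in the shape of `tasklist /fo csv` output.
TASKLIST_SAMPLE = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","16 K"
"explorer.exe","1204","Console","0","12,340 K"
"msclock.exe","1388","Console","0","2,816 K"
"zlclient.exe","1452","Console","0","6,104 K"
'''


def parse_reg_query(text):
    """Return {key: [(value_name, type, data), ...]} from reg query text.

    reg.exe pads its columns with runs of spaces, and value names such as
    "Microsoft Digital Clock" contain single spaces, so fields are split on
    two or more spaces rather than on any whitespace."""
    entries, key = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):          # unindented line = key path
            key = line.strip()
            entries.setdefault(key, [])
            continue
        parts = re.split(r"\s{2,}", line.strip())
        if key is not None and len(parts) >= 2:
            entries[key].append((parts[0], parts[1], parts[2] if len(parts) > 2 else ""))
    return entries


def parse_tasklist_csv(text):
    """Return the set of lowercased image names from tasklist /fo csv output."""
    return {row["Image Name"].lower() for row in csv.DictReader(io.StringIO(text))}


def image_name(data):
    """Basename of a command-line style registry value, lowercased."""
    return PureWindowsPath(data.strip().strip('"')).name.lower()


def triage(reg_text, tasklist_text, expected_defenders=()):
    """Return human-readable findings for the advisory's host indicators."""
    findings = []
    for key, values in parse_reg_query(reg_text).items():
        for name, _vtype, data in values:
            if image_name(data) == WORM_IMAGE:
                findings.append(f"autorun {key}\\{name} -> {data}")
    running = parse_tasklist_csv(tasklist_text)
    if WORM_IMAGE in running:
        findings.append(f"process {WORM_IMAGE} running")
    for defender in expected_defenders:
        defender = defender.lower()
        if defender in KILL_LIST and defender not in running:
            findings.append(f"expected defender {defender} not running (on the worm's kill list)")
    return findings


if __name__ == "__main__":
    for line in triage(REG_SAMPLE, TASKLIST_SAMPLE, expected_defenders=["ccapp.exe", "zlclient.exe"]):
        print(line)
```

Two caveats when using this on a live host. TASKLIST.EXE, TASKMGR.EXE, NETSTAT.EXE and REGEDIT.EXE are themselves on the kill list, so collect the registry and process snapshots from a clean boot or over a remote session rather than trusting tools launched in the infected session. And RunServices is only processed by Windows 95/98/Me; on NT-based Windows the Run value alone provides the persistence, so the absence of a RunServices entry is not a clean result.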
The file is available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

---------------------------------------------------------------------
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages
http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member