From: Sophos Alert System

Name: Troj/Lineage-O
Aliases: PWSteal.Lineage, Trojan-Downloader.Win32.Delf.nd, PWS-Lineage.dll
Type: Trojan
Date: 7 June 2005

Sophos has issued protection for Troj/Lineage-O.

At the time of writing, Sophos has received a small number of reports of this Trojan from the wild.

Customers using EM Library, Enterprise Console, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update.

Information about Troj/Lineage-O can be found at:
http://www.sophos.com/virusinfo/analyses/trojlineageo.html

Troj/Lineage-O is a password stealing Trojan for the Windows platform that attempts to steal passwords associated with the game called "Lineage" and "Lineage II".

Troj/Lineage-O will copy itself to the Windows system folder as explorer.exe.

Troj/Lineage-O will also create a DLL in the Windows system folder named htdll.dll (also detected as Troj/Lineage-O).

Troj/Lineage-O searches for the "Lineage", "Lineage Windows Client" and "Lineage II" windows in an attempt to initiate a keylogging routine. Collected information is sent to a remote user via email.

In order to run automatically each time a user logs on, Troj/Lineage-O sets the registry entry:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
load
<Windows system folder>\explorer.exe

Troj/Lineage-O will attempt to disable a number of anti-virus and security related processes and windows, including:

EGHOST.EXE
MAILMON.EXE
KAVPFW.EXE
IPARMOR.EXE
RavMon.exe
ZoneAlarm

Troj/Lineage-O may also attempt to download and execute files from the internet.

The Troj/Lineage-O virus identity file (IDE) includes detection for:

Troj/StartPa-GS http://www.sophos.com/virusinfo/analyses/trojstartpags.html
W32/Sdbot-ZF http://www.sophos.com/virusinfo/analyses/w32sdbotzf.html
W32/Rbot-AEU http://www.sophos.com/virusinfo/analyses/w32rbotaeu.html
W32/Rbot-AET http://www.sophos.com/virusinfo/analyses/w32rbotaet.html
Troj/Dermon-A http://www.sophos.com/virusinfo/analyses/trojdermona.html
Troj/Proxmeg-A http://www.sophos.com/virusinfo/analyses/trojproxmega.html
W32/Rbot-AEW http://www.sophos.com/virusinfo/analyses/w32rbotaew.html
Dial/Plygam-A http://www.sophos.com/virusinfo/analyses/dialplygama.html

Customers with 3.xx or lower versions of Sophos Anti-Virus, who are not running EM Library, can manually download the IDE for Troj/Lineage-O from:
http://www.sophos.com/downloads/ide/lineag-o.ide

Read about how to use IDE files at
http://www.sophos.com/support/knowledgebase/article/363.html

*********** MIKE'S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews
see a sample on my web page http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
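
Added example, not part of the Sophos alert or the original post: a read-only PowerShell check for the host artifacts the alert names (explorer.exe and htdll.dll in the Windows system folder, and the "load" autostart value). The function name Test-LineageOIndicators and its parameters are hypothetical; a hit is a lead for an anti-virus scan, not a confirmed detection.

```powershell
# Added example: read-only check for the host artifacts named in the alert.
# Run as the user being checked, because the autostart value is under HKCU.
function Test-LineageOIndicators {
    param(
        # Defaults to the real system folder; override to point at a copy of it.
        [string]$SystemFolder = [Environment]::GetFolderPath('System'),
        [string]$RegPath = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
    )
    $findings = @()

    # Files the alert says are placed in the system folder. The genuine
    # explorer.exe normally lives in %WINDIR%, not in the system folder.
    foreach ($name in 'explorer.exe', 'htdll.dll') {
        $path = Join-Path $SystemFolder $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256 `
                     -ErrorAction SilentlyContinue).Hash
            $findings += [pscustomobject]@{
                Indicator = 'File in system folder'
                Detail    = $path
                Note      = "SHA256 $hash"
            }
        }
    }

    # Autostart: the "load" value named in the alert. Any non-empty value is
    # reported; the note says whether it points at <system folder>\explorer.exe.
    $load = (Get-ItemProperty -Path $RegPath -Name 'load' `
             -ErrorAction SilentlyContinue).load
    if (-not [string]::IsNullOrWhiteSpace($load)) {
        $expected = Join-Path $SystemFolder 'explorer.exe'
        $isMatch  = $load.IndexOf($expected, [StringComparison]::OrdinalIgnoreCase) -ge 0
        $findings += [pscustomobject]@{
            Indicator = 'Registry "load" value set'
            Detail    = $load
            Note      = if ($isMatch) { 'Matches path in alert' } else { 'Other program; review' }
        }
    }
    $findings
}

# No output means none of the three artifacts were found for this user.
Test-LineageOIndicators | Format-List
```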