From: Sophos Alert System

Name: Troj/Proxy-M
Type: Trojan
Date: 25 June 2005

Sophos has issued protection for Troj/Proxy-M. At the time of writing, Sophos has received a small number of reports of this Trojan from the wild.

Customers using EM Library, Enterprise Console, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update.

Information about Troj/Proxy-M can be found at:
http://www.sophos.com/virusinfo/analyses/trojproxym.html

Troj/Proxy-M is a proxy server Trojan. The proxy server runs continuously in the background, listening on a pre-configured port, and allows data to be routed through the computer. The proxy may be used to forward spam.

Troj/Proxy-M may be installed by opening a malicious document that exploits the "CAN-2003-0820 Word Buffer Overrun Vulnerability" associated with Microsoft Word (see Microsoft Security Bulletin MS03-050). The malicious document contains an encrypted form of Troj/Proxy-M and a macro. When the document is opened with a vulnerable version of Microsoft Word, the macro will execute (regardless of security settings) and will drop and run Troj/Proxy-M.

When Troj/Proxy-M is first run it copies itself to <Windows>\csrss.exe and creates the file <System>\mslogsvr.ini.

The following registry entry is created to run csrss.exe on startup:

  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  Shell
  Explorer.exe <Windows>\csrss.exe

Alternatively, Troj/Proxy-M may run itself on startup by adding the pathname of csrss.exe to the 'shell=' line in the [boot] section of System.ini, or to one of the following registry entries:

  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\LogService
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\LogService
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\LogService

The Troj/Proxy-M virus identity file (IDE) includes detection for:

  Troj/Haxdoor-AA
  http://www.sophos.com/virusinfo/analyses/trojhaxdooraa.html
  Troj/Haxdoor-AF
  http://www.sophos.com/virusinfo/analyses/trojhaxdooraf.html
  W32/Rbot-AGL
  http://www.sophos.com/virusinfo/analyses/w32rbotagl.html

Customers with 3.xx or lower versions of Sophos Anti-Virus, who are not running EM Library, can manually download the IDE for Troj/Proxy-M from:
http://www.sophos.com/downloads/ide/proxy-m.ide

Read about how to use IDE files at
http://www.sophos.com/support/knowledgebase/article/363.html

*********** MIKE'S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.

Editor MikesWhatsNews
see a sample on my web page http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm

See my Anti-Virus pages
http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>

A Technical Support Alliance and OWTA Charter Member
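The persistence locations the alert lists (the Winlogon Shell value, the System.ini [boot] shell= line, and the LogService values under the Run*/RunServices keys) are exactly what an administrator would check by hand on a suspect machine. The script below is an added example, not part of the Sophos alert or Mike's post: it audits a registry export (.reg text) and a System.ini file offline for the Troj/Proxy-M pattern, flagging any program appended after Explorer.exe in a shell line, any LogService value under the listed keys, and any csrss.exe whose directory is not <System>. The sample export and System.ini are constructed for illustration; the paths C:\WINDOWS for <Windows> and C:\WINDOWS\system32 for <System>, the inclusion of the plain Run key alongside the three keys the alert names, and the function names are assumptions of the example. Running it against a real export from an affected system is the intended use.

```python
"""Audit Windows startup locations for the Troj/Proxy-M persistence
pattern described in the Sophos alert: a csrss.exe dropped into the
Windows directory (the genuine csrss.exe lives in <System>, i.e.
System32) and appended to the Winlogon Shell value, to the System.ini
[boot] shell= line, or registered as a LogService value under a
RunOnceEx/RunServices/RunOnce key.

Added example: parses a .reg export and a System.ini text offline, so it
runs anywhere. The sample inputs below are constructed, not captured
from an infected machine. The <Windows> and <System> paths are assumed.
"""
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# The three keys named in the alert, plus the ordinary Run key for completeness.
RUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}
SYSTEM_DIR = r"C:\WINDOWS\system32"  # assumed <System>; adjust for the host


def parse_reg_export(text):
    """Return {key: {value_name: data}} from a REGEDIT-style export.
    Only string values ("name"="data") matter here; a .reg file doubles
    backslashes inside strings, so they are collapsed back to single ones."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and "=" in line:
            name, _, data = line.partition("=")
            name = name.strip('"') if name != "@" else "@"
            data = data.strip()
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def shell_extras(shell_value):
    """A shell line should be exactly Explorer.exe; every other comma- or
    space-separated token is an extra program started at logon.
    (Paths containing spaces would be split; quote-aware parsing is out
    of scope for this example.)"""
    tokens = [t for t in re.split(r"[,\s]+", shell_value.strip()) if t]
    return [t for t in tokens if t.lower() != "explorer.exe"]


def is_rogue_csrss(path):
    """csrss.exe belongs in <System>; Troj/Proxy-M drops its copy in <Windows>."""
    p = path.strip().strip('"').lower()
    directory, _, base = p.rpartition("\\")
    return base == "csrss.exe" and directory != SYSTEM_DIR.lower()


def audit_registry(keys):
    """Return (location, data) findings for the Winlogon Shell value and
    the Run*/RunServices keys."""
    findings = []
    shell = keys.get(WINLOGON_KEY, {}).get("Shell", "")
    for extra in shell_extras(shell):
        findings.append(("Winlogon\\Shell", extra))
    for key, values in keys.items():
        if key in RUN_KEYS:
            for name, data in values.items():
                if name.lower() == "logservice" or is_rogue_csrss(data):
                    findings.append((key.rsplit("\\", 1)[-1] + "\\" + name, data))
    return findings


def audit_system_ini(text):
    """Return findings for extra programs on the [boot] shell= line."""
    findings, in_boot = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_boot = line.lower() == "[boot]"
        elif in_boot and line.lower().startswith("shell="):
            for extra in shell_extras(line.split("=", 1)[1]):
                findings.append(("System.ini [boot] shell=", extra))
    return findings


# Constructed sample data mirroring the alert's description of an infected host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\csrss.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"LogService"="C:\\WINDOWS\\csrss.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe C:\\WINDOWS\\csrss.exe\n[drivers]\nwave=mmdrv.dll\n"

if __name__ == "__main__":
    for where, what in audit_registry(parse_reg_export(SAMPLE_REG)) + audit_system_ini(SAMPLE_SYSTEM_INI):
        print(f"SUSPICIOUS  {where}: {what}")
```

Every hit should be cross-checked on the host: the legitimate csrss.exe is in System32, so a second copy in the Windows directory, or any path following Explorer.exe in a shell line, warrants removal of the startup entry and a full scan with the updated IDE rather than just deleting the file, since the Trojan plants the entry in several locations.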