From Sophos Alert System:

Name: Troj/Puppet-A
Aliases: Backdoor-CSR
Type: Trojan
Date: 8 June 2005

Sophos has issued protection for Troj/Puppet-A.

At the time of writing, Sophos has received a small number of reports of this Trojan from the wild.

Customers using EM Library, Enterprise Console, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update.

Information about Troj/Puppet-A can be found at:
http://www.sophos.com/virusinfo/analyses/trojpuppeta.html

Troj/Puppet-A is a Trojan for the Windows platform.

The Trojan connects to a preconfigured IRC server and joins a channel in which it can await further instructions. These instructions can cause the Trojan to join other channels and send messages to other users.

When Troj/Puppet-A is installed the following files are created:

<Windows system folder>\boot.exe (detected as Troj/Puppet-A)
<Windows system folder>\rtl60.bpl (clean)

The following registry entries are created to run boot.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
boot
<Windows system folder>\boot.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
boot
<Windows system folder>\boot.exe

During installation, Troj/Puppet-A displays the following error messages:

Caption: Hype 1.02 Setup
Message: vml60.bvl not found!

Caption: Hype 1.02 Setup
Message: Installation aborted!

The Troj/Puppet-A virus identity file (IDE) includes detection for:

Troj/Bifrose-AL
http://www.sophos.com/virusinfo/analyses/trojbifroseal.html
Troj/Goldun-W
http://www.sophos.com/virusinfo/analyses/trojgoldunw.html
Troj/Bancban-DE
http://www.sophos.com/virusinfo/analyses/trojbancbande.html
Troj/LowZone-AI
http://www.sophos.com/virusinfo/analyses/trojlowzoneai.html
Troj/Dermon-B
http://www.sophos.com/virusinfo/analyses/trojdermonb.html
Troj/Borobot-B
http://www.sophos.com/virusinfo/analyses/trojborobotb.html
W32/Rbot-AEX
http://www.sophos.com/virusinfo/analyses/w32rbotaex.html

Customers with 3.xx or lower versions of Sophos Anti-Virus, who are not running EM Library, can manually download the IDE for Troj/Puppet-A from:
http://www.sophos.com/downloads/ide/puppet-a.ide

Read about how to use IDE files at
http://www.sophos.com/support/knowledgebase/article/363.html

*********** MIKE'S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages
http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
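
The startup entries listed in the alert can be checked for in saved `reg query` output. The script below is an added example, not part of the Sophos alert or of Mike's message; the sample text is constructed, and treating "system32" or "system" as the Windows system folder is an assumption. A match is a lead for a scanner to confirm, not a verdict.

```python
import ntpath
import re

# Indicators from the advisory: Run value "boot" -> <Windows system folder>\boot.exe
RUN_KEY = r"\software\microsoft\windows\currentversion\run"
VALUE_NAME = "boot"
FILE_NAME = "boot.exe"
SYSTEM_DIRS = {"system32", "system"}  # assumption: usual system folder names

# Constructed sample in the layout printed by `reg query <key>`.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    boot    REG_SZ    C:\WINDOWS\system32\boot.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Boot Helper    REG_SZ    "C:\Program Files\Helper\boot.exe" /min
    boot    REG_SZ    C:\WINDOWS\system32\boot.exe
"""

def parse_reg_query(text):
    """Yield (key, value_name, data) for each value in `reg query` output."""
    key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():      # key paths start in column 0
            key = line.strip()
            continue
        m = re.match(r"\s+(.+?)\s+(REG_[A-Z_]+)\s*(.*)$", line)
        if m and key:
            yield key, m.group(1), m.group(3).strip()

def find_puppet_a_run_entries(text):
    """Return (key, path) for Run values matching the advisory's indicators."""
    hits = []
    for key, name, data in parse_reg_query(text):
        # Pull the executable path out of quoted or argument-bearing data.
        exe = re.match(r'"?([^"]+?\.exe)\b', data, re.IGNORECASE)
        if not exe or not key.lower().endswith(RUN_KEY):
            continue
        folder, filename = ntpath.split(exe.group(1))
        if (name.lower() == VALUE_NAME and filename.lower() == FILE_NAME
                and ntpath.basename(folder).lower() in SYSTEM_DIRS):
            hits.append((key, exe.group(1)))
    return hits

if __name__ == "__main__":
    for key, path in find_puppet_a_run_entries(SAMPLE):
        print(f"possible Troj/Puppet-A persistence: {key} -> {path}")
```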