From: Sophos Alert System

Name: W32/Codbot-AG
Aliases: WORM_SDBOT.BLH, Backdoor.Win32.Codbot.ag, W32.Toxbot
Type: Win32 worm
Date: 28 June 2005

Sophos has issued protection for W32/Codbot-AG. At the time of writing, Sophos has received a small number of reports of this worm from the wild.

Customers using EM Library, Enterprise Console, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update.

Information about W32/Codbot-AG can be found at:
http://www.sophos.com/virusinfo/analyses/w32codbotag.html

W32/Codbot-AG is a network worm with backdoor functionality for the Windows platform.

W32/Codbot-AG can spread to remote network shares protected by weak passwords and to computers vulnerable to common exploits, including the RPC-DCOM, LSASS and MSSQL vulnerabilities. The following patches for the operating system vulnerabilities exploited by W32/Codbot-AG can be obtained from the Microsoft website:

MS02-039 (SQL Server 2000 Resolution Service buffer overruns)
MS04-011 (LSASS)
MS04-012 (RPC/DCOM)

W32/Codbot-AG can be controlled by a remote attacker via the IRC network. The attacker can issue commands to download and run further malicious code, steal passwords and system information, and sniff packets from the local network.

W32/Codbot-AG copies itself to the Windows system folder with the filename dhcpclient.exe. On NT-based versions of Windows (NT, 2000, XP) the worm registers itself as a service process named Ulead Service with a display name of DHCP Client and a start type of automatic, so that the worm is started by the service control manager every time Windows boots.
Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DHCP_CLIENT
<several entries>
HKLM\SYSTEM\CurrentControlSet\Services\DHCP Client
<several entries>

W32/Codbot-AG also creates the following registry entries in order to run as a service process in safe mode:

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DHCP Client
(default) = "Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\DHCP Client
(default) = "Service"

The W32/Codbot-AG virus identity file (IDE) includes detection for:

WM97/Esele-A
http://www.sophos.com/virusinfo/analyses/wm97eselea.html
Troj/Capedown-A
http://www.sophos.com/virusinfo/analyses/trojcapedowna.html
Troj/Banito-F
http://www.sophos.com/virusinfo/analyses/trojbanitof.html
Troj/Lofler-A
http://www.sophos.com/virusinfo/analyses/trojloflera.html
Troj/Siggy-A
http://www.sophos.com/virusinfo/analyses/trojsiggya.html
Troj/BeastDo-Y
http://www.sophos.com/virusinfo/analyses/trojbeastdoy.html
Troj/Webdrop-A
http://www.sophos.com/virusinfo/analyses/trojwebdropa.html
Troj/Dumaru-H
http://www.sophos.com/virusinfo/analyses/trojdumaruh.html
Troj/Small-EM
http://www.sophos.com/virusinfo/analyses/trojsmallem.html
Troj/Divo-A
http://www.sophos.com/virusinfo/analyses/trojdivoa.html

Customers with 3.xx or lower versions of Sophos Anti-Virus, who are not running EM Library, can manually download the IDE for W32/Codbot-AG from:
http://www.sophos.com/downloads/ide/codbo-ag.ide

Read about how to use IDE files at
http://www.sophos.com/support/knowledgebase/article/363.html

*********** MIKE'S REPLY SEPARATOR ***********

Mike ~
It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages
http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
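One way to check a registry export for the persistence indicators the alert lists, added here as an example; this is not code from Sophos or from Mike's post. The point of the check is that the worm hides behind the display name "DHCP Client": the genuine Windows DHCP client service lives under the key name Dhcp and runs inside svchost.exe, so a service under any other key name with that display name, or whose ImagePath runs dhcpclient.exe, is suspect, and a SafeBoot\Minimal or SafeBoot\Network entry named after such a service is the safe-mode persistence the alert describes. The key name Dhcp and the svchost.exe image path are assumptions taken from Windows itself, not from the alert; the .reg export below is constructed for the example, and the value names and data under the worm's key are assumed, since the alert only says "<several entries>".

```python
"""Check a Windows .reg export for the W32/Codbot-AG persistence indicators.

Added example; the sample export below is constructed, not a real capture.
"""
from typing import Dict, List, Set, Union

RegValue = Union[str, int]
RegKeys = Dict[str, Dict[str, RegValue]]

SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
SAFEBOOT_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\"
WORM_FILE = "dhcpclient.exe"   # filename named in the Sophos alert
LEGIT_DHCP_KEY = "Dhcp"        # assumption: key name of the genuine Windows DHCP Client service

# Constructed .reg export: the genuine Dhcp service, the worm's look-alike
# service, and the SafeBoot entries from the alert. Value names and data
# under the worm's key are assumed; the alert only says "<several entries>".
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"DisplayName"="DHCP Client"
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCP Client]
"DisplayName"="DHCP Client"
"ImagePath"="C:\\WINDOWS\\system32\\dhcpclient.exe"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\DHCP Client]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\DHCP Client]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Dhcp]
@="Service"
'''


def parse_reg_export(text: str) -> RegKeys:
    """Minimal parser for REGEDIT .reg text: [key] headers and "name"=value lines."""
    keys: RegKeys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "(default)" if name == "@" else name.strip('"')
        if value.startswith('"') and value.endswith('"'):
            # .reg files escape backslashes and quotes inside string data
            parsed: RegValue = value[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        elif value.startswith("dword:"):
            parsed = int(value[6:], 16)
        else:
            parsed = value
        keys[current][name] = parsed
    return keys


def _image_basename(image_path: str) -> str:
    """'C:\\x\\svchost.exe -k netsvcs' -> 'svchost.exe' (lower-cased)."""
    exe = image_path.replace("/", "\\").split("\\")[-1]
    return exe.split(" ")[0].strip('"').lower()


def find_codbot_indicators(keys: RegKeys) -> List[str]:
    """Return human-readable findings; an empty list means nothing matched."""
    findings: List[str] = []
    suspect: Set[str] = set()
    for path, values in keys.items():
        if not path.startswith(SERVICES_PREFIX):
            continue
        svc = path[len(SERVICES_PREFIX):]
        if "\\" in svc:          # skip subkeys such as ...\Services\Foo\Parameters
            continue
        image = str(values.get("ImagePath", ""))
        if _image_basename(image) == WORM_FILE:
            suspect.add(svc)
            findings.append(f"service '{svc}' runs {WORM_FILE}: {image}")
        if values.get("DisplayName") == "DHCP Client" and svc != LEGIT_DHCP_KEY:
            suspect.add(svc)
            findings.append(f"service '{svc}' borrows display name 'DHCP Client'")
    # SafeBoot\Minimal and SafeBoot\Network entries are named after the service key
    for path in keys:
        if path.startswith(SAFEBOOT_PREFIX):
            mode, _, entry = path[len(SAFEBOOT_PREFIX):].partition("\\")
            if entry in suspect:
                findings.append(f"SafeBoot\\{mode}\\{entry} keeps a suspect service alive in safe mode")
    return findings


if __name__ == "__main__":
    for finding in find_codbot_indicators(parse_reg_export(SAMPLE_REG)):
        print(finding)
```

On a live Windows 2000/XP host the same functions can be pointed at a real export made with reg.exe (for example `reg export HKLM\SYSTEM\CurrentControlSet out.reg`); note that reg.exe writes the file as UTF-16, so open it with that encoding before passing the text in. The parser deliberately ignores hex and expandable-string value types it does not need, so it is a triage aid, not a general .reg reader.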