From: Sophos Alert System

Name: W32/Codbot-Gen
Type: Win32 worm
Date: 30 June 2005

Sophos has issued protection for W32/Codbot-Gen.

At the time of writing, Sophos has received a small number of reports of this worm from the wild.

Customers using EM Library, Enterprise Console, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update.

Note: Sophos has updated this IDE to improve detection of the W32/Codbot family of worms

Information about W32/Codbot-Gen can be found at:
http://www.sophos.com/virusinfo/analyses/w32codbotgen.html

Sophos Anti-Virus products detect members of the W32/Codbot family of worms as W32/Codbot-Gen.

Worms detected as W32/Codbot-Gen provide backdoor Trojan functionality to a remote attacker via IRC channels. Such worms may spread to remote network shares with weak passwords in response to a command from a remote attacker.

Members of W32/Codbot family may copy themselves to the Windows system folder and create entries in the following registry entries to run themselves when the user logs on:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal

This backdoor functionality typically includes the ability to sniff packets, download further malicious code and steal passwords and other system information.

W32/Codbot worms may register themselves as service processes.

Members of W32/Codbot family typically attempt to exploit vulnerabilities, such as the LSASS vulnerability (MS04-011).
The W32/Codbot-Gen virus identity file (IDE) includes detection for:

Troj/Borobt-Gen
http://www.sophos.com/virusinfo/analyses/trojborobtgen.html

Customers with 3.xx or lower versions of Sophos Anti-Virus, who are not running EM Library, can manually download the IDE for W32/Codbot-Gen from:
http://www.sophos.com/downloads/ide/codbtgen.ide

Read about how to use IDE files at
http://www.sophos.com/support/knowledgebase/article/363.html

*********** MIKE'S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages
http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
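An added example, not part of the Sophos alert or of Mike's message: a triage check over the three registry locations the alert names. It assumes the input is text saved from `reg query <key> /s` for each location; the function name, the SafeBoot baseline and the sample entries are constructed for illustration, and a hit means "review this entry", not "infected".

```python
import re

# Keys named in the advisory, lower-cased, as `reg query` prints them.
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
SAFEBOOT = "hkey_local_machine\\system\\currentcontrolset\\control\\safeboot\\minimal\\"
# Value line in `reg query` output: name, type and data separated by 4 spaces.
VALUE_RE = re.compile(r"^ {4}(.+?) {4}(REG_\w+) {4}(.*)$")
# An .exe sitting directly in the Windows system folder.
SYSDIR_RE = re.compile(
    r'(?i)(?:%(?:windir|systemroot)%|[a-z]:\\win(?:dows|nt))\\system(?:32)?\\[^\\"]+\.exe')

def review(reg_text, safeboot_baseline):
    """Return (autoruns, safeboot_extras) that deserve a manual look."""
    baseline = {name.lower() for name in safeboot_baseline}
    autoruns, extras, key = [], [], ""
    for line in reg_text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            child = key[len(SAFEBOOT):]
            # Only direct children of SafeBoot\Minimal, not deeper subkeys.
            if (key.lower().startswith(SAFEBOOT) and child
                    and "\\" not in child and child.lower() not in baseline):
                extras.append(child)
            continue
        m = VALUE_RE.match(line)
        if m and key.lower() in RUN_KEYS and SYSDIR_RE.search(m.group(3)):
            autoruns.append((key.rsplit("\\", 1)[1], m.group(1), m.group(3)))
    return autoruns, extras

# Constructed sample, not taken from an infected machine.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ExampleUpdater    REG_SZ    "C:\Program Files\Example\updater.exe" /quiet
    ExampleSvcHost    REG_SZ    C:\WINDOWS\system32\example-svc.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    ExampleSvcHost    REG_SZ    C:\WINDOWS\system32\example-svc.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt
    (Default)    REG_SZ    Service

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ExampleSvc
    (Default)    REG_SZ    Service
"""
if __name__ == "__main__":
    print(review(SAMPLE, {"AppMgmt"}))
```

The SafeBoot baseline should come from a known-clean machine of the same Windows version, since legitimate entries differ between builds.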