From: Sophos Alert System

Name: W32/Codbot-L
Aliases: Backdoor.Win32.Codbot.ae
Type: Win32 worm
Date: 15 June 2005

Sophos has issued protection for W32/Codbot-L. At the time of writing, Sophos has received a small number of reports of this worm from the wild.

Customers using EM Library, Enterprise Console, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update.

Information about W32/Codbot-L can be found at:
http://www.sophos.com/virusinfo/analyses/w32codbotl.html

W32/Codbot-L is a worm with backdoor functionality for the Windows platform.

W32/Codbot-L can spread to weakly protected network shares, weakly protected Microsoft SQL servers, and to computers vulnerable to the RPC-DCOM exploit.

The following patches for the operating system vulnerabilities exploited by W32/Codbot-L can be obtained from the Microsoft website:
MS04-012

W32/Codbot-L runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels. The intruder can issue commands to download and run further malicious code, steal passwords and system information, and sniff packets from the local network.

When first run, W32/Codbot-L copies itself to <Windows system folder>\rpcclient.exe.

W32/Codbot-L is registered as a new system driver service named "RpcClient", with a display name of "Remote Procedure Call (RPC) Client" and a startup type of automatic, so that it is started automatically during system startup.
Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\RpcClient\

Registry entries are set as follows:
HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings
ProxyEnable
1

HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings
ProxyEnable
1

The W32/Codbot-L virus identity file (IDE) includes detection for:
Troj/Orse-D http://www.sophos.com/virusinfo/analyses/trojorsed.html
Troj/LowZone-AO http://www.sophos.com/virusinfo/analyses/trojlowzoneao.html
Troj/Bancos-CZ http://www.sophos.com/virusinfo/analyses/trojbancoscz.html
Troj/Juntador-D http://www.sophos.com/virusinfo/analyses/trojjuntadord.html
Troj/Juntador-E http://www.sophos.com/virusinfo/analyses/trojjuntadore.html
W32/Rbot-AFJ http://www.sophos.com/virusinfo/analyses/w32rbotafj.html
Dial/GBDial-B http://www.sophos.com/virusinfo/analyses/dialgbdialb.html
W32/LameYear-A http://www.sophos.com/virusinfo/analyses/w32lameyeara.html
W32/Rbot-AFO http://www.sophos.com/virusinfo/analyses/w32rbotafo.html
W32/Mytob-FD http://www.sophos.com/virusinfo/analyses/w32mytobfd.html

Customers with 3.xx or lower versions of Sophos Anti-Virus, who are not running EM Library, can manually download the IDE for W32/Codbot-L from:
http://www.sophos.com/downloads/ide/codbot-l.ide

Read about how to use IDE files at
http://www.sophos.com/support/knowledgebase/article/363.html

*********** MIKE'S REPLY SEPARATOR ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages
http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
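As an added example (not part of the Sophos alert or Mike's post), the following triage script matches an exported Windows service list and registry dump against the persistence indicators the alert names: the "RpcClient" service, its "Remote Procedure Call (RPC) Client" display name, the rpcclient.exe binary, and the two ProxyEnable values. The record layout and the sample inventory are constructed assumptions for this example; ProxyEnable=1 is also a legitimate setting, so it is reported only as corroboration.

```python
import ntpath

# Indicators quoted from the Sophos alert for W32/Codbot-L.
CODBOT_SERVICE = "rpcclient"
CODBOT_DISPLAY = "Remote Procedure Call (RPC) Client"
CODBOT_BINARY = "rpcclient.exe"
CODBOT_PROXY_KEYS = {
    r"hklm\system\currentcontrolset\hardware profiles\0001\software\microsoft\windows\currentversion\internet settings",
    r"hklm\system\currentcontrolset\hardware profiles\current\software\microsoft\windows\currentversion\internet settings",
}


def triage(services, registry):
    """Match service and registry records against the alert's indicators.

    services: dicts with keys name, display_name, image_path (binary only), start
    registry: (key_path, value_name, data) tuples
    Both shapes are assumptions for this example. Returns (high, low):
    findings that identify the worm's service, and corroborating-only findings."""
    high, low = [], []
    for svc in services:
        name = svc["name"].lower()
        binary = ntpath.basename(svc["image_path"]).lower()
        # The genuine RPC service is RpcSs with display name "Remote Procedure
        # Call (RPC)"; the worm adds a second service whose display name appends
        # " Client", so the display name alone is a lookalike indicator.
        if name == CODBOT_SERVICE or binary == CODBOT_BINARY:
            high.append(f"service {svc['name']!r} runs {svc['image_path']} (start={svc['start']})")
        elif svc["display_name"] == CODBOT_DISPLAY:
            high.append(f"service {svc['name']!r} uses the Codbot-L display name")
    for key, value, data in registry:
        # ProxyEnable=1 is set by the worm but is also a normal user setting.
        if (key.lower().rstrip("\\") in CODBOT_PROXY_KEYS
                and value.lower() == "proxyenable" and str(data) == "1"):
            low.append(f"ProxyEnable=1 under {key}")
    return high, low


# Constructed sample inventory: one genuine RPC service and one Codbot-L service.
SAMPLE_SERVICES = [
    {"name": "RpcSs", "display_name": "Remote Procedure Call (RPC)",
     "image_path": r"C:\WINDOWS\system32\svchost.exe", "start": "auto"},
    {"name": "RpcClient", "display_name": "Remote Procedure Call (RPC) Client",
     "image_path": r"C:\WINDOWS\system32\rpcclient.exe", "start": "auto"},
]
SAMPLE_REGISTRY = [
    (r"HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings", "ProxyEnable", 1),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\RpcClient", "Start", 2),
]

if __name__ == "__main__":
    high, low = triage(SAMPLE_SERVICES, SAMPLE_REGISTRY)
    for line in high:
        print("HIGH:", line)
    for line in low:
        print("LOW: ", line)
```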