From: Sophos Alert System

Name: W32/Kassbot-F
Aliases: BackDoor-CPV, Backdoor.Win32.Delf.aae
Type: Win32 worm
Date: 9 June 2005

Sophos has issued protection for W32/Kassbot-F. At the time of writing, Sophos has received a small number of reports of this worm from the wild.

Customers using EM Library, Enterprise Console, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update.

Information about W32/Kassbot-F can be found at:
http://www.sophos.com/virusinfo/analyses/w32kassbotf.html

W32/Kassbot-F is a network worm with backdoor functionality for the Windows platform.

W32/Kassbot-F runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer.

W32/Kassbot-F includes functionality to access the internet and communicate with a remote server via HTTP.

When first run, W32/Kassbot-F copies itself to <Windows system folder>\spools.exe and creates the file <Windows system folder>\xbccd.log.

The following registry entry is created to run spools.exe on startup:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Spools Service Controller
    <Windows system folder>\spools.exe

W32/Kassbot-F will send an email to a pre-defined email address containing system information from the infected computer.

W32/Kassbot-F will monitor a user's internet access. When certain internet banking and finance sites are accessed, the worm will redirect the user to a Russian website with fake login pages or email the stolen details to a pre-specified email address. The banking sites include the following:

    Bank One Australia
    Barclays
    Citibank
    EzyBank
    Halifax
    HSBC
    LloydsTSB
    NatWest
    NetBank

W32/Kassbot-F will attempt to spread by exploiting the LSASS vulnerability.
The following patches for the operating system vulnerabilities exploited by W32/Kassbot-F can be obtained from the Microsoft website:

    MS04-011

W32/Kassbot-F will append the following lines to the HOSTS file in an attempt to block access to anti-virus related websites:

    17.145.117.11 d-eu-1f.kaspersky-labs.com
    17.145.117.11 d-eu-1h.kaspersky-labs.com
    17.145.117.11 d-eu-2f.kaspersky-labs.com
    17.145.117.11 d-eu-2h.kaspersky-labs.com
    17.145.117.11 d-ru-1f.kaspersky-labs.com
    17.145.117.11 d-ru-1h.kaspersky-labs.com
    17.145.117.11 d-ru-2f.kaspersky-labs.com
    17.145.117.11 d-ru-2h.kaspersky-labs.com
    17.145.117.11 d-us-1f.kaspersky-labs.com
    17.145.117.11 d-us-1h.kaspersky-labs.com
    17.145.117.11 downloads1.kaspersky.ru
    17.145.117.11 downloads2.kaspersky.ru
    17.145.117.11 downloads3.kaspersky.ru
    17.145.117.11 downloads4.kaspersky.ru
    17.145.117.11 downloads5.kaspersky.ru
    17.145.117.11 kaspersky-labs.com
    17.145.117.11 kaspersky.ru
    17.145.117.11 www.kaspersky-labs.com
    17.145.117.11 www.kaspersky.ru

The W32/Kassbot-F virus identity file (IDE) includes detection for:

    W32/Rbot-AEZ     http://www.sophos.com/virusinfo/analyses/w32rbotaez.html
    W32/Nanpy-C      http://www.sophos.com/virusinfo/analyses/w32nanpyc.html
    Troj/StartPa-GU  http://www.sophos.com/virusinfo/analyses/trojstartpagu.html
    W32/Nanpy-D      http://www.sophos.com/virusinfo/analyses/w32nanpyd.html
    Troj/ServU-AW    http://www.sophos.com/virusinfo/analyses/trojservuaw.html
    Troj/Dloader-YY  http://www.sophos.com/virusinfo/analyses/trojdloaderyy.html

Customers with 3.xx or lower versions of Sophos Anti-Virus, who are not running EM Library, can manually download the IDE for W32/Kassbot-F from:
http://www.sophos.com/downloads/ide/kassbo-f.ide

Read about how to use IDE files at:
http://www.sophos.com/support/knowledgebase/article/363.html

*********** MIKE"S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.
Editor, MikesWhatsNews. See a sample on my web page: http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages: http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
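The two host-level artifacts the advisory describes (the HOSTS entries that black-hole Kaspersky update domains and the "Spools Service Controller" Run-key value launching spools.exe) are easy to check for offline. The script below is an added example written for this page, not Sophos or Microsoft code. It works on plain text and a dict so it runs anywhere; on a live Windows host the assumption is that you would feed it the contents of %SystemRoot%\System32\drivers\etc\hosts and the value names and command lines read from the HKLM Run key. The sample HOSTS text and Run-key values are constructed for the demonstration.

```python
"""Triage helpers for the W32/Kassbot-F HOSTS tampering and Run-key persistence.

Added example, not vendor code. Inputs are passed in as text/dicts so the
checks run offline; collecting them from a real host is left to the caller.
"""
import ipaddress
import re

# Vendor domains the advisory says the worm redirects in the HOSTS file.
AV_DOMAIN_SUFFIXES = ("kaspersky-labs.com", "kaspersky.ru")

# Run-key value name and image name taken from the advisory.
KASSBOT_RUN_VALUE = "Spools Service Controller"
KASSBOT_RUN_IMAGE = "spools.exe"

HOSTS_LINE = re.compile(r"^\s*(\S+)\s+(\S+)")
EXE_NAME = re.compile(r'([^\\/"\s]+\.exe)', re.IGNORECASE)

# Constructed sample HOSTS content (not a real capture); line 1 is the comment.
SAMPLE_HOSTS = """# constructed sample, not a real capture
127.0.0.1       localhost
17.145.117.11   downloads1.kaspersky.ru
17.145.117.11   www.kaspersky-labs.com
127.0.0.1       ads.example.net
"""

# Constructed sample of HKLM\...\Run values: name -> command line.
SAMPLE_RUN_VALUES = {
    "Spools Service Controller": r"C:\WINDOWS\system32\spools.exe",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}


def _is_av_domain(host):
    """True when host is one of the vendor domains or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in AV_DOMAIN_SUFFIXES)


def suspicious_hosts_entries(hosts_text):
    """Return (line_no, hostname, ip, is_loopback) for every HOSTS line that
    overrides an anti-virus vendor domain. Comments and blank lines are
    skipped; malformed addresses are ignored rather than reported."""
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0]          # drop trailing comments
        m = HOSTS_LINE.match(line)
        if not m:
            continue                          # blank or comment-only line
        ip_str, host = m.group(1), m.group(2).lower()
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            continue
        if _is_av_domain(host):
            findings.append((line_no, host, ip_str, ip.is_loopback))
    return findings


def clean_hosts(hosts_text):
    """Return the HOSTS text with the flagged vendor-domain lines removed."""
    bad = {line_no for line_no, *_ in suspicious_hosts_entries(hosts_text)}
    kept = [raw for n, raw in enumerate(hosts_text.splitlines(), start=1)
            if n not in bad]
    return "\n".join(kept) + "\n"


def kassbot_run_entries(run_values):
    """Return Run-key value names that match the advisory's persistence entry,
    either by the value name or by the launched image being spools.exe."""
    hits = []
    for name, cmd in run_values.items():
        m = EXE_NAME.search(cmd)
        image = m.group(1).lower() if m else ""
        if name == KASSBOT_RUN_VALUE or image == KASSBOT_RUN_IMAGE:
            hits.append(name)
    return hits


if __name__ == "__main__":
    for line_no, host, ip, loopback in suspicious_hosts_entries(SAMPLE_HOSTS):
        kind = "loopback" if loopback else "non-loopback"
        print(f"HOSTS line {line_no}: {host} -> {ip} ({kind})")
    for name in kassbot_run_entries(SAMPLE_RUN_VALUES):
        print(f"Run key value matches advisory: {name!r}")
```

The loopback flag is kept in the findings because a vendor domain pointed at 127.0.0.1 is still a block but is the form ad-blocking HOSTS files use, whereas the advisory's entries point at a routable address, which has no benign explanation; reporting both and letting the analyst decide avoids silently ignoring either case.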