From: Sophos Alert System

Name: W32/Rbot-AEJ
Aliases: Trojan.Win32.Crypt.d
Type: Win32 worm
Date: 3 June 2005

Sophos has issued protection for W32/Rbot-AEJ.

At the time of writing, Sophos has received a small number of reports of this worm from the wild.

Customers using EM Library, Enterprise Console, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update.

Information about W32/Rbot-AEJ can be found at:
http://www.sophos.com/virusinfo/analyses/w32rbotaej.html

W32/Rbot-AEJ is a network worm with backdoor Trojan functionality for the Windows platform.

The worm copies itself to a file named system.exe in the Windows system folder.

W32/Rbot-AEJ spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers, exploiting operating system vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using backdoors opened by other worms or Trojans.

W32/Rbot-AEJ can also be instructed to spread through the AOL Instant Messaging (AIM) application.

W32/Rbot-AEJ can be controlled by a remote attacker over IRC channels.

The backdoor component of W32/Rbot-AEJ can be instructed by a remote user to perform the following functions:

- start an FTP server
- start a Proxy server
- start a web server
- take part in distributed denial of service (DDoS) attacks
- log keypresses
- capture screen/webcam images
- packet sniffing
- port scanning
- download/execute arbitrary files
- start a remote shell (RLOGIN)
- steal product registration information from certain software

Patches for the operating system vulnerabilities exploited by W32/Rbot-AEJ can be obtained from Microsoft at:

- MS01-059
- MS03-007
- MS04-011
- MS04-012

The W32/Rbot-AEJ virus identity file (IDE) includes detection for:

- W32/Rbot-AEO
  http://www.sophos.com/virusinfo/analyses/w32rbotaeo.html
- Troj/Dloader-OG
  http://www.sophos.com/virusinfo/analyses/trojdloaderog.html
- Troj/MiniDl-A
  http://www.sophos.com/virusinfo/analyses/trojminidla.html
- Troj/Bizves-A
  http://www.sophos.com/virusinfo/analyses/trojbizvesa.html
- W32/Sdranck-G
  http://www.sophos.com/virusinfo/analyses/w32sdranckg.html

Customers with 3.xx or lower versions of Sophos Anti-Virus, who are not running EM Library, can manually download the IDE for W32/Rbot-AEJ from:
http://www.sophos.com/downloads/ide/rbot-aej.ide

Read about how to use IDE files at
http://www.sophos.com/support/knowledgebase/article/363.html

*********** MIKE'S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews
see a sample on my web page http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member