[virusinfo] W32/Rbot-AFB
- From: "Mike" <mikebike@xxxxxxxxx>
- To: virusinfo@xxxxxxxxxxxxx
- Date: Fri, 10 Jun 2005 10:54:11 -0700
From; Sophos Alert System:
Name: W32/Rbot-AFB
Type: Win32 worm
Date: 10 June 2005
Sophos has issued protection for W32/Rbot-AFB.
At the time of writing, Sophos has received a small number of
reports of this worm from the wild.
Customers using EM Library, Enterprise Console, PureMessage or
any of our Sophos small business solutions will be automatically
protected at their next scheduled update.
Information about W32/Rbot-AFB can be found at:
http://www.sophos.com/virusinfo/analyses/w32rbotafb.html
W32/Rbot-AFB is a worm and IRC backdoor Trojan for the Windows platform.
W32/Rbot-AFB spreads:
via IRC channels under a remote intruder's commands
to other network computers infected with W32/MyDoom and W32/Bagle
to other network computers by exploiting common buffer overflow vulnerabilites,
including LSASS (MS04-011), RPC-DCOM (MS04-012) and WebDav (MS03-007)
by copying itself to network shares protected by weak passwords
W32/Rbot-AFB runs continuously in the background, providing a backdoor server
which allows a remote intruder to gain access and control over the computer via
IRC channels.
W32/Rbot-AFB includes functionality to:
capture keystrokes
steal confidential information and game keys
carry out DDoS flooder attacks
provide a proxy server
silently download, install and run new software
When first run W32/Rbot-AFB moves itself to a read-only, hidden, system file
<System>\Sygate.exe.
The following registry entries are created to run <System>\Sygate.exe on
startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sygate Personal Firewall
Sygate.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Sygate Personal Firewall
Sygate.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sygate Personal Firewall
Sygate.exe
The following patches for the operating system vulnerabilities exploited by
W32/Rbot-AFB can be obtained from the Microsoft website:
LSASS (MS04-011) security vulnerability
RPC-DCOM (MS04-012) security vulnerability
WebDav (MS03-007) security vulnerability
The W32/Rbot-AFB virus identity file (IDE) includes detection for:
Troj/Agent-DX
http://www.sophos.com/virusinfo/analyses/trojagentdx.html
Troj/Dload-OP
http://www.sophos.com/virusinfo/analyses/trojdloadop.html
W32/Rbot-AFD
http://www.sophos.com/virusinfo/analyses/w32rbotafd.html
W32/Rbot-AFF
http://www.sophos.com/virusinfo/analyses/w32rbotaff.html
W32/Rbot-AFG
http://www.sophos.com/virusinfo/analyses/w32rbotafg.html
Customers with 3.xx or lower versions of Sophos Anti-Virus,
who are not running EM Library, can manually download the IDE
for W32/Rbot-AFB from:
http://www.sophos.com/downloads/ide/rbot-afb.ide
Read about how to use IDE files at
http://www.sophos.com/support/knowledgebase/article/363.html
*********** MIKE"S REPLY SEPARATOR ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
Other related posts:
- » [virusinfo] W32/Rbot-AFB
