From: Sophos Alert System
Name: W32/Rbot-AFB
Type: Win32 worm
Date: 10 June 2005

Sophos has issued protection for W32/Rbot-AFB. At the time of writing, Sophos has received a small number of reports of this worm from the wild.

Customers using EM Library, Enterprise Console, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update.

Information about W32/Rbot-AFB can be found at:
http://www.sophos.com/virusinfo/analyses/w32rbotafb.html

W32/Rbot-AFB is a worm and IRC backdoor Trojan for the Windows platform.

W32/Rbot-AFB spreads:
- via IRC channels under a remote intruder's commands
- to other network computers already infected with W32/MyDoom and W32/Bagle
- to other network computers by exploiting common buffer overflow vulnerabilities, including LSASS (MS04-011), RPC-DCOM (MS04-012) and WebDAV (MS03-007)
- by copying itself to network shares protected by weak passwords

W32/Rbot-AFB runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access to and control over the computer via IRC channels.

W32/Rbot-AFB includes functionality to:
- capture keystrokes
- steal confidential information and game keys
- carry out DDoS flooder attacks
- provide a proxy server
- silently download, install and run new software

When first run, W32/Rbot-AFB moves itself to a read-only, hidden, system file <System>\Sygate.exe.
The following registry entries are created to run <System>\Sygate.exe on startup (value name = value data):

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Sygate Personal Firewall = Sygate.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    Sygate Personal Firewall = Sygate.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sygate Personal Firewall = Sygate.exe

The following patches for the operating system vulnerabilities exploited by W32/Rbot-AFB can be obtained from the Microsoft website:
- LSASS (MS04-011) security vulnerability
- RPC-DCOM (MS04-012) security vulnerability
- WebDAV (MS03-007) security vulnerability

The W32/Rbot-AFB virus identity file (IDE) includes detection for:
- Troj/Agent-DX http://www.sophos.com/virusinfo/analyses/trojagentdx.html
- Troj/Dload-OP http://www.sophos.com/virusinfo/analyses/trojdloadop.html
- W32/Rbot-AFD http://www.sophos.com/virusinfo/analyses/w32rbotafd.html
- W32/Rbot-AFF http://www.sophos.com/virusinfo/analyses/w32rbotaff.html
- W32/Rbot-AFG http://www.sophos.com/virusinfo/analyses/w32rbotafg.html

Customers with 3.xx or lower versions of Sophos Anti-Virus, who are not running EM Library, can manually download the IDE for W32/Rbot-AFB from:
http://www.sophos.com/downloads/ide/rbot-afb.ide

Read about how to use IDE files at
http://www.sophos.com/support/knowledgebase/article/363.html

*********** MIKE'S REPLY SEPARATOR ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
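As an added example (not part of the Sophos alert or of Mike's post), the following PowerShell script checks a Windows host for the persistence artefacts the alert lists: the "Sygate Personal Firewall" value under the three Run/RunServices keys and the dropped file <System>\Sygate.exe. The key paths, value name and file name are taken from the alert. The -RemoveIfFound switch, the reporting format, and the heuristic that a bare "Sygate.exe" value (or one pointing explicitly at the System directory) is the worm's entry rather than a genuine Sygate Personal Firewall installation are this example's own assumptions.

```powershell
# Added example, not part of the Sophos alert or of Mike's post.
# Checks a Windows host for the W32/Rbot-AFB persistence artefacts the alert
# lists: the three Run/RunServices values named "Sygate Personal Firewall" and
# the dropped file <System>\Sygate.exe. Run from an elevated PowerShell prompt.
[CmdletBinding()]
param(
    # Assumption of this example: nothing is removed unless explicitly requested.
    [switch]$RemoveIfFound
)

# Registry locations from the alert (PowerShell drive notation).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$valueName = 'Sygate Personal Firewall'
# <System> in the alert is the Windows system directory.
$dropPath  = Join-Path $env:SystemRoot 'System32\Sygate.exe'

$findings = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    $prop = $props.PSObject.Properties[$valueName]
    if ($null -eq $prop) { continue }

    # The alert shows the value data as the bare file name "Sygate.exe", which
    # Windows resolves from the system directory at logon. Heuristic (this
    # example's assumption): a bare name, or an explicit path to the drop
    # location, is the worm; anything else is reported but left for a human.
    $data   = [string]$prop.Value
    $clean  = $data.Trim().Trim('"')
    $isWorm = ($clean -ieq 'Sygate.exe') -or ($clean -ieq $dropPath)

    $findings += [pscustomobject]@{
        Artefact   = "$key\$valueName"
        Data       = $data
        Suspicious = $isWorm
    }

    if ($RemoveIfFound -and $isWorm) {
        Remove-ItemProperty -Path $key -Name $valueName -ErrorAction Stop
    }
}

# The dropped file is read-only, hidden and system, so -Force is needed to see it.
if (Test-Path -LiteralPath $dropPath) {
    $file = Get-Item -LiteralPath $dropPath -Force
    $findings += [pscustomobject]@{
        Artefact   = $dropPath
        Data       = "{0} bytes, attributes: {1}" -f $file.Length, $file.Attributes
        Suspicious = $true
    }

    if ($RemoveIfFound) {
        # The worm runs continuously, so the file stays locked until its process
        # is stopped. Match on the image path, not just on the process name.
        Get-Process -ErrorAction SilentlyContinue |
            Where-Object { $_.Path -and ($_.Path -ieq $dropPath) } |
            Stop-Process -Force -ErrorAction SilentlyContinue
        # Clear the read-only/hidden/system bits before deleting.
        $file.Attributes = [System.IO.FileAttributes]::Normal
        Remove-Item -LiteralPath $dropPath -Force -ErrorAction Stop
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No W32/Rbot-AFB persistence artefacts found."
} else {
    $findings | Format-Table -AutoSize
}
```

Run it without switches first to see what it reports; add -RemoveIfFound only once the file has been captured for analysis, since deleting it destroys the sample. Two caveats: the RunServices key is honoured only by Windows 9x/Me, so on NT-based hosts the HKLM and HKCU Run values are the ones that matter; and on the Windows 2000/XP machines this alert targeted, which predate PowerShell, the same checks are `reg query` on the three keys and `dir /a %SystemRoot%\System32\Sygate.exe`. The Sophos IDE remains the authoritative detection; this script only confirms the startup hooks the alert describes.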