[virusinfo] W32/Rbot-AFN

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Mon, 13 Jun 2005 12:25:57 -0700

From: Sophos Alert System:

Name: W32/Rbot-AFN
Aliases: WORM_RBOT.BCL, Backdoor.Win32.Rbot.gen, W32.Spybot.Worm
Type: Win32 worm
Date: 13 June 2005

Sophos has issued protection for W32/Rbot-AFN.

At the time of writing, Sophos has received a small number of
reports of this worm from the wild.

Customers using EM Library, Enterprise Console, PureMessage or
any of our Sophos small business solutions will be automatically
protected at their next scheduled update.


Information about W32/Rbot-AFN can be found at:
http://www.sophos.com/virusinfo/analyses/w32rbotafn.html

W32/Rbot-AFN is a network worm with backdoor functionality for the Windows
platform.

W32/Rbot-AFN may spread to remote network shares protected by weak passwords
and computers vulnerable to common exploits. The worm also opens up a backdoor,
allowing unauthorised remote access to infected computers via the IRC network,
while running in the background as a service process. The worm exploits the
following vulnerabilities: RPC-DCOM (MS04-012), LSASS (MS04-011), WebDAV
(MS03-007), UPnP (MS01-059), DameWare (CAN-2003-1030) and MSSQL (MS02-039), and
backdoors opened by the following worms and Trojans: Troj/Kuang, Troj/Sub7,
Troj/NetDevil, Troj/Optix, W32/MyDoom and W32/Bagle. For patches for these
vulnerabilities, see:

MS04-011
MS04-012
MS03-007
MS01-059
MS02-039

W32/Rbot-AFN can receive commands from a remote intruder to delete network
shares, log keypresses, participate in DDoS attacks, scan other computers for
vulnerabilities, steal passwords, steal registration keys for computer games,
create administrator accounts, terminate firewall and anti-virus processes and
capture video from webcams attached to the computer.

When first run, W32/Rbot-AFN copies itself to <Windows system folder>\winlog.exe.

The following registry entries are created to run winlog.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Windows Login Service
  winlog.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
  Windows Login Service
  winlog.exe

Registry entries are set as follows:

HKCU\Software\Microsoft\OLE
  Windows Login Service
  winlog.exe

The W32/Rbot-AFN virus identity file (IDE) includes detection for:

Troj/Multidr-DN
http://www.sophos.com/virusinfo/analyses/trojmultidrdn.html
Troj/Lineage-P
http://www.sophos.com/virusinfo/analyses/trojlineagep.html
Troj/Lineage-Q
http://www.sophos.com/virusinfo/analyses/trojlineageq.html
Troj/JUSteal-A
http://www.sophos.com/virusinfo/analyses/trojjusteala.html
W32/Nopir-D
http://www.sophos.com/virusinfo/analyses/w32nopird.html
WM97/Ludeno-A
http://www.sophos.com/virusinfo/analyses/wm97ludenoa.html
Troj/Stydler-A
http://www.sophos.com/virusinfo/analyses/trojstydlera.html

Customers with 3.xx or lower versions of Sophos Anti-Virus, 
who are not running EM Library, can manually download the IDE
for W32/Rbot-AFN from:

http://www.sophos.com/downloads/ide/rbot-afn.ide

Read about how to use IDE files at
http://www.sophos.com/support/knowledgebase/article/363.html

*********** MIKE'S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 
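The following PowerShell check is an added example, not part of the Sophos alert or of Mike's post. It looks for the persistence indicators the alert lists: the "Windows Login Service" value under the two Run keys and under HKCU\Software\Microsoft\OLE, the dropped copy at <Windows system folder>\winlog.exe (assumed here to be %SystemRoot%\System32), and a running winlog process. The function name Test-RbotAfnIndicators and the output layout are my own; the value name and file name are taken from the alert exactly as written. Run it from an elevated PowerShell (4.0 or later, for Get-FileHash).

```powershell
# Added example: host check for the W32/Rbot-AFN persistence indicators
# named in the Sophos alert. Not Sophos code. Assumes the indicators are
# exactly as the alert gives them and that the "Windows system folder"
# is %SystemRoot%\System32.

$valueName = 'Windows Login Service'
$fileName  = 'winlog.exe'
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\OLE'
)

function Test-RbotAfnIndicators {
    $findings = @()

    # 1. Registry: a value named "Windows Login Service" under any of the
    #    three keys. Record whether its data points at winlog.exe.
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -ne $item -and ($item.PSObject.Properties.Name -contains $valueName)) {
            $data = $item.$valueName
            $findings += [pscustomobject]@{
                Indicator = 'Registry'
                Location  = "$key\$valueName"
                Value     = $data
                Match     = ($data -match [regex]::Escape($fileName))
            }
        }
    }

    # 2. File: the dropped copy in the system folder. Hash it so the
    #    sample can be matched against the vendor analysis later.
    $dropPath = Join-Path $env:SystemRoot "System32\$fileName"
    if (Test-Path $dropPath) {
        $hash = (Get-FileHash -Path $dropPath -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{
            Indicator = 'File'
            Location  = $dropPath
            Value     = "SHA256 $hash"
            Match     = $true
        }
    }

    # 3. Process: the worm runs in the background, so check for a live
    #    winlog process and note where its image was loaded from.
    $procName = [IO.Path]::GetFileNameWithoutExtension($fileName)
    $procs = Get-Process -Name $procName -ErrorAction SilentlyContinue
    foreach ($p in $procs) {
        $findings += [pscustomobject]@{
            Indicator = 'Process'
            Location  = "PID $($p.Id)"
            Value     = $p.Path
            Match     = $true
        }
    }

    return $findings
}

$results = Test-RbotAfnIndicators
if ($results.Count -eq 0) {
    Write-Output "No W32/Rbot-AFN persistence indicators found on $env:COMPUTERNAME."
} else {
    $results | Format-Table -AutoSize
}
```

A clean result here does not clear the host: the alert says the worm terminates firewall and anti-virus processes and can create administrator accounts, so after this check also confirm the security software is still running and review local Administrators group membership before trusting the machine. The registry value is only reported with Match = True when its data actually references winlog.exe; an entry named "Windows Login Service" pointing elsewhere is still listed, since the name itself is not a legitimate Windows autorun.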