[virusinfo] W32/Rbot-AFP

• From: "Mike" <mikebike@xxxxxxxxx>
• To: virusinfo@xxxxxxxxxxxxx
• Date: Fri, 17 Jun 2005 08:32:21 -0700

From; Sophos Alert System:

Name: W32/Rbot-AFP
Aliases: W32/Sdbot.worm.gen.bg,  Backdoor.Win32.Rbot.pj, WORM_RBOT.BOD,
W32.Spybot.Worm
Type: Win32 worm
Date: 17 June 2005

Sophos has issued protection for W32/Rbot-AFP.

At the time of writing, Sophos has received no reports from
users affected by this worm. However, we have issued this
advisory following enquiries to our support department from
customers.

Customers using EM Library, Enterprise Console, PureMessage or
any of our Sophos small business solutions will be automatically
protected at their next scheduled update.


Information about W32/Rbot-AFP can be found at:
http://www.sophos.com/virusinfo/analyses/w32rbotafp.html

W32/Rbot-AFP is a worm and IRC backdoor Trojan for the Windows platform. 
W32/Rbot-AFP runs continuously in the background, providing a backdoor server 
which allows a remote intruder to gain access to and control over the computer 
via IRC channels. 
W32/Rbot-AFP spreads to network computers protected by weak passwords and 
through the following software vulnerabilities: 
LSASS and IIS5SSL (MS04-011)
RPC-DCOM (MS04-012)
weak administrator accounts on Microsoft SQL servers 
When first run W32/Rbot-AFP copies itself to <System>\wintnask32.exe and sets 
the following registry entries to run itself on startup: 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
wintnask32.exe
wintnask32.exe 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
wintnask32.exe
wintnask32.exe 
The following registry entries are also set: 
HKCU\Software\Microsoft\OLE
wintnask32.exe
wintnask32.exe 
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N 
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1 
The following patches for the operating system vulnerabilities exploited by 
W32/Rbot-AFP can be obtained from the Microsoft website: 
MS04-011
MS04-012 
 

The W32/Rbot-AFP virus identity file (IDE) includes detection for:


Troj/Feutel-I
http://www.sophos.com/virusinfo/analyses/trojfeuteli.html
Troj/ServU-AX
http://www.sophos.com/virusinfo/analyses/trojservuax.html
Troj/Klutz-A
http://www.sophos.com/virusinfo/analyses/trojklutza.html
Troj/Slanret-B
http://www.sophos.com/virusinfo/analyses/trojslanretb.html

Customers with 3.xx or lower versions of Sophos Anti-Virus, 
who are not running EM Library, can manually download the IDE
for W32/Rbot-AFP from:

http://www.sophos.com/downloads/ide/rbot-afp.ide

Read about how to use IDE files at
http://www.sophos.com/support/knowledgebase/article/363.html


*********** MIKE"S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 

Other related posts:

• » [virusinfo] W32/Rbot-AFP

1. Home
2. virusinfo
3. Archive
4. 06-2005

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---