From: Sophos Alert System

Name: W32/Rbot-AFR
Type: Win32 worm
Date: 20 June 2005

Sophos has issued protection for W32/Rbot-AFR. At the time of writing, Sophos has received no reports from users affected by this worm. However, we have issued this advisory following enquiries to our support department from customers.

Customers using EM Library, Enterprise Console, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update.

Information about W32/Rbot-AFR can be found at:
http://www.sophos.com/virusinfo/analyses/w32rbotafr.html

W32/Rbot-AFR is a network worm and IRC backdoor Trojan for the Windows platform.

W32/Rbot-AFR spreads using a variety of techniques including exploiting weak passwords on computers and exploiting operating system vulnerabilities including:

  WKS (MS03-049)
  WebDav (MS03-007)

W32/Rbot-AFR can be controlled by a remote attacker over IRC channels. The backdoor component of W32/Rbot-AFR can be instructed by a remote user to perform a list of functions including:

  start an FTP server
  start a web server
  take part in distributed denial of service (DDoS) attacks
  log keypresses
  capture screen/webcam images
  packet sniffing
  port scanning
  steal CD keys
  download/execute arbitrary files
  start a remote shell (RLOGIN)

When first run W32/Rbot-AFR copies itself to <System>\syspci32.exe.

The following registry entries are created to run syspci32.exe on startup:

  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    System32 PCI Manager = syspci32.exe

  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    System32 PCI Manager = syspci32.exe

Registry entries are set as follows:

  HKCU\Software\Microsoft\OLE
    System32 PCI Manager = syspci32.exe

  HKLM\SOFTWARE\Microsoft\Ole
    EnableDCOM = N

  HKLM\SYSTEM\CurrentControlSet\Control\Lsa
    restrictanonymous = 1

The following patches for the operating system vulnerabilities exploited by W32/Rbot-AFR can be obtained from the Microsoft website at:

  MS03-049
  MS03-007

The W32/Rbot-AFR virus identity file (IDE) includes detection for:

  Troj/Zlob-F      http://www.sophos.com/virusinfo/analyses/trojzlobf.html
  W32/Rbot-AFS     http://www.sophos.com/virusinfo/analyses/w32rbotafs.html
  Troj/LowZone-AJ  http://www.sophos.com/virusinfo/analyses/trojlowzoneaj.html
  W32/Sdbot-ZQ     http://www.sophos.com/virusinfo/analyses/w32sdbotzq.html
  W32/Sdbot-ZP     http://www.sophos.com/virusinfo/analyses/w32sdbotzp.html
  Troj/Rider-S     http://www.sophos.com/virusinfo/analyses/trojriders.html
  Troj/Warspy-D    http://www.sophos.com/virusinfo/analyses/trojwarspyd.html

Customers with 3.xx or lower versions of Sophos Anti-Virus, who are not running EM Library, can manually download the IDE for W32/Rbot-AFR from:
http://www.sophos.com/downloads/ide/rbot-afr.ide

Read about how to use IDE files at
http://www.sophos.com/support/knowledgebase/article/363.html

*********** MIKE'S REPLY SEPARATOR ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews, see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages
http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
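As an added example (not part of the Sophos advisory or of Mike's message), a small Python check that parses the text produced by `reg export` (the .reg format) and reports which of the registry indicators listed in the advisory are present; it assumes only REG_SZ and REG_DWORD data need decoding, and the export embedded below is a constructed sample, not a real capture.

```python
import re
# Registry indicators listed in the advisory above for W32/Rbot-AFR
# (keys and value names compared case-insensitively, data exactly).
HKLM, HKCU = "HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER"
RUN = r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RBOT_AFR_INDICATORS = [
    (HKLM + RUN, "System32 PCI Manager", "syspci32.exe"),
    (HKLM + RUN + "Services", "System32 PCI Manager", "syspci32.exe"),
    (HKCU + r"\Software\Microsoft\OLE", "System32 PCI Manager", "syspci32.exe"),
    (HKLM + r"\SOFTWARE\Microsoft\Ole", "EnableDCOM", "N"),
    (HKLM + r"\SYSTEM\CurrentControlSet\Control\Lsa", "restrictanonymous", 1),
]
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)+)"=(.*)$')  # "name"=data

def _decode(raw):
    # Quoted REG_SZ and dword:XXXXXXXX are decoded; other types are kept raw.
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw

def parse_reg_export(text):
    # Parse 'reg export' / .reg text into {key_lower: {name_lower: value}}.
    hives, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = hives.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := _VALUE_RE.match(line)):
            current[m.group(1).lower()] = _decode(m.group(2))
    return hives

def find_rbot_afr_indicators(text):
    # Return (key, name, value) triples from the export that match the advisory.
    hives, hits = parse_reg_export(text), []
    for key, name, expected in RBOT_AFR_INDICATORS:
        value = hives.get(key.lower(), {}).get(name.lower())
        if value is not None and str(value).lower() == str(expected).lower():
            hits.append((key, name, value))
    return hits

# Constructed sample export (not a real capture) from an infected host.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"System32 PCI Manager"="syspci32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001
"""
```

On a live host, feed it the output of `reg export HKLM hklm.reg` (and the same for HKCU); a hit on EnableDCOM=N or restrictanonymous=1 alone is weak evidence, since administrators set those too, but together with the Run entry it matches the advisory's description.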