[virusinfo] W32/Rbot-AFR

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Mon, 20 Jun 2005 08:55:52 -0700


From: Sophos Alert System:

Name: W32/Rbot-AFR
Type: Win32 worm
Date: 20 June 2005

Sophos has issued protection for W32/Rbot-AFR.

At the time of writing, Sophos has received no reports from
users affected by this worm. However, we have issued this
advisory following enquiries to our support department from
customers.

Customers using EM Library, Enterprise Console, PureMessage or
any of our Sophos small business solutions will be automatically
protected at their next scheduled update.


Information about W32/Rbot-AFR can be found at:
http://www.sophos.com/virusinfo/analyses/w32rbotafr.html

W32/Rbot-AFR is a network worm and IRC backdoor Trojan for the Windows
platform.

W32/Rbot-AFR spreads using a variety of techniques including exploiting weak
passwords on computers and exploiting operating system vulnerabilities
including:

  • WKS (MS03-049)
  • WebDav (MS03-007)

W32/Rbot-AFR can be controlled by a remote attacker over IRC channels. The
backdoor component of W32/Rbot-AFR can be instructed by a remote user to
perform a list of functions including:

  • start an FTP server
  • start a web server
  • take part in distributed denial of service (DDoS) attacks
  • log keypresses
  • capture screen/webcam images
  • packet sniffing
  • port scanning
  • steal CD keys
  • download/execute arbitrary files
  • start a remote shell (RLOGIN)

When first run W32/Rbot-AFR copies itself to <System>\syspci32.exe.

The following registry entries are created to run syspci32.exe on startup:

  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    System32 PCI Manager = syspci32.exe

  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    System32 PCI Manager = syspci32.exe

Registry entries are set as follows:

  HKCU\Software\Microsoft\OLE
    System32 PCI Manager = syspci32.exe

  HKLM\SOFTWARE\Microsoft\Ole
    EnableDCOM = N

  HKLM\SYSTEM\CurrentControlSet\Control\Lsa
    restrictanonymous = 1

The following patches for the operating system vulnerabilities exploited by
W32/Rbot-AFR can be obtained from the Microsoft website at:

  • MS03-049
  • MS03-007

The W32/Rbot-AFR virus identity file (IDE) includes detection for:

Troj/Zlob-F
http://www.sophos.com/virusinfo/analyses/trojzlobf.html
W32/Rbot-AFS
http://www.sophos.com/virusinfo/analyses/w32rbotafs.html
Troj/LowZone-AJ
http://www.sophos.com/virusinfo/analyses/trojlowzoneaj.html
W32/Sdbot-ZQ
http://www.sophos.com/virusinfo/analyses/w32sdbotzq.html
W32/Sdbot-ZP
http://www.sophos.com/virusinfo/analyses/w32sdbotzp.html
Troj/Rider-S
http://www.sophos.com/virusinfo/analyses/trojriders.html
Troj/Warspy-D
http://www.sophos.com/virusinfo/analyses/trojwarspyd.html

Customers with 3.xx or lower versions of Sophos Anti-Virus, 
who are not running EM Library, can manually download the IDE
for W32/Rbot-AFR from:

http://www.sophos.com/downloads/ide/rbot-afr.ide

Read about how to use IDE files at
http://www.sophos.com/support/knowledgebase/article/363.html

*********** MIKE'S REPLY SEPARATOR ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
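An added host-check script, not part of the Sophos advisory or Mike's post, that looks on a Windows machine for the file and registry artefacts the advisory lists (the <System>\syspci32.exe copy, the "System32 PCI Manager" Run/RunServices/OLE values, and the EnableDCOM and restrictanonymous settings). It assumes an elevated PowerShell session; the two hardening-style values are reported as corroborating only, since an administrator can set them legitimately.

```powershell
# Added example: read-only triage check for the W32/Rbot-AFR artefacts
# listed in the advisory. Assumes an elevated PowerShell session.

# <System> as used in the advisory, e.g. C:\Windows\System32
$systemDir = [Environment]::GetFolderPath('System')
$dropPath  = Join-Path $systemDir 'syspci32.exe'

# Each check: registry key, value name, regex the value data must match,
# and whether a match is a strong indicator or only corroborating.
$checks = @(
    @{ Key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';
       Name='System32 PCI Manager'; Pattern='syspci32\.exe$'; Weight='strong' },
    @{ Key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices';
       Name='System32 PCI Manager'; Pattern='syspci32\.exe$'; Weight='strong' },
    @{ Key='HKCU:\Software\Microsoft\OLE';
       Name='System32 PCI Manager'; Pattern='syspci32\.exe$'; Weight='strong' },
    @{ Key='HKLM:\SOFTWARE\Microsoft\Ole';
       Name='EnableDCOM';       Pattern='^N$'; Weight='corroborating' },
    @{ Key='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';
       Name='restrictanonymous'; Pattern='^1$'; Weight='corroborating' }
)

$findings = @()

# 1. The dropped executable in the system directory.
if (Test-Path -LiteralPath $dropPath) {
    $findings += "[strong] file present: $dropPath"
}

# 2. The registry values. Get-ItemProperty returns $null (silently) when the
#    key or value is absent, so a missing entry is simply not a finding.
foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }
    $data = "$($item.($c.Name))"          # stringify DWORD/REG_SZ alike
    if ($data -match $c.Pattern) {         # -match is case-insensitive
        $findings += "[$($c.Weight)] $($c.Key) [$($c.Name)] = $data"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Rbot-AFR artefacts from the advisory were found.'
} else {
    Write-Output 'Artefacts consistent with W32/Rbot-AFR:'
    $findings | ForEach-Object { Write-Output "  $_" }
    Write-Output 'Isolate the host from the network and scan with updated IDEs before cleanup.'
}
```

Only a "strong" finding (the file or one of the syspci32.exe Run values) points at this worm; the corroborating values alone should prompt a look at change history rather than a verdict.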