From: Sophos Alert System

Name: W32/Rbot-AFV
Aliases: Backdoor.Win32.Rbot.sr
Type: Win32 worm
Date: 21 June 2005

Sophos has issued protection for W32/Rbot-AFV. At the time of writing, Sophos has received a small number of reports of this worm from the wild.

Customers using EM Library, Enterprise Console, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update.

Information about W32/Rbot-AFV can be found at:
http://www.sophos.com/virusinfo/analyses/w32rbotafv.html

W32/Rbot-AFV is an internet worm and IRC backdoor Trojan for the Windows platform.

W32/Rbot-AFV spreads to other network computers by exploiting the buffer overflow vulnerabilities LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) and MSSQL (MS02-039) and by copying itself to network shares protected by weak passwords.

W32/Rbot-AFV runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

W32/Rbot-AFV includes functionality to:
- steal confidential information
- carry out DDoS flooder attacks
- silently download, install and run new software, including updates of its software

When first run W32/Rbot-AFV moves itself to the Windows system folder using a random filename and creates the following registry entries to ensure it is run at system logon:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AIM Instant Message Cookies
<random name>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
AIM Instant Message Cookies
<random name>

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
AIM Instant Message Cookies
<random name>

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
AIM Instant Message Cookies
<random name>

W32/Rbot-AFV creates the following registry entries:

HKLM\SOFTWARE\Microsoft\Ole
AIM Instant Message Cookies
<random name>

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
AIM Instant Message Cookies
<random name>

HKCU\Software\Microsoft\OLE
AIM Instant Message Cookies
<random name>

HKCU\SYSTEM\CurrentControlSet\Control\Lsa
AIM Instant Message Cookies
<random name>

W32/Rbot-AFV also sets the following registry entries:

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

The following patches for the operating system vulnerabilities exploited by W32/Rbot-AFV can be obtained from the Microsoft website:
- MS04-011
- MS04-012
- MS03-049
- MS02-039

The W32/Rbot-AFV virus identity file (IDE) includes detection for:

W32/Rbot-AFU
http://www.sophos.com/virusinfo/analyses/w32rbotafu.html

Troj/Dloader-PE
http://www.sophos.com/virusinfo/analyses/trojdloaderpe.html

Troj/Dloader-PD
http://www.sophos.com/virusinfo/analyses/trojdloaderpd.html

W32/Mepad-A
http://www.sophos.com/virusinfo/analyses/w32mepada.html

W32/Agobot-APJ
http://www.sophos.com/virusinfo/analyses/w32agobotapj.html

Troj/Smlog-A
http://www.sophos.com/virusinfo/analyses/trojsmloga.html

W32/Spybot-DP
http://www.sophos.com/virusinfo/analyses/w32spybotdp.html

Troj/Bdoor-IP
http://www.sophos.com/virusinfo/analyses/trojbdoorip.html

Troj/Bancos-DA
http://www.sophos.com/virusinfo/analyses/trojbancosda.html

Customers with 3.xx or lower versions of Sophos Anti-Virus, who are not running EM Library, can manually download the IDE for W32/Rbot-AFV from:
http://www.sophos.com/downloads/ide/rbot-afv.ide

Read about how to use IDE files at
http://www.sophos.com/support/knowledgebase/article/363.html

*********** MIKE'S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews
see a sample on my web page http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
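The registry artefacts in the alert (the "AIM Instant Message Cookies" value written under the Run/RunServices, Ole and Lsa keys, plus EnableDCOM set to N and restrictanonymous set to 1) are the kind of thing an administrator wants to check for on a host that may have been hit. The PowerShell script below is an added example written for this post; it is not code from Sophos or from the alert. It only reads the keys and value names exactly as the alert lists them and reports what it finds, hashing any referenced autorun file so the hash can be submitted for analysis. It assumes PowerShell 4.0 or later (for Get-FileHash) and an elevated session so the HKLM keys are readable.

```powershell
# Added example, not from the Sophos alert: read-only audit of a Windows host
# for the registry artefacts the W32/Rbot-AFV alert lists. Run elevated.

$ValueName = 'AIM Instant Message Cookies'   # value name given in the alert

# Keys where the alert says the worm writes a value called $ValueName
$MarkerKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\SOFTWARE\Microsoft\Ole',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
    'HKCU:\Software\Microsoft\OLE',
    'HKCU:\SYSTEM\CurrentControlSet\Control\Lsa'
)

# Settings the alert says the worm changes, and the data it sets them to
$ChangedSettings = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Ole';               Name = 'EnableDCOM';        Bad = 'N' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'restrictanonymous'; Bad = 1   }
)

$Findings = New-Object System.Collections.Generic.List[object]

# 1. Look for the marker/autorun value under each listed key.
foreach ($Key in $MarkerKeys) {
    if (-not (Test-Path -Path $Key)) { continue }   # key absent on this host
    $Item = Get-ItemProperty -Path $Key -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $Item) { continue }               # value not present under this key
    $Data = $Item.$ValueName
    $Note = 'Value name from the W32/Rbot-AFV alert is present'

    # Autorun entries hold a command line; the alert says it points at a copy
    # with a random name in the Windows system folder. Hash it if it exists.
    if ($Key -match '\\Run(Services)?$' -and $Data) {
        $Exe = ([string]$Data).Trim('"')
        if (Test-Path -LiteralPath $Exe -PathType Leaf) {
            $Hash = (Get-FileHash -LiteralPath $Exe -Algorithm SHA256).Hash
            $Note += "; file present, SHA256=$Hash"
        } else {
            $Note += '; referenced file not found at that path'
        }
    }
    $Findings.Add([pscustomobject]@{ Key = $Key; Name = $ValueName; Data = $Data; Note = $Note })
}

# 2. Check the two settings the alert says the worm modifies.
foreach ($S in $ChangedSettings) {
    if (-not (Test-Path -Path $S.Key)) { continue }
    $Item = Get-ItemProperty -Path $S.Key -Name $S.Name -ErrorAction SilentlyContinue
    if ($null -eq $Item) { continue }
    $Current = $Item.($S.Name)
    if ("$Current" -eq "$($S.Bad)") {
        # restrictanonymous=1 is also a legitimate hardening setting, so on its
        # own this is only corroborating evidence; weigh it with the marker values.
        $Findings.Add([pscustomobject]@{
            Key  = $S.Key; Name = $S.Name; Data = $Current
            Note = 'Matches the data the alert says the worm sets (review; may be deliberate policy)'
        })
    }
}

if ($Findings.Count -eq 0) {
    Write-Output 'No W32/Rbot-AFV registry artefacts from the alert were found.'
} else {
    $Findings | Format-Table -AutoSize -Wrap
}
```

The script deliberately does not delete anything: a hit on the marker value is a reason to isolate the host, update the scanner and let it clean the infection, not to hand-edit the registry. The HKCU keys are read for the user running the script only; run it under each account that logs on to the machine, since the alert lists per-user Run/RunServices entries as well as the machine-wide ones.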