[virusinfo] W32/Rbot-AFV
- From: "Mike" <mikebike@xxxxxxxxx>
- To: virusinfo@xxxxxxxxxxxxx
- Date: Tue, 21 Jun 2005 08:16:04 -0700
From; Sophos Alert System:
Name: W32/Rbot-AFV
Aliases: Backdoor.Win32.Rbot.sr
Type: Win32 worm
Date: 21 June 2005
Sophos has issued protection for W32/Rbot-AFV.
At the time of writing, Sophos has received a small number of
reports of this worm from the wild.
Customers using EM Library, Enterprise Console, PureMessage or
any of our Sophos small business solutions will be automatically
protected at their next scheduled update.
Information about W32/Rbot-AFV can be found at:
http://www.sophos.com/virusinfo/analyses/w32rbotafv.html
W32/Rbot-AFV is an internet worm and IRC backdoor Trojan for the Windows
platform.
W32/Rbot-AFV spreads to other network computers by exploiting the buffer
overflow vulnerabilites LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049)
and MSSQL (MS02-039) and by copying itself to network shares protected by weak
passwords.
W32/Rbot-AFV runs continuously in the background, providing a backdoor server
which allows a remote intruder to gain access and control over the computer via
IRC channels.
W32/Rbot-AFV includes functionality to:
- steal confidential information
- carry out DDoS flooder attacks
- silently download, install and run new software, including updates of its
software
When first run W32/Rbot-AFV moves itself to the Windows system folder using a
random filename and creates the following registry entries to ensure it is run
at system logon:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AIM Instant Message Cookies
<random name>
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
AIM Instant Message Cookies
<random name>
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
AIM Instant Message Cookies
<random name>
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
AIM Instant Message Cookies
<random name>
W32/Rbot-AFV creates the following registry entries:
HKLM\SOFTWARE\Microsoft\Ole
AIM Instant Message Cookies
<random name>
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
AIM Instant Message Cookies
<random name>
HKCU\Software\Microsoft\OLE
AIM Instant Message Cookies
<random name>
HKCU\SYSTEM\CurrentControlSet\Control\Lsa
AIM Instant Message Cookies
<random name>
W32/Rbot-AFV also sets the following registry entries:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1
The following patches for the operating system vulnerabilities exploited by
W32/Rbot-AFV can be obtained from the Microsoft website:
MS04-011
MS04-012
MS03-049
MS02-039
The W32/Rbot-AFV virus identity file (IDE) includes detection for:
W32/Rbot-AFU
http://www.sophos.com/virusinfo/analyses/w32rbotafu.html
Troj/Dloader-PE
http://www.sophos.com/virusinfo/analyses/trojdloaderpe.html
Troj/Dloader-PD
http://www.sophos.com/virusinfo/analyses/trojdloaderpd.html
W32/Mepad-A
http://www.sophos.com/virusinfo/analyses/w32mepada.html
W32/Agobot-APJ
http://www.sophos.com/virusinfo/analyses/w32agobotapj.html
Troj/Smlog-A
http://www.sophos.com/virusinfo/analyses/trojsmloga.html
W32/Spybot-DP
http://www.sophos.com/virusinfo/analyses/w32spybotdp.html
Troj/Bdoor-IP
http://www.sophos.com/virusinfo/analyses/trojbdoorip.html
Troj/Bancos-DA
http://www.sophos.com/virusinfo/analyses/trojbancosda.html
Customers with 3.xx or lower versions of Sophos Anti-Virus,
who are not running EM Library, can manually download the IDE
for W32/Rbot-AFV from:
http://www.sophos.com/downloads/ide/rbot-afv.ide
Read about how to use IDE files at
http://www.sophos.com/support/knowledgebase/article/363.html
*********** MIKE"S REPLY SEPARATOR ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
Other related posts:
- » [virusinfo] W32/Rbot-AFV
