From: Sophos Alert System

Name: W32/Rbot-AGA
Type: Win32 worm
Date: 14 June 2005

Sophos has issued protection for W32/Rbot-AGA. At the time of writing, Sophos has received a small number of reports of this worm from the wild.

Customers using EM Library, Enterprise Console, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update.

Information about W32/Rbot-AGA can be found at:
http://www.sophos.com/virusinfo/analyses/w32rbotaga.html

W32/Rbot-AGA is a network worm with backdoor functionality for the Windows platform.

The worm copies itself to a file named taskemngr.exe in the Windows system folder and creates the following registry entries (key, value name, value data):

HKCU\Software\Microsoft\OLE
    Task manager -> taskemngr.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Task manager -> taskemngr.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Task manager -> taskemngr.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    Task manager -> taskemngr.exe

W32/Rbot-AGA spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers, exploiting operating system vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using backdoors opened by other worms or Trojans.

W32/Rbot-AGA can be controlled by a remote attacker over IRC channels.
The backdoor component of W32/Rbot-AGA can be instructed by a remote user to perform the following functions:

- start an FTP server
- start a proxy server
- start a web server
- take part in distributed denial of service (DDoS) attacks
- log keypresses
- capture screen/webcam images
- packet sniffing
- port scanning
- download/execute arbitrary files
- start a remote shell (RLOGIN)
- steal product registration information from certain software

Patches for the operating system vulnerabilities exploited by W32/Rbot-AGA can be obtained from Microsoft at:

- MS04-011
- MS04-012
- MS03-007
- MS01-059

The W32/Rbot-AGA virus identity file (IDE) includes detection for:

Troj/Dnet-B
http://www.sophos.com/virusinfo/analyses/trojdnetb.html

Troj/CoreFloo-K
http://www.sophos.com/virusinfo/analyses/trojcoreflook.html

Troj/Sympe-B
http://www.sophos.com/virusinfo/analyses/trojsympeb.html

Troj/Rider-R
http://www.sophos.com/virusinfo/analyses/trojriderr.html

Troj/Zapchas-L
http://www.sophos.com/virusinfo/analyses/trojzapchasl.html

W32/Mytob-BJ
http://www.sophos.com/virusinfo/analyses/w32mytobbj.html

Troj/ServuRR-A
http://www.sophos.com/virusinfo/analyses/trojservurra.html

Troj/QQRob-AM
http://www.sophos.com/virusinfo/analyses/trojqqrobam.html

Troj/Banker-DG
http://www.sophos.com/virusinfo/analyses/trojbankerdg.html

Troj/Dloader-OW
http://www.sophos.com/virusinfo/analyses/trojdloaderow.html

Troj/Dloader-OX
http://www.sophos.com/virusinfo/analyses/trojdloaderox.html

Customers with 3.xx or lower versions of Sophos Anti-Virus, who are not running EM Library, can manually download the IDE for W32/Rbot-AGA from:
http://www.sophos.com/downloads/ide/rbot-aga.ide

Read about how to use IDE files at
http://www.sophos.com/support/knowledgebase/article/363.html

*********** MIKE'S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.
Editor, MikesWhatsNews. See a sample on my web page:
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>

http://www3.telus.net/mikebike/worm_removal.htm

See my Anti-Virus pages:
http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>

A Technical Support Alliance and OWTA Charter Member