From: Sophos Alert System

Name: W32/Rbot-AGP
Aliases: W32/Sdbot.worm.gen.bj, Backdoor.Win32.IRCBot.cj
Type: Win32 worm
Date: 29 June 2005

Sophos has issued protection for W32/Rbot-AGP. At the time of writing, Sophos has received a small number of reports of this worm from the wild.

Customers using EM Library, Enterprise Console, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update.

Information about W32/Rbot-AGP can be found at:
http://www.sophos.com/virusinfo/analyses/w32rbotagp.html

W32/Rbot-AGP is a worm with backdoor functionality for the Windows platform that spreads to other network computers by exploiting a number of known vulnerabilities and by copying itself to network shares protected by weak passwords.

W32/Rbot-AGP runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels. W32/Rbot-AGP includes functionality to access the internet and communicate with a remote server via HTTP.

Once executed, W32/Rbot-AGP moves itself to the file <Windows system folder>\scrnsaver.scr and, in order to run automatically when Windows starts up, sets the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Screen Saver
scrnsaver.scr

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Screen Saver
scrnsaver.scr

When W32/Rbot-AGP is installed it creates the file <Windows system folder>\svkp.sys, which is a legitimate driver for NT-based systems. The file SVKP.sys is registered as a new system driver service named "SVKP", with a display name of "SVKP" and a startup type of automatic, so that it is started automatically during system startup.

Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\SVKP\

The W32/Rbot-AGP virus identity file (IDE) includes detection for:

Troj/Padfeed-A
http://www.sophos.com/virusinfo/analyses/trojpadfeeda.html

Troj/Chorus-A
http://www.sophos.com/virusinfo/analyses/trojchorusa.html

Troj/DcmDown-A
http://www.sophos.com/virusinfo/analyses/trojdcmdowna.html

Troj/Dcmbot-C
http://www.sophos.com/virusinfo/analyses/trojdcmbotc.html

Troj/Dropload-A
http://www.sophos.com/virusinfo/analyses/trojdroploada.html

Troj/Psyme-BZ
http://www.sophos.com/virusinfo/analyses/trojpsymebz.html

Troj/Zonit-F
http://www.sophos.com/virusinfo/analyses/trojzonitf.html

Customers with 3.xx or lower versions of Sophos Anti-Virus, who are not running EM Library, can manually download the IDE for W32/Rbot-AGP from:
http://www.sophos.com/downloads/ide/rbot-agp.ide

Read about how to use IDE files at
http://www.sophos.com/support/knowledgebase/article/363.html

*********** MIKE'S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews
see a sample on my web page http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
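The persistence indicators in the alert above (the "Screen Saver" autorun values pointing at scrnsaver.scr, and the SVKP service key) can be checked offline against an exported registry hive. The following is an added example, not a Sophos tool and not part of the forwarded alert: it parses .reg export text (as produced by `reg export` or Regedit) and reports the entries the advisory lists. The sample export embedded in the block is constructed for illustration. Note that the advisory describes svkp.sys as a legitimate driver, so the SVKP service key on its own is a weak signal; the autorun entries are the stronger indicator and the two should be read together.

```python
import re

# Constructed sample of a Windows registry export (.reg text). It is NOT data
# from the alert; it mirrors the entries the advisory describes plus one
# unrelated autorun value to show that benign entries are not reported.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Screen Saver"="scrnsaver.scr"
"ExampleTray"="C:\\Program Files\\Example\\tray.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Screen Saver"="scrnsaver.scr"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SVKP]
"DisplayName"="SVKP"
"Start"=dword:00000002
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\svkp.sys"
'''

# Autorun keys named in the advisory (compared case-insensitively).
RUN_KEYS = (
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
)
# Service key the advisory says is created for the SVKP driver.
SVKP_KEY = r"hkey_local_machine\system\currentcontrolset\services\svkp"

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')


def parse_reg_export(text):
    """Parse .reg text into {key_path_lowercased: {value_name: raw_data}}.

    Only the subset of the .reg syntax needed here is handled: bracketed key
    headers and "name"=data lines. Comments and blank lines are skipped.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = m.group("data")
    return keys


def find_rbot_agp_indicators(text):
    """Return human-readable findings for the registry indicators in the alert."""
    keys = parse_reg_export(text)
    findings = []
    for key in RUN_KEYS:
        data = keys.get(key, {}).get("Screen Saver")
        if data is not None and "scrnsaver.scr" in data.lower():
            findings.append(f"autorun value 'Screen Saver' = {data} under {key}")
    if SVKP_KEY in keys:
        svc = keys[SVKP_KEY]
        # Start=dword:00000002 is SERVICE_AUTO_START, matching the advisory's
        # "startup type of automatic".
        findings.append(
            f"service key SVKP present (Start={svc.get('Start')}, "
            f"ImagePath={svc.get('ImagePath')})"
        )
    return findings


if __name__ == "__main__":
    for finding in find_rbot_agp_indicators(SAMPLE_REG_EXPORT):
        print("[!]", finding)
```

To use it on a real machine, export the two hives (for example `reg export HKLM\Software\Microsoft\Windows\CurrentVersion c:\cv.reg` and the corresponding export of `HKLM\SYSTEM\CurrentControlSet\Services`), concatenate the text, and pass it to `find_rbot_agp_indicators`. A hit on the autorun values plus the SVKP key should be followed by the removal guidance Sophos publishes for the worm rather than by hand-editing the registry alone, since the dropped scrnsaver.scr also needs to be removed.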