[virusinfo] W32/Rbot-AGP
- From: "Mike" <mikebike@xxxxxxxxx>
- To: virusinfo@xxxxxxxxxxxxx
- Date: Wed, 29 Jun 2005 14:25:03 -0700
From; Sophos Alert System:
Name: W32/Rbot-AGP
Aliases: W32/Sdbot.worm.gen.bj, Backdoor.Win32.IRCBot.cj
Type: Win32 worm
Date: 29 June 2005
Sophos has issued protection for W32/Rbot-AGP.
At the time of writing, Sophos has received a small number of
reports of this worm from the wild.
Customers using EM Library, Enterprise Console, PureMessage or
any of our Sophos small business solutions will be automatically
protected at their next scheduled update.
Information about W32/Rbot-AGP can be found at:
http://www.sophos.com/virusinfo/analyses/w32rbotagp.html
W32/Rbot-AGP is a worm with backdoor functionality for the Windows platform
that spreads to other network computers by exploiting a number of known
vulnerabilities and by copying itself to network shares protected by weak
passwords.
W32/Rbot-AGP runs continuously in the background, providing a backdoor server
which allows a remote intruder to gain access and control over the computer via
IRC channels.
W32/Rbot-AGP includes functionality to access the internet and communicate with
a remote server via HTTP.
Once executed W32/Rbot-AGP moves itself to the file <Windows system
folder>\scrnsaver.scr, and in order to be able to run automatically when
Windows starts up sets the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Screen Saver
scrnsaver.scr
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Screen Saver
scrnsaver.scr
When W32/Rbot-AGP is installed it creates the file <Windows system
folder>\svkp.sys which is a legitimate driver for NT based systems.
The file SVKP.sys is registered as a new system driver service named "SVKP",
with a display name of "SVKP" and a startup type of automatic, so that it is
started automatically during system startup. Registry entries are created
under:
HKLM\SYSTEM\CurrentControlSet\Services\SVKP\
The W32/Rbot-AGP virus identity file (IDE) includes detection for:
Troj/Padfeed-A
http://www.sophos.com/virusinfo/analyses/trojpadfeeda.html
Troj/Chorus-A
http://www.sophos.com/virusinfo/analyses/trojchorusa.html
Troj/DcmDown-A
http://www.sophos.com/virusinfo/analyses/trojdcmdowna.html
Troj/Dcmbot-C
http://www.sophos.com/virusinfo/analyses/trojdcmbotc.html
Troj/Dropload-A
http://www.sophos.com/virusinfo/analyses/trojdroploada.html
Troj/Psyme-BZ
http://www.sophos.com/virusinfo/analyses/trojpsymebz.html
Troj/Zonit-F
http://www.sophos.com/virusinfo/analyses/trojzonitf.html
Customers with 3.xx or lower versions of Sophos Anti-Virus,
who are not running EM Library, can manually download the IDE
for W32/Rbot-AGP from:
http://www.sophos.com/downloads/ide/rbot-agp.ide
Read about how to use IDE files at
http://www.sophos.com/support/knowledgebase/article/363.html
*********** MIKE"S REPLY SEPARATOR ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
Other related posts:
- » [virusinfo] W32/Rbot-AGP
