From: Sophos Alert System
Name: W32/Rbot-AGT
Type: Win32 worm
Date: 30 June 2005

Sophos has issued protection for W32/Rbot-AGT. At the time of writing, Sophos has received a small number of reports of this worm from the wild.

Customers using EM Library, Enterprise Console, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update.

Information about W32/Rbot-AGT can be found at:
http://www.sophos.com/virusinfo/analyses/w32rbotagt.html

W32/Rbot-AGT is a network worm with backdoor functionality for the Windows platform.

The worm copies itself to a file named scrsave.scr in the Windows system folder and creates the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MS Screen Saver
scrsave.scr

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MS Screen Saver
scrsave.scr

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
MS Screen Saver
scrsave.scr

W32/Rbot-AGT spreads using a variety of techniques, including exploiting weak passwords on computers and SQL servers, exploiting operating system vulnerabilities (including DCOM-RPC, LSASS and WKS) and using backdoors opened by other worms or Trojans.

W32/Rbot-AGT can be controlled by a remote attacker over IRC channels.
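The persistence described above (a value named "MS Screen Saver" pointing at scrsave.scr under the two Run keys and the RunServices key) is the part of this alert a responder can check for directly. The script below is an added example, not part of the Sophos alert or of Mike's message. It reads the three lines per key in the alert as key / value name / data, parses the text format that `reg export` writes (so it can be run offline against an export taken from a suspect machine) and flags any value under those keys that either carries the worm's value name or references scrsave.scr. When run on Windows it can also read the live keys through the standard `winreg` module; the registry export embedded in the script is constructed sample data.

```python
"""Check Windows autorun keys for the W32/Rbot-AGT persistence entry.

Added example, not from the Sophos alert. Works on a saved `reg export`
(.reg) file, or on the live registry when run on Windows.
"""
import re
import sys

# Indicators taken from the alert: value name, file name and the keys written.
RBOT_AGT_VALUE_NAME = "MS Screen Saver"
RBOT_AGT_FILE = "scrsave.scr"
RBOT_AGT_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    # RunServices is honoured by Windows 9x/Me; it is normally absent on NT-family systems.
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
_VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def _unescape(s):
    # .reg files escape a quote as \" and a backslash as \\
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Parse .reg text into {key: {value_name: data}}.

    Named REG_SZ values ("name"="data") are decoded; dword:/hex: values keep
    their raw text and the unnamed default value (@=...) is ignored.
    """
    result = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group("key")
            result.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            data = m.group("data")
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            result[current][_unescape(m.group("name"))] = data
    return result


def find_rbot_agt_entries(reg):
    """Return (key, value_name, data) for each autorun value matching the
    alert's indicators under the keys the worm writes."""
    hits = []
    for key in RBOT_AGT_KEYS:
        for name, data in reg.get(key, {}).items():
            if name.lower() == RBOT_AGT_VALUE_NAME.lower() or RBOT_AGT_FILE in data.lower():
                hits.append((key, name, data))
    return hits


def read_live_autoruns():
    """On Windows, read the same three keys via winreg; {} elsewhere."""
    try:
        import winreg
    except ImportError:
        return {}
    hives = {"HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER,
             "HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE}
    reg = {}
    for key in RBOT_AGT_KEYS:
        hive_name, _, subkey = key.partition("\\")
        try:
            handle = winreg.OpenKey(hives[hive_name], subkey)
        except OSError:
            continue  # key absent (e.g. RunServices on NT-family Windows)
        values, index = {}, 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(handle, index)
            except OSError:
                break  # no more values
            values[name] = str(data)
            index += 1
        winreg.CloseKey(handle)
        reg[key] = values
    return reg


# Constructed sample export: one benign entry per hive plus the worm's entry.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe /silent"
"MS Screen Saver"="scrsave.scr"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="C:\\Users\\user\\AppData\\Local\\Example\\tray.exe"
'''

if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to a saved .reg export
        with open(sys.argv[1], encoding="utf-16") as fh:
            reg = parse_reg_export(fh.read())
    else:
        reg = read_live_autoruns() or parse_reg_export(SAMPLE_EXPORT)
    for key, name, data in find_rbot_agt_entries(reg):
        print(f"W32/Rbot-AGT indicator: [{key}] \"{name}\" = {data}")
```

`reg export` writes UTF-16 with a BOM on current Windows versions, which is why the file path branch opens the export as utf-16; an export saved as ANSI needs the encoding changed. A match on the value name alone, without scrsave.scr in the data, is still worth examining, since the alert describes only the file name it saw at the time.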
The backdoor component of W32/Rbot-AGT can be instructed by a remote user to perform the following functions:

start an FTP server
start a Proxy server
start a web server
take part in distributed denial of service (DDoS) attacks
log keypresses
capture screen/webcam images
packet sniffing
port scanning
download/execute arbitrary files
start a remote shell (RLOGIN)
steal product registration information from certain software

Patches for the operating system vulnerabilities exploited by W32/Rbot-AGT can be obtained from Microsoft at:

MS01-059
MS03-007
MS03-049
MS04-011
MS04-012

The W32/Rbot-AGT virus identity file (IDE) includes detection for:

Troj/Singu-R
http://www.sophos.com/virusinfo/analyses/trojsingur.html
Troj/GWGhost-M
http://www.sophos.com/virusinfo/analyses/trojgwghostm.html
Troj/Dloader-PR
http://www.sophos.com/virusinfo/analyses/trojdloaderpr.html
Troj/Fontal-B
http://www.sophos.com/virusinfo/analyses/trojfontalb.html
Troj/Bancos-DB
http://www.sophos.com/virusinfo/analyses/trojbancosdb.html
W32/Rbot-AGR
http://www.sophos.com/virusinfo/analyses/w32rbotagr.html
W32/Mytob-CS
http://www.sophos.com/virusinfo/analyses/w32mytobcs.html
Troj/Prodrop-A
http://www.sophos.com/virusinfo/analyses/trojprodropa.html
Troj/Psyme-CB
http://www.sophos.com/virusinfo/analyses/trojpsymecb.html
Troj/Banker-DS
http://www.sophos.com/virusinfo/analyses/trojbankerds.html

Customers with 3.xx or lower versions of Sophos Anti-Virus, who are not running EM Library, can manually download the IDE for W32/Rbot-AGT from:
http://www.sophos.com/downloads/ide/rbot-agt.ide

Read about how to use IDE files at
http://www.sophos.com/support/knowledgebase/article/363.html

*********** MIKE'S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews, see a sample on my web page http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member