From: Sophos Alert System

Name: W32/Sdbot-AYF
Type: Win32 worm
Date: 27 June 2005

Sophos has issued protection for W32/Sdbot-AYF. At the time of writing, Sophos has received a small number of reports of this worm from the wild.

Customers using EM Library, Enterprise Console, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update.

Information about W32/Sdbot-AYF can be found at:
http://www.sophos.com/virusinfo/analyses/w32sdbotayf.html

W32/Sdbot-AYF is a network worm with backdoor Trojan functionality for the Windows platform.

When first run, W32/Sdbot-AYF copies itself to the Windows system folder as WinAwk.exe, drops a driver file named rdriv.sys and creates the following registry entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinAwk
"WinAwk.exe"

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RDRIV
[several entries]

HKLM\SYSTEM\CurrentControlSet\Services\rdriv
[several entries]

HKLM\SYSTEM\CurrentControlSet\Control
WaitToKillServiceTimeout
"7000"

The rdriv.sys file dropped by W32/Sdbot-AYF is detected by Sophos's anti-virus products as Troj/Rootkit-X.

The worm spreads through network shares protected by weak passwords, through MS-SQL servers and through various operating system vulnerabilities.

W32/Sdbot-AYF connects to a predetermined IRC channel and awaits further commands from remote users.
The backdoor component of W32/Sdbot-AYF can be instructed to perform the following functions:
scan networks for vulnerabilities
download/execute arbitrary files
start an FTP server

Patches for the vulnerabilities exploited by W32/Sdbot-AYF can be obtained from Microsoft at:
MS02-039
MS04-011
MS04-012

The W32/Sdbot-AYF virus identity file (IDE) includes detection for:
Troj/Rootkit-X
http://www.sophos.com/virusinfo/analyses/trojrootkitx.html
W32/Rbot-AGK
http://www.sophos.com/virusinfo/analyses/w32rbotagk.html
Dial/TlfLic-D
http://www.sophos.com/virusinfo/analyses/dialtlflicd.html
W32/Kedebe-F
http://www.sophos.com/virusinfo/analyses/w32kedebef.html
W32/Sdbot-AYE
http://www.sophos.com/virusinfo/analyses/w32sdbotaye.html
Troj/HacDef-S
http://www.sophos.com/virusinfo/analyses/trojhacdefs.html
Troj/ServU-AY
http://www.sophos.com/virusinfo/analyses/trojservuay.html
Troj/Vixup-E
http://www.sophos.com/virusinfo/analyses/trojvixupe.html
Troj/Vixup-D
http://www.sophos.com/virusinfo/analyses/trojvixupd.html
Troj/Bdoor-IS
http://www.sophos.com/virusinfo/analyses/trojbdooris.html
Troj/Vixup-C
http://www.sophos.com/virusinfo/analyses/trojvixupc.html

Customers with 3.xx or lower versions of Sophos Anti-Virus, who are not running EM Library, can manually download the IDE for W32/Sdbot-AYF from:
http://www.sophos.com/downloads/ide/sdbotayf.ide

Read about how to use IDE files at
http://www.sophos.com/support/knowledgebase/article/363.html

*********** MIKE'S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews
see a sample on my web page http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
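The alert above gives a usable set of host indicators (the WinAwk.exe copy in the system folder, the Run value, the rdriv driver service and its LEGACY_RDRIV enum key, the dropped rdriv.sys and the changed WaitToKillServiceTimeout). The following PowerShell script is an added example that checks a single Windows host for those indicators; it is not Sophos's or the list author's code. It assumes the "Windows system folder" is %SystemRoot%\System32 and, because the alert does not say where rdriv.sys is written, looks for it in System32 and System32\drivers; both are assumptions, as is the 20000 default quoted for WaitToKillServiceTimeout.

```powershell
# Added example (not from the Sophos alert or the list author): triage a
# Windows host for the W32/Sdbot-AYF indicators named in the alert.
# Assumptions: the Windows system folder is %SystemRoot%\System32; rdriv.sys
# is looked for in System32 and System32\drivers. Run from an elevated prompt.

$findings = @()
$system32 = Join-Path $env:SystemRoot 'System32'

# 1. Worm body: WinAwk.exe copied to the system folder
$wormPath = Join-Path $system32 'WinAwk.exe'
if (Test-Path -LiteralPath $wormPath) {
    $findings += "File present: $wormPath"
}

# 2. Rootkit driver rdriv.sys (Troj/Rootkit-X); the two locations are assumptions
foreach ($dir in @($system32, (Join-Path $system32 'drivers'))) {
    $drv = Join-Path $dir 'rdriv.sys'
    if (Test-Path -LiteralPath $drv) {
        $findings += "File present: $drv"
    }
}

# 3. Persistence: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinAwk
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runVal = Get-ItemProperty -Path $runKey -Name 'WinAwk' -ErrorAction SilentlyContinue
if ($null -ne $runVal) {
    $findings += "Run value WinAwk = '$($runVal.WinAwk)'"
}

# 4. Driver service key and the Plug-and-Play legacy entry Windows creates for it
foreach ($key in @('HKLM:\SYSTEM\CurrentControlSet\Services\rdriv',
                   'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RDRIV')) {
    if (Test-Path -LiteralPath $key) {
        $findings += "Registry key present: $key"
    }
}

# 5. WaitToKillServiceTimeout lowered to 7000 (assumed default on XP/2003: 20000).
#    On its own this is a weak indicator; report it only alongside the others.
$ctl = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control' `
        -Name 'WaitToKillServiceTimeout' -ErrorAction SilentlyContinue
if (($null -ne $ctl) -and ("$($ctl.WaitToKillServiceTimeout)" -eq '7000')) {
    $findings += 'WaitToKillServiceTimeout = 7000 (matches alert; weak on its own)'
}

# 6. Loaded kernel driver: Get-Service does not list drivers, so ask WMI
$drvObj = Get-WmiObject -Class Win32_SystemDriver -Filter "Name='rdriv'" -ErrorAction SilentlyContinue
if ($null -ne $drvObj) {
    $findings += "Kernel driver rdriv loaded: state=$($drvObj.State) path=$($drvObj.PathName)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Sdbot-AYF indicators found on this host.'
    Write-Output 'Caveat: rdriv.sys is a rootkit and can hide files and keys from the running system.'
} else {
    Write-Output 'W32/Sdbot-AYF indicators found:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Because the dropped rdriv.sys is itself a rootkit driver, a clean result from the live system is not conclusive: the driver can filter the very file and registry queries this script makes. Treat a negative as provisional and confirm from an offline boot environment or with the vendor's IDE-updated scanner, and treat any positive as grounds to rebuild rather than clean, since the backdoor can download and execute arbitrary files. After remediation, apply MS02-039, MS04-011 and MS04-012 and rotate the share and SQL passwords the worm uses to spread.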