From; Sophos Alert System: Name: W32/Sdbot-ZM Aliases: Backdoor.Win32.SdBot.yx Type: Win32 worm Date: 18 June 2005 Sophos has issued protection for W32/Sdbot-ZM. At the time of writing, Sophos has received a small number of reports of this worm from the wild. Customers using EM Library, Enterprise Console, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update. Note: The IDE issued for W32/Sdbot-ZM at 04:54 (GMT) on 17 June 2005 also contained detection for Troj/Delbot-E, W32/Mytob-BN, W32/Mytob-BO, W32/Mytob-BP and W32/Mytob-BM . This IDE has now been updated to enhance detection of W32/Mytob-BN. Information about W32/Sdbot-ZM can be found at: http://www.sophos.com/virusinfo/analyses/w32sdbotzm.html W32/Sdbot-ZM is a network worm with backdoor Trojan functionality for the Windows platform. When first run, W32/Sdbot-ZM copies itself to the Windows system folder as nawdll32.exe and creates the following registry entries in order to run each time a user logs on: HKLM\SOFTWARE\Microsoft\Ole nawdll32 "nawdll32.exe" HKLM\SYSTEM\CurrentControlSet\Control\Lsa nawdll32 "nawdll32.exe" HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run nawdll32 "nawdll32.exe" HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce nawdll32 "nawdll32.exe" HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices nawdll32 "nawdll32.exe" HKCU\Software\Microsoft\OLE nawdll32 "nawdll32.exe" HKCU\System\CurrentControlSet\Control\Lsa nawdll32 "nawdll32.exe" HKCU\Software\Microsoft\Windows\CurrentVersion\Run nawdll32 "nawdll32.exe" HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce nawdll32 "nawdll32.exe" HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices nawdll32 "nawdll32.exe" The worm spreads through network shares protected by weak passwords, MS-SQL servers and through various operating system vulnerabilities. W32/Sdbot-ZM connects to a predetermined IRC channel and awaits further commands from remote users. The backdoor component of W32/Sdbot-ZM can be instructed to perform the following functions: scan networks for vulnerabilities download/execute arbitrary files start an ftp server Patches for the vulnerabilities exploited by W32/Sdbot-ZM can be obtained from Microsoft at: http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx The W32/Sdbot-ZM virus identity file (IDE) includes detection for: Troj/Delbot-E http://www.sophos.com/virusinfo/analyses/trojdelbote.html W32/Mytob-BN http://www.sophos.com/virusinfo/analyses/w32mytobbn.html W32/Mytob-BO http://www.sophos.com/virusinfo/analyses/w32mytobbo.html W32/Mytob-BP http://www.sophos.com/virusinfo/analyses/w32mytobbp.html W32/Mytob-BM http://www.sophos.com/virusinfo/analyses/w32mytobbm.html Customers with 3.xx or lower versions of Sophos Anti-Virus, who are not running EM Library, can manually download the IDE for W32/Sdbot-ZM from: http://www.sophos.com/downloads/ide/sdbot-zm.ide Read about how to use IDE files at http://www.sophos.com/support/knowledgebase/article/363.html *********** MIKE"S REPLY SEPARATOR *********** Mike ~ It is a good day if I learned something new. Editor MikesWhatsNews see a sample on my web page http://www3.telus.net/mikebike <mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe> http://www3.telus.net/mikebike/worm_removal.htm See my Anti-Virus pages http://virusinfo.hackfix.org/index <virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe> A Technical Support Alliance and OWTA Charter Member