From: Sophos Alert System

Name: Troj/Delbot-B
Type: Trojan
Date: 19 April 2005

A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the June 2005 (3.94) release of Sophos Anti-Virus. Customers using EM Library, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update.

At the time of writing, Sophos has received a small number of reports of this Trojan from the wild.

Information about Troj/Delbot-B can be found at:
http://www.sophos.com/virusinfo/analyses/trojdelbotb.html

Troj/Delbot-B is an IRC backdoor Trojan for the Windows platform.

Troj/Delbot-B connects to a preconfigured server and opens a backdoor, giving remote attackers unauthorised access to the infected computer. The Trojan receives commands from the attacker and can be instructed to:

  Download code
  Participate in DDoS
  Send email
  Shut down the infected system
  Start and stop processes

Troj/Delbot-B copies itself to the Windows folder as cftmon.exe and mirc.dll and periodically re-creates the following registry entry in case it is removed:

  HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  ctfmon
  "<Windows folder>\cftmon.exe"

Troj/Delbot-B may attempt to terminate processes associated with the following executables:

  '_AVPCC' 'ACKWIN32' 'AD-AWARE' 'ADMINTOOL' 'ADVXDWIN' 'AGENTA' 'AGENTSVR' 'ALERTSVC'
  'ALOGSERV' 'AMON9X' 'ANTI-TROJAN' 'ANTITROJ' 'ANTIVIRUS' 'APIMONITOR' 'APLICA32' 'APVXDWIN'
  'ASHDISP' 'ASHQUICK' 'ATGUARD' 'ATRO55EN' 'ATUPDATER' 'ATWATCH' 'AUTODOWN' 'AUTOTRACE'
  'AVCONSOL' 'AVENGINE' 'AVGCC32' 'AVGCTRL' 'AVGSERV' 'AVGSERV9' 'AVGUARD' 'AVKPOP'
  'AVKSERV' 'AVKSERVICE' 'AVKWCTL' 'AVKWCTL9' 'AVSCHED32' 'AVSYNMGR' 'AVWINNT' 'AVXGUI'
  'AVXLIVE' 'AVXMONITOR9X' 'AVXMONITORNT' 'AVXQUAR' 'BD_PROFESSIONAL' 'BIDSERVER' 'BLACKD' 'BLACKICE'
  'BOOTSCAN' 'BOOTWARN' 'CCEVTMGR' 'CFGINTPR' 'CFGWIZ' 'CFIADMIN' 'CFIAUDIT' 'CFINET'
  'CFINET32' 'CLAW95' 'CLAW95CF' 'CLEANER' 'CLEANER3' 'CLEANPC' 'CMGRDIAN' 'CMON016'
  'CONNECTIONMONITOR' 'CPFNT206' 'CWNB181' 'CWNTDWMO' 'DEFSCANGUI' 'DEFWATCH' 'DEPUTY' 'DPATROL'
  'DRWEB32' 'DRWEBSCD' 'ECENGINE' 'EFPEADM' 'ESCANH95' 'ESCANHNT' 'ESCANV95' 'ESPWATCH'
  'ETRUSTCIPE' 'EXANTIVIRUS-CNET' 'EXPERT' 'F-AGNT95' 'F-PROT' 'F-PROT95' 'F-STOPW' 'FAMEH32'
  'FINDVIRU' 'FIREWALL' 'FLOWPROTECTOR' 'FNRB32' 'FP-WIN' 'FSAV32' 'FSAV530STBYB' 'FSAVSTRT'
  'FSGK32' 'FSMA32' 'FSMB32' 'GBMENU' 'GBPOLL' 'GENERICS' 'GLADIATOR' 'GUARDDOG'
  'GUARDER' 'HACKERELIMINATOR' 'HACKTRACERSETUP' 'IAMAPP' 'IAMSERV' 'IAMSTATS' 'IBMASN' 'IBMAVSP'
  'ICLOAD95' 'ICLOADNT' 'ICSUPP95' 'ICSUPPNT' 'IOMON98' 'IPARMOR' 'ISRV95' 'JAMMER'
  'KAVLITE40ENG' 'MCVSSHLD' 'MFW2EN' 'MGAVRTCL' 'MGAVRTE' 'MGHTML' 'MGUTIL' 'MINILOG'
  'MONITOR' 'MOOLIVE' 'MPFTRAY' 'MSSMMC32' 'MWATCH' 'N32SCANW' 'NAVAPSVC' 'NAVAPW32'
  'NAVLU32' 'NAVSTUB' 'NAVW32' 'NAVWNT' 'NEOWATCHLOG' 'NEOWATCHTRAY' 'NETARMOR' 'NETINFO'
  'NETMON' 'NETSCANPRO' 'NETSPYHUNTER-1.2' 'NETUTILS' 'NISSERV' 'NORMIST' 'NPFMESSENGER' 'NPSSVC'
  'NSCHED32' 'NTRTSCAN' 'NTXCONFIG' 'NVARCH16' 'NWSERVICE' 'NWTOOL16' 'OSTRONET' 'OUTPOST'
  'PADMIN' 'PANIXK' 'PAVFIRES' 'PAVPROXY' 'PAVSRV51' 'PCCCLIENT' 'PCCGUIDE' 'PCCIOMON'
  'PCCNTMON' 'PCCPFW' 'PCCWIN97' 'PCCWIN98' 'PCFWALLICON' 'PCSCAN' 'PERISCOPE' 'PERSFW'
  'PFWADMIN' 'PINGSCAN' 'PLATIN' 'POP3TRAP' 'POPROXY' 'PORTDETECTIVE' 'PORTMONITOR' 'PPVSTOP'
  'PRAZNA' 'PROCMAN' 'PROGRAMAUDITOR' 'PROPORT' 'PROTECTX' 'PVIEW95' 'QCONSOLE' 'QSERVER'
  'QTTASK' 'RAPAPP' 'RAV7WIN' 'RAV8WIN32ENG' 'RAVMON' 'RAVWIN8' 'REALMON' 'RMVTRJAN'
  'RRGUARD' 'RSHELL' 'RTVSCN95' 'RULAUNCH' 'SAFEWEB' 'SBSERV' 'SCAN32' 'SCANPM'
  'SCRSCAN' 'SGSSFW32' 'SPHINX' 'SS3EDIT' 'SUPFTRL' 'SUPPORTER5' 'SWEEP95' 'SWNETSUP'
  'SYMPROXYSVC' 'TASKALERT' 'TAUMON' 'TAUSCAN' 'TBSCAN' 'TDS2-NT' 'THGUARD' 'TITANIN'
  'TITANINXP' 'TRJSCAN' 'TROJAN' 'TROJANHUNTER' 'TROJANTRAP3' 'TUCONF' 'TWEAK-XP' 'UMXAGENT'
  'UMXLDRA' 'V530WTBYB' 'VBCMSERV' 'VBCONS' 'VBWIN9X' 'VBWINNTW' 'VETTRAY' 'VIR-HELP'
  'VNLAN300' 'VPFW30S' 'VPTR AY' 'VPTRAY' 'VSCAN40' 'VSCHED' 'VSECOMR' 'VSHWIN32'
  'VSMAIN' 'VSSTAT' 'WATCHDOG' 'WATCHER' 'WEBSCANX' 'WEBTRAP' 'WFINDV32' 'WGFE95'
  'WIMMUN32' 'WINGATE' 'WINRECON' 'WINROUTE' 'WRADMIN' 'WRCTRL' 'WSBGATE' 'XCOMMSVR'
  'XPF202EN' 'ZATUTOR' 'ZAUINST' 'ZONALM2601' 'ZONEALARM'

Troj/Delbot-B also drops two files to the Windows folder: 0.0 (harmless) and br.dll (detected as Troj/Delbot-B).

This IDE file also includes detection for:

  Troj/Deldoc-B     http://www.sophos.com/virusinfo/analyses/trojdeldocb.html
  Troj/PcClient-E   http://www.sophos.com/virusinfo/analyses/trojpccliente.html
  Troj/Clicker-DR   http://www.sophos.com/virusinfo/analyses/trojclickerdr.html
  Troj/Multidr-DK   http://www.sophos.com/virusinfo/analyses/trojmultidrdk.html
  Troj/Dloader-LY   http://www.sophos.com/virusinfo/analyses/trojdloaderly.html
  XM97/Delun-A      http://www.sophos.com/virusinfo/analyses/xm97deluna.html
  Troj/Hobbes-A     http://www.sophos.com/virusinfo/analyses/trojhobbesa.html
  Troj/MultiDr-DJ   http://www.sophos.com/virusinfo/analyses/trojmultidrdj.html
  Troj/LdPinch-AV   http://www.sophos.com/virusinfo/analyses/trojldpinchav.html
  Troj/Bancos-CI    http://www.sophos.com/virusinfo/analyses/trojbancosci.html
  Troj/Dloader-MC   http://www.sophos.com/virusinfo/analyses/trojdloadermc.html
  Troj/Dloader-MA   http://www.sophos.com/virusinfo/analyses/trojdloaderma.html
  Troj/Dropper-AK   http://www.sophos.com/virusinfo/analyses/trojdropperak.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/delbot-b.ide

Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file. The file is available in two formats:

  Zip file:            http://www.sophos.com/downloads/ide/ides.zip
  Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at http://www.sophos.com/downloads/ide/using.html

*********** MIKE'S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews
See a sample on my web page: http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages: http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
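A host check for the artefacts the alert above describes, written as an added example; it is not part of the Sophos alert or of Mike's mail. It assumes PowerShell on the Windows host being checked and relies on the fact that the genuine Windows binary is ctfmon.exe, so a Run value named ctfmon whose data points at cftmon.exe is the Trojan's persistence entry rather than the legitimate one.

```powershell
# Added example (not from the Sophos alert): look for the Troj/Delbot-B
# artefacts the alert names. Assumes PowerShell on the host under review.
$windir   = $env:WINDIR
$findings = @()

# 1. Run key. The alert says the Trojan re-creates value "ctfmon" pointing at
#    "<Windows folder>\cftmon.exe", so inspect the value DATA: a value named
#    ctfmon that points at the genuine ctfmon.exe is normal and must not match.
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['ctfmon']) {
    $data = [string]$run.ctfmon
    if ($data -match '(?i)\\cftmon\.exe') {
        $findings += "Run\ctfmon points at the Trojan copy: $data"
    }
}

# 2. Files the alert says are written to the Windows folder
#    (cftmon.exe, mirc.dll, br.dll, and the harmless marker 0.0).
foreach ($name in 'cftmon.exe', 'mirc.dll', 'br.dll', '0.0') {
    $path = Join-Path $windir $name
    if (Test-Path -LiteralPath $path) {
        $findings += "File present: $path"
    }
}

# 3. A live process launched from the Trojan copy. Path is null for
#    processes we are not allowed to inspect, so test it first.
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path -match '(?i)\\cftmon\.exe$' } |
    ForEach-Object {
        $findings += "Running process from Trojan copy: PID $($_.Id) $($_.Path)"
    }

if ($findings.Count -eq 0) {
    Write-Output 'No Troj/Delbot-B artefacts found.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it from an elevated prompt so the HKLM key and system processes are readable; a hit on the Run value alone is enough to justify the IDE scan the alert recommends, since the Trojan rewrites that value periodically.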