From; Sophos Alert System: Name: W32/Agobot-RC Aliases: Backdoor.Win32.Agobot.aal Type: Win32 worm Date: 24 March 2005 A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the May 2005 (3.93) release of Sophos Anti-Virus. Customers using EM Library, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update. At the time of writing, Sophos has received a small number of reports of this worm from the wild. Information about W32/Agobot-RC can be found at: http://www.sophos.com/virusinfo/analyses/w32agobotrc.html W32/Agobot-RC is a worm with backdoor functionality which spreads to computers protected by weak passwords and by using the LSASS security exploit (MS04-011). When first run, W32/Agobot-RC moves itself to the Windows system folder as smrs.exe and creates the following registry entries to run itself on computer restart: HKLM\Software\Microsoft\Windows\CurrentVersion\Run vsadmin smrs.exe HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices vsadmin smrs.exe W32/Agobot-RC then tries to connect to a remote IRC server while running continuously in the background, allowing a remote intruder to access and control the computer via IRC channels. The worm modifies the HOSTS file by appending the following mappings: 127.0.0.1 www.symantec.com 127.0.0.1 securityresponse.symantec.com 127.0.0.1 symantec.com 127.0.0.1 www.sophos.com 127.0.0.1 sophos.com 127.0.0.1 www.mcafee.com 127.0.0.1 mcafee.com 127.0.0.1 liveupdate.symantecliveupdate.com 127.0.0.1 www.viruslist.com 127.0.0.1 viruslist.com 127.0.0.1 viruslist.com 127.0.0.1 f-secure.com 127.0.0.1 www.f-secure.com 127.0.0.1 kaspersky.com 127.0.0.1 www.avp.com 127.0.0.1 www.kaspersky.com 127.0.0.1 avp.com 127.0.0.1 www.networkassociates.com 127.0.0.1 networkassociates.com 127.0.0.1 www.ca.com 127.0.0.1 ca.com 127.0.0.1 mast.mcafee.com 127.0.0.1 my-etrust.com 127.0.0.1 www.my-etrust.com 127.0.0.1 download.mcafee.com 127.0.0.1 dispatch.mcafee.com 127.0.0.1 secure.nai.com 127.0.0.1 nai.com 127.0.0.1 www.nai.com 127.0.0.1 update.symantec.com 127.0.0.1 updates.symantec.com 127.0.0.1 us.mcafee.com 127.0.0.1 liveupdate.symantec.com 127.0.0.1 customer.symantec.com 127.0.0.1 rads.mcafee.com 127.0.0.1 trendmicro.com 127.0.0.1 www.trendmicro.com Once installed, W32/Agobot-RC attempts to perform the following actions when instructed to do so by a remote intruder: steal CD game keys log keystrokes setup a SOCKS4 server steal email addresses and send them to a remote website via HTTP steal MSN Messenger and computer information perform denial of service (DoS) attacks using a variety of HTTP, Ping, TCP, UDP commands download and run files from the internet login to MS SQL servers and send EXEC commands to open a command shell terminate and disable various anti-virus and security related programs This IDE file also includes detection for: W32/Forbot-GP http://www.sophos.com/virusinfo/analyses/w32forbotgp.html W32/Sdbot-WX http://www.sophos.com/virusinfo/analyses/w32sdbotwx.html W32/Rbot-ZD http://www.sophos.com/virusinfo/analyses/w32rbotzd.html Download the IDE file from: http://www.sophos.com/downloads/ide/agobotrc.ide Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file. The file is available in two formats: Zip file: http://www.sophos.com/downloads/ide/ides.zip Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe Read about how to use IDE files at http://www.sophos.com/downloads/ide/using.html *********** MIKE"S REPLY SEPARATOR *********** Mike ~ It is a good day if I learned something new. Editor MikesWhatsNews see a sample on my web page http://www3.telus.net/mikebike <mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe> http://www3.telus.net/mikebike/worm_removal.htm See my Anti-Virus pages http://virusinfo.hackfix.org/index <virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe> A Technical Support Alliance and OWTA Charter Member