From: Sophos Alert System

Name: W32/Codbot-K
Aliases: W32.Randex, Backdoor.Win32.Codbot.z, W32/Gaobot.worm.gen.q
Type: Win32 worm
Date: 13 April 2005

A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the June 2005 (3.94) release of Sophos Anti-Virus.

Customers using EM Library, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update.

At the time of writing, Sophos has received a small number of reports of this worm from the wild.

Information about W32/Codbot-K can be found at:
http://www.sophos.com/virusinfo/analyses/w32codbotk.html

W32/Codbot-K is a network worm with backdoor functionality for the Windows platform.

The worm connects to an IRC channel and listens for backdoor commands from a remote attacker. The backdoor functionality of the worm includes the ability to sniff packets, download further malicious code and steal passwords and other system information.

When first run, W32/Codbot-K copies itself to the Windows system folder as SCardClnt.exe and installs itself as a service with these attributes:

    servicename = SCardClnt
    displayname = "Smart Card Client"
    imagepath = <Windows system folder>SCardClnt.exe

W32/Codbot-K may make the following change to the system registry:

    HKLM\SOFTWARE\Microsoft\Ole
    EnableDCOM
    N

W32/Codbot-K may attempt to exploit a number of vulnerabilities, including the LSASS vulnerability (MS04-011).
Patches for the operating system vulnerability exploited by W32/Codbot-K can be obtained from Microsoft at:
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

This IDE file also includes detection for:

    Troj/Sharp-F       http://www.sophos.com/virusinfo/analyses/trojsharpf.html
    Troj/Dloader-LN    http://www.sophos.com/virusinfo/analyses/trojdloaderln.html
    W32/Rbot-AAN       http://www.sophos.com/virusinfo/analyses/w32rbotaan.html
    Troj/Nethief-M     http://www.sophos.com/virusinfo/analyses/trojnethiefm.html
    Troj/AdClick-AN    http://www.sophos.com/virusinfo/analyses/trojadclickan.html
    Troj/Dumaru-BA     http://www.sophos.com/virusinfo/analyses/trojdumaruba.html
    Troj/QQRob-B       http://www.sophos.com/virusinfo/analyses/trojqqrobb.html
    W32/Rbot-AAK       http://www.sophos.com/virusinfo/analyses/w32rbotaak.html
    W32/Rbot-AZW       http://www.sophos.com/virusinfo/analyses/w32rbotazw.html
    W32/Rbot-AAM       http://www.sophos.com/virusinfo/analyses/w32rbotaam.html
    W32/Rbot-AAL       http://www.sophos.com/virusinfo/analyses/w32rbotaal.html
    W32/Sdbot-WY       http://www.sophos.com/virusinfo/analyses/w32sdbotwy.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/codbot-k.ide

Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file. The file is available in two formats:

    Zip file:             http://www.sophos.com/downloads/ide/ides.zip
    Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

*********** MIKE"S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews, see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages
http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
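
Added example, not part of the Sophos alert or of the original post: a PowerShell host check for the three indicators the alert lists (the SCardClnt service, SCardClnt.exe in the Windows system folder, and EnableDCOM set to N). The function name Test-CodbotKIndicators is hypothetical; the indicator values are the ones given in the alert.

```powershell
# Added example: host triage for the W32/Codbot-K indicators from the alert.
# Function name is hypothetical; indicator values are copied from the alert text.
function Test-CodbotKIndicators {
    $findings = @()

    # Service installed by the worm: servicename = SCardClnt
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='SCardClnt'" -ErrorAction SilentlyContinue
    if ($svc) {
        $findings += [pscustomobject]@{
            Indicator = 'Service SCardClnt present'
            Strength  = 'Strong'
            Detail    = "DisplayName='$($svc.DisplayName)'; PathName='$($svc.PathName)'"
        }
    }

    # Worm copy: SCardClnt.exe in the Windows system folder
    $exe = Join-Path ([Environment]::SystemDirectory) 'SCardClnt.exe'
    if (Test-Path -LiteralPath $exe -PathType Leaf) {
        # Hash is recorded for the incident ticket; it is null if the file cannot be read
        $sha = (Get-FileHash -LiteralPath $exe -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        $findings += [pscustomobject]@{
            Indicator = 'SCardClnt.exe in system folder'
            Strength  = 'Strong'
            Detail    = "$exe; SHA256=$sha"
        }
    }

    # Registry change the alert says the worm "may" make. Administrators also set
    # EnableDCOM to N deliberately, so this only corroborates the findings above.
    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -Name 'EnableDCOM' -ErrorAction SilentlyContinue
    if ($ole -and $ole.EnableDCOM -eq 'N') {
        $findings += [pscustomobject]@{
            Indicator = 'HKLM\SOFTWARE\Microsoft\Ole EnableDCOM = N'
            Strength  = 'Weak'
            Detail    = 'DCOM disabled; confirm whether this was an administrative change'
        }
    }

    return $findings
}

$result = Test-CodbotKIndicators
if ($result) { $result | Format-List }
else { 'None of the W32/Codbot-K indicators from the alert were found.' }
```

A clean result only means these three indicators are absent; the MS04-011 patch status of the host still needs to be checked separately.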