From; Sophos Alert System: Name: W32/Cycle-A Type: Win32 worm Date: 18 May 2004 A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the June 2004 (3.82) release of Sophos Anti-Virus. Customers using Enterprise Manager, PureMessage and any of the Sophos small business solutions will be automatically protected at their next scheduled update. At the time of writing, Sophos has received just one report of this worm from the wild. Information about W32/Cycle-A can be found at: http://www.sophos.com/virusinfo/analyses/w32cyclea.html Description W32/Cycle-A is a network worm which searches for unpatched computers on the Internet using randomly generated IP addresses. These computers are vulnerable to the LSASS buffer overrun exploit which can permit a remote attacker to gain administrator privileges on the local computer. For more information about this Windows vulnerability, please refer to the following Microsoft Security Bulletin: Microsoft Security Bulletin MS04-011. W32/Cycle-A will copy itself into the Windows System folder under the filename SVCHOST.EXE and create the following registry branches: HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HOST_SERVICE\ HKLM\SYSTEM\CurrentControlSet\Services\Host Service\ The second branch will contain the entry: ImagePath = C:\<Windows System\SVCHOST.EXE This will ensure that the worm is executed every time that the computer is restarted. W32/Cycle-A will run a TFTP server on UDP Port 69 and when any target computers have been accessed, it will execute a remote shell and attempt to download a copy of itself from the TFTP server onto the remote computer using the filename CYCLONE.EXE. This worm may then modify the following registry entry: Generic Host Service = C:\<Windows System>\SVCHOST.EXE Which may exist under the following registry branches on the target computer: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ W32/Cycle-A will also attempt to terminate processes associated with the W32/Blaster and W32/Sasser worms and may initiate a denial-of-service (DoS) attack against the following sites on the 18th May: www.irna.com www.bbc.com www.isna.com www.bbcnews.com W32/Cycle-A will drop the file C:\<Windows>\CYCLONE.TXT. This is a message containing statements about the political and social situation in Iran. Recovery Please follow the instructions for removing worms This IDE file also includes detection for: Troj/Killav-I http://www.sophos.com/virusinfo/analyses/trojkillavi.html Troj/Killav-BB http://www.sophos.com/virusinfo/analyses/trojkillavbb.html Troj/SennaSpy-E http://www.sophos.com/virusinfo/analyses/trojsennaspye.html Troj/Leniv-A http://www.sophos.com/virusinfo/analyses/trojleniva.html Troj/Small-R http://www.sophos.com/virusinfo/analyses/trojsmallr.html Troj/Servu-E http://www.sophos.com/virusinfo/analyses/trojservue.html W32/Gobot-B http://www.sophos.com/virusinfo/analyses/w32gobotb.html W32/Agobot-NH http://www.sophos.com/virusinfo/analyses/w32agobotnh.html Troj/Bamer-B http://www.sophos.com/virusinfo/analyses/trojbamerb.html Download the IDE file from: http://www.sophos.com/downloads/ide/cycle-a.ide Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file. The file is available in two formats: Zip file: http://www.sophos.com/downloads/ide/ides.zip Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe Read about how to use IDE files at http://www.sophos.com/downloads/ide/using.html *********** MIKE"S REPLY SEPARATOR *********** Mike ~ It is a good day if I learned something new. Editor MikesWhatsNews see a sample on my web page http://www3.telus.net/mikebike <mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe> http://www3.telus.net/mikebike/worm_removal.htm See my Anti-Virus pages http://virusinfo.hackfix.org/index <virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe> A Technical Support Alliance and OWTA Charter Member