From; Sophos Alert System: Name: W32/Forbot-EP Aliases: Backdoor.Win32.Wootbot.gen Type: Win32 worm Date: 5 March 2005 A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the April 2005 (3.92) release of Sophos Anti-Virus. Customers using EM Library, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update. At the time of writing, Sophos has received a small number of reports of this worm from the wild. Information about W32/Forbot-EP can be found at: http://www.sophos.com/virusinfo/analyses/w32forbotep.html W32/Forbot-EP is a worm which attempts to spread to remote network shares and computers vulnerable to common exploits. W32/Forbot-EP also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via the IRC network, while running in the background as a service process. W32/Forbot-EP connects to a preconfigured IRC channel and awaits commands from a remote intruder. These include commands to steal information, delete network shares, reduce system security, start a proxy server, participate in DDoS attacks, exploit vulnerabilities, steal registration keys for computer games and harvest email addresses from the Windows address book and Instant Messenger configuration files. W32/Forbot-EP copies itself to the Windows system folder and creates the following registry entries to run itself automatically on log-on: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ Windows Domain Name Drivers = windns.exe HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\ Windows Domain Name Drivers = windns.exe HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\ Windows Domain Name Drivers = windns.exe HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ Windows Domain Name Drivers = windns.exe HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\ Windows Domain Name Drivers = windns.exe On NT based versions of Windows (XP,2000,NT) windns.exe is run as a new service named "IEXPLORER-Drivers" with a display name of "Windows Domain Name Drivers". New registry entries are created under: HKLM\SYSTEM\CurrentControlSet\Services\IEXPLORER-Drivers This IDE file also includes detection for: W32/Kipis-J http://www.sophos.com/virusinfo/analyses/w32kipisj.html W32/Codbot-H http://www.sophos.com/virusinfo/analyses/w32codboth.html W32/Agobot-AMI http://www.sophos.com/virusinfo/analyses/w32agobotami.html Troj/LowZone-Q http://www.sophos.com/virusinfo/analyses/trojlowzoneq.html Troj/Bancban-BR http://www.sophos.com/virusinfo/analyses/trojbancbanbr.html Troj/Borodldr-A http://www.sophos.com/virusinfo/analyses/trojborodldra.html Troj/Bancos-BJ http://www.sophos.com/virusinfo/analyses/trojbancosbj.html Troj/Padodor-X http://www.sophos.com/virusinfo/analyses/trojpadodorx.html Troj/Hexem-A http://www.sophos.com/virusinfo/analyses/trojhexema.html Download the IDE file from: http://www.sophos.com/downloads/ide/forbotep.ide Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file. The file is available in two formats: Zip file: http://www.sophos.com/downloads/ide/ides.zip Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe Read about how to use IDE files at http://www.sophos.com/downloads/ide/using.html *********** MIKE"S REPLY SEPARATOR *********** Mike ~ It is a good day if I learned something new. Editor MikesWhatsNews see a sample on my web page http://www3.telus.net/mikebike <mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe> http://www3.telus.net/mikebike/worm_removal.htm See my Anti-Virus pages http://virusinfo.hackfix.org/index <virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe> A Technical Support Alliance and OWTA Charter Member