From; Sophos Alert System: Name: W32/Kassbot-C Aliases: Backdoor.Win32.Delf.yo, BackDoor-CPV Type: Win32 worm Date: 29 April 2005 A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the June 2005 (3.94) release of Sophos Anti-Virus. Customers using EM Library, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update. At the time of writing, Sophos has received no reports from users affected by this worm. However, we have issued this advisory following enquiries to our support department from customers. Information about W32/Kassbot-C can be found at: http://www.sophos.com/virusinfo/analyses/w32kassbotc.html W32/Kassbot-C is a network worm with a backdoor component. When run the worm will copy itself to the Windows system folder as spools.exe. W32/Kassbot-C will set the following registry entry in order to run automatically each time a user logs in: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Spools Service Controller %SYSTEM%\spools.exe W32/Kassbot-C will send an email to a pre-defined email address containing system information from the infected computer. W32/Kassbot-C will monitor a user's internet access. When certain internet banking and finance sites are accessed, the worm will redirect the user to a Russian website with fake login pages or email the stolen details to a Russian email address. The banking sites include the following: LloydsTSB NatWest HSBC Barclays Halifax Citibank NetBank EzyBank Bank One Australia W32/Kassbot-C will attempt to spread by exploiting the following vulnerabilities: LSASS (MS04-011 ). DCOM (MS04-012 ). W32/Kassbot-C will connect to an IRC server and provide backdoor access to the infected computer. W32/Kassbot-C will drop and load a DLL named XEE32.DLL. This file is also detected as W32/Kassbot-C. W32/Kassbot-C will drop a non-malicious file in the Windows system folder named xbccd.log. This file may just be deleted. W32/Kassbot-C will append the following lines to the HOSTS file in an attempt to block access to anti-virus related websites: 17.145.117.11 d-ru-1f.kaspersky-labs.com 17.145.117.11 d-ru-1h.kaspersky-labs.com 17.145.117.11 d-ru-2f.kaspersky-labs.com 17.145.117.11 d-ru-2h.kaspersky-labs.com 17.145.117.11 d-eu-2f.kaspersky-labs.com 17.145.117.11 d-eu-2h.kaspersky-labs.com 17.145.117.11 d-eu-1f.kaspersky-labs.com 17.145.117.11 d-eu-1h.kaspersky-labs.com 17.145.117.11 d-us-1f.kaspersky-labs.com 17.145.117.11 d-us-1h.kaspersky-labs.com 17.145.117.11 downloads1.kaspersky.ru 17.145.117.11 downloads2.kaspersky.ru 17.145.117.11 downloads3.kaspersky.ru 17.145.117.11 downloads4.kaspersky.ru 17.145.117.11 downloads5.kaspersky.ru 17.145.117.11 www.kaspersky.ru 17.145.117.11 kaspersky.ru 17.145.117.11 kaspersky-labs.com 17.145.117.11 www.kaspersky-labs.com This IDE file also includes detection for: W32/Rbot-ABI http://www.sophos.com/virusinfo/analyses/w32rbotabi.html W32/Sdbot-XN http://www.sophos.com/virusinfo/analyses/w32sdbotxn.html W32/Agobot-RT http://www.sophos.com/virusinfo/analyses/w32agobotrt.html Troj/Dloader-MV http://www.sophos.com/virusinfo/analyses/trojdloadermv.html Troj/Qdown-B http://www.sophos.com/virusinfo/analyses/trojqdownb.html Troj/Goldun-S http://www.sophos.com/virusinfo/analyses/trojgolduns.html Troj/StartPa-FU http://www.sophos.com/virusinfo/analyses/trojstartpafu.html W32/Crowt-D http://www.sophos.com/virusinfo/analyses/w32crowtd.html Download the IDE file from: http://www.sophos.com/downloads/ide/kassbotc.ide Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file. The file is available in two formats: Zip file: http://www.sophos.com/downloads/ide/ides.zip Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe Read about how to use IDE files at http://www.sophos.com/downloads/ide/using.html *********** MIKE"S REPLY SEPARATOR *********** Mike ~ It is a good day if I learned something new. Editor MikesWhatsNews see a sample on my web page http://www3.telus.net/mikebike <mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe> http://www3.telus.net/mikebike/worm_removal.htm See my Anti-Virus pages http://virusinfo.hackfix.org/index <virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe> A Technical Support Alliance and OWTA Charter Member