From: Sophos Alert System

Name: W32/Rbot-AAC
Type: Win32 worm
Date: 6 April 2005

A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the May 2005 (3.93) release of Sophos Anti-Virus. Customers using EM Library, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update.

At the time of writing, Sophos has received a small number of reports of this worm from the wild.

Information about W32/Rbot-AAC can be found at:
http://www.sophos.com/virusinfo/analyses/w32rbotaac.html

W32/Rbot-AAC is a network worm which attempts to spread via network shares. The worm contains backdoor functions that allow unauthorised remote access to the infected computer via IRC channels while it runs in the background.

The worm spreads to network shares with weak passwords and also by using the RPC-DCOM security exploit (MS03-039).

When run, W32/Rbot-AAC moves itself to the Windows System folder as a hidden, read-only, system file named msnmsgs.exe. The worm then copies itself to the following filenames:

C:\eminem vs 2pac.scr
C:\funny pic.scr
C:\photo album.scr

The above 3 files have their read-only, hidden, system and archive file attributes set.

W32/Rbot-AAC then creates the following registry entries so as to run itself on computer logon:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
MSN MESSENGER
msnmsgs.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MSN MESSENGER
msnmsgs.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
MSN MESSENGER
msnmsgs.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSN MESSENGER
msnmsgs.exe

The worm also creates the following registry entries:

HKCU\SYSTEM\CurrentControlSet\Control\Lsa
MSN MESSENGER
msnmsgs.exe

HKCU\Software\Microsoft\Ole
MSN MESSENGER
msnmsgs.exe

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
MSN MESSENGER
msnmsgs.exe

HKLM\SOFTWARE\Microsoft\Ole
MSN MESSENGER
msnmsgs.exe

The worm changes the following registry entries as follows:

from:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
Y
to:
HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

from:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
dword:00000000
to:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
dword:00000001

Once installed, W32/Rbot-AAC will attempt to perform the following actions when instructed to do so by a remote attacker:

- scan ports
- create an HTTPD server
- create a SOCKS4 server
- participate in distributed denial of service (DDoS) attacks
- download and run files from the Internet
- log keystrokes to the file %SYSTEM%\keys.txt
- capture clipboard information
- terminate anti-virus, security and Windows applications and processes

The worm also prevents access to anti-virus and security related websites by appending mappings to the HOSTS file in the %SYSTEM%\drivers\etc folder that point those vendors' websites (Symantec, Sophos, McAfee, F-Secure, Kaspersky, Trend Micro, CA, Network Associates and others, as well as www.microsoft.com) at 127.0.0.1.
This IDE file also includes detection for:

Troj/Banker-MA
http://www.sophos.com/virusinfo/analyses/trojbankerma.html

Troj/Bancos-BZ
http://www.sophos.com/virusinfo/analyses/trojbancosbz.html

Troj/StartPa-FO
http://www.sophos.com/virusinfo/analyses/trojstartpafo.html

Troj/Bancos-CA
http://www.sophos.com/virusinfo/analyses/trojbancosca.html

W32/Rbot-AAB
http://www.sophos.com/virusinfo/analyses/w32rbotaab.html

Troj/Dloader-LB
http://www.sophos.com/virusinfo/analyses/trojdloaderlb.html

Troj/Mirchack-F
http://www.sophos.com/virusinfo/analyses/trojmirchackf.html

Troj/Haxdor-Gen
http://www.sophos.com/virusinfo/analyses/trojhaxdorgen.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/rbot-aac.ide

Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file. The file is available in two formats:

Zip file: http://www.sophos.com/downloads/ide/ides.zip
Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at http://www.sophos.com/downloads/ide/using.html

*********** MIKE'S REPLY SEPARATOR ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews, see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages
http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
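The persistence and HOSTS-file indicators in the alert above can be checked offline from a .reg export and a copy of the HOSTS file. The following Python script is an added example, not part of the Sophos alert or of Mike's post; the AV-vendor watch list and the sample registry and HOSTS text in it are constructed for the example.

```python
import re

# Indicators quoted from the advisory: the dropped binary, the autorun value name and the keys it is written to.
WORM_FILE = "msnmsgs.exe"
AUTORUN_VALUE = "MSN MESSENGER"
AUTORUN_KEYS = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunServices")
AV_DOMAINS = ("sophos.com", "symantec.com", "mcafee.com")  # assumed watch list, constructed for this example

def parse_reg_export(text):
    """Yield (key, value_name, data) for each string value in a .reg export given as text."""
    key = None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"^\[(.+)\]$", line)          # [HKEY_...\Path] header starts a new key
        if m:
            key = m.group(1)
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)  # "name"="data" string value
        if m and key:
            yield key, m.group(1), m.group(2)

def autorun_hits(text):
    """Run/RunServices values named MSN MESSENGER or launching msnmsgs.exe."""
    return [(k, n, d) for k, n, d in parse_reg_export(text)
            if k.endswith(AUTORUN_KEYS)
            and (n.upper() == AUTORUN_VALUE or WORM_FILE in d.lower())]

def dcom_disabled(text):
    """True if the Ole key's EnableDCOM value has been flipped from Y to N, as the worm does."""
    return any(k.endswith("\\Microsoft\\Ole") and n == "EnableDCOM" and d.upper() == "N"
               for k, n, d in parse_reg_export(text))

def hosts_redirects(text):
    """(hostname, ip) pairs where a watched AV-vendor host has been pinned to an address."""
    hits = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()       # strip comments, then tokenise
        if len(fields) < 2:
            continue
        ip, names = fields[0], [n.lower() for n in fields[1:]]
        for name in names:
            if any(name == d or name.endswith("." + d) for d in AV_DOMAINS):
                hits.append((name, ip))
    return hits

# Constructed samples (not real captures) mirroring the advisory's indicators.
SAMPLE_REG = '''[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"MSN MESSENGER"="msnmsgs.exe"
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Ole]
"EnableDCOM"="N"'''
SAMPLE_HOSTS = "127.0.0.1 localhost\n127.0.0.1 www.sophos.com\n127.0.0.1 sophos.com  # added by worm\n"
```

Run `autorun_hits`, `dcom_disabled` and `hosts_redirects` over a `reg export` of the Run keys and the `%SYSTEM%\drivers\etc\hosts` file taken from a suspect machine; any hit is worth a look, and a clean HOSTS file should return an empty list.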