From; Sophos Alert System: Name: W32/Rbot-AAF Aliases: Backdoor.Win32.Rbot.nf, WORM_RBOT.BBP Type: Win32 worm Date: 7 April 2005 A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the May 2005 (3.93) release of Sophos Anti-Virus. Customers using EM Library, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update. At the time of writing, Sophos has received a small number of reports of this worm from the wild. Information about W32/Rbot-AAF can be found at: http://www.sophos.com/virusinfo/analyses/w32rbotaaf.html W32/Rbot-AAF is a network worm which attempts to spread via network shares. The worm contains backdoor functions that allows unauthorised remote access to the infected computer via IRC channels while running in the background. The worm spreads to network shares with weak passwords and also by using the LSASS security exploit (MS04-011), RPC-DCOM security exploit (MS03-039) and the WebDav security exploit (MS03-007). When run W32/Rbot-AAF moves itself to the Windows System folder as a hidden, read-only, system file named wuanguard32.exe. The worm then creates the following registry entries: HKCU\Software\Microsoft\OLE wuanguard wuanguard32.exe HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices wuanguard wuanguard32.exe HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run wuanguard wuanguard32.exe Once installed, W32/Rbot-AAF will attempt to partake in distributed denial of service (DDoS) attacks, download and run files from the internet, steal CD keys, log keystrokes and login to MS SQL servers and send EXEC commands to open a command shell when instructed to do so by a remote attacker. W32/Rbot-AAF may try to exploit backdoors and vulnerabilites used by the MyDoom family of worms. This IDE file also includes detection for: W32/Bropia-L http://www.sophos.com/virusinfo/analyses/w32bropial.html Troj/Multidr-DB http://www.sophos.com/virusinfo/analyses/trojmultidrdb.html Troj/Dropper-AF http://www.sophos.com/virusinfo/analyses/trojdropperaf.html W32/Rbot-AAD http://www.sophos.com/virusinfo/analyses/w32rbotaad.html Troj/Lineage-E http://www.sophos.com/virusinfo/analyses/trojlineagee.html Troj/Bancos-CB http://www.sophos.com/virusinfo/analyses/trojbancoscb.html Troj/LdPinch-AT http://www.sophos.com/virusinfo/analyses/trojldpinchat.html Download the IDE file from: http://www.sophos.com/downloads/ide/rbot-aaf.ide Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file. The file is available in two formats: Zip file: http://www.sophos.com/downloads/ide/ides.zip Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe Read about how to use IDE files at http://www.sophos.com/downloads/ide/using.html *********** MIKE"S REPLY SEPARATOR *********** Mike ~ It is a good day if I learned something new. Editor MikesWhatsNews see a sample on my web page http://www3.telus.net/mikebike <mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe> http://www3.telus.net/mikebike/worm_removal.htm See my Anti-Virus pages http://virusinfo.hackfix.org/index <virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe> A Technical Support Alliance and OWTA Charter Member