[virusinfo] W32/Rbot-AAF
- From: "Mike" <mikebike@xxxxxxxxx>
- To: virusinfo@xxxxxxxxxxxxx
- Date: Thu, 07 Apr 2005 09:20:28 -0700
From; Sophos Alert System:
Name: W32/Rbot-AAF
Aliases: Backdoor.Win32.Rbot.nf, WORM_RBOT.BBP
Type: Win32 worm
Date: 7 April 2005
A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the May 2005 (3.93) release of Sophos Anti-Virus.
Customers using EM Library, PureMessage or any of our Sophos
small business solutions will be automatically protected at
their next scheduled update.
At the time of writing, Sophos has received a small number of
reports of this worm from the wild.
Information about W32/Rbot-AAF can be found at:
http://www.sophos.com/virusinfo/analyses/w32rbotaaf.html
W32/Rbot-AAF is a network worm which attempts to spread via network shares. The
worm contains backdoor functions that allows unauthorised remote access to the
infected computer via IRC channels while running in the background.
The worm spreads to network shares with weak passwords and also by using the
LSASS security exploit (MS04-011), RPC-DCOM security exploit (MS03-039) and the
WebDav security exploit (MS03-007).
When run W32/Rbot-AAF moves itself to the Windows System folder as a hidden,
read-only, system file named wuanguard32.exe.
The worm then creates the following registry entries:
HKCU\Software\Microsoft\OLE
wuanguard
wuanguard32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
wuanguard
wuanguard32.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
wuanguard
wuanguard32.exe
Once installed, W32/Rbot-AAF will attempt to partake in distributed denial of
service (DDoS) attacks, download and run files from the internet, steal CD
keys, log keystrokes and login to MS SQL servers and send EXEC commands to open
a command shell when instructed to do so by a remote attacker.
W32/Rbot-AAF may try to exploit backdoors and vulnerabilites used by the MyDoom
family of worms.
This IDE file also includes detection for:
W32/Bropia-L
http://www.sophos.com/virusinfo/analyses/w32bropial.html
Troj/Multidr-DB
http://www.sophos.com/virusinfo/analyses/trojmultidrdb.html
Troj/Dropper-AF
http://www.sophos.com/virusinfo/analyses/trojdropperaf.html
W32/Rbot-AAD
http://www.sophos.com/virusinfo/analyses/w32rbotaad.html
Troj/Lineage-E
http://www.sophos.com/virusinfo/analyses/trojlineagee.html
Troj/Bancos-CB
http://www.sophos.com/virusinfo/analyses/trojbancoscb.html
Troj/LdPinch-AT
http://www.sophos.com/virusinfo/analyses/trojldpinchat.html
Download the IDE file from:
http://www.sophos.com/downloads/ide/rbot-aaf.ide
Download all the IDE files available for the current version of
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:
Zip file:
http://www.sophos.com/downloads/ide/ides.zip
Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe
Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html
*********** MIKE"S REPLY SEPARATOR ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
Other related posts:
- » [virusinfo] W32/Rbot-AAF
