From; Sophos Alert System: Name: W32/Rbot-AAG Aliases: WORM_SDBOT.ANJ, W32.Spybot.Worm, W32/Sdbot.worm.gen.g Type: Win32 worm Date: 7 April 2005 A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the June 2005 (3.94) release of Sophos Anti-Virus. Customers using EM Library, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update. At the time of writing, Sophos has received a small number of reports of this worm from the wild. Information about W32/Rbot-AAG can be found at: http://www.sophos.com/virusinfo/analyses/w32rbotaag.html W32/Rbot-AAG is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels. W32/Rbot-AAG spreads to network shares with weak passwords and via network security exploits as a result of the backdoor Trojan element receiving the appropriate command from a remote user. W32/Rbot-AAG copies itself to the Windows system folder with the filename NTOKSRNL.EXE and creates entries at the following locations in the registry with the value "NT Service" so as to run itself on system startup, resetting these values multiple times every minute: HKLM\Software\Microsoft\Windows\CurrentVersion\Run HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices W32/Rbot-AAG also sets the following registry entry with the same value to point to itself: HKCU\Software\Microsoft\OLE W32/Rbot-AAG attempts to set the following registry entries every 2 minutes: HKLM\Software\Microsoft\OLE EnableDCOM "N" HKLM\System\CurrentControlSet\Control\Lsa restrictanonymous "1" W32/Rbot-AAG attempts to delete network shares on the host computer every 2 minutes. W32/Rbot-AAG attempts to terminate a number of processes related to security and anti-virus programs including REGEDIT.EXE, MSCONFIG.EXE and NETSTAT.EXE. W32/Rbot-AAG may attempt to log keystrokes to the file K.DAT in the Windows system folder. This IDE file also includes detection for: Troj/Dumaru-AQ http://www.sophos.com/virusinfo/analyses/trojdumaruaq.html Troj/Banker-MF http://www.sophos.com/virusinfo/analyses/trojbankermf.html Troj/Borodldr-F http://www.sophos.com/virusinfo/analyses/trojborodldrf.html Troj/Dloader-LE http://www.sophos.com/virusinfo/analyses/trojdloaderle.html W32/Myfip-L http://www.sophos.com/virusinfo/analyses/w32myfipl.html W32/Rbot-ZX http://www.sophos.com/virusinfo/analyses/w32rbotzx.html Troj/Bdoor-CPE http://www.sophos.com/virusinfo/analyses/trojbdoorcpe.html Download the IDE file from: http://www.sophos.com/downloads/ide/rbot-aag.ide Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file. The file is available in two formats: Zip file: http://www.sophos.com/downloads/ide/ides.zip Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe Read about how to use IDE files at http://www.sophos.com/downloads/ide/using.html *********** MIKE"S REPLY SEPARATOR *********** Mike ~ It is a good day if I learned something new. Editor MikesWhatsNews see a sample on my web page http://www3.telus.net/mikebike <mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe> http://www3.telus.net/mikebike/worm_removal.htm See my Anti-Virus pages http://virusinfo.hackfix.org/index <virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe> A Technical Support Alliance and OWTA Charter Member