From; Sophos Alert System: Name: W32/Rbot-AAJ Aliases: Backdoor.Win32.Rbot.gen Type: Win32 worm Date: 12 April 2005 A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the June 2005 (3.94) release of Sophos Anti-Virus. Customers using EM Library, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update. At the time of writing, Sophos has received a small number of reports of this worm from the wild. Information about W32/Rbot-AAJ can be found at: http://www.sophos.com/virusinfo/analyses/w32rbotaaj.html W32/Rbot-AAJ is a worm with backdoor Trojan functionality. W32/Rbot-AAJ is capable of spreading to computers on the local network protected by weak passwords after receiving the appropriate backdoor command. W32/Rbot-AAJ will attempt to spread by exploiting the following vulnerabilities: DCOM (MS04-012) LSASS (MS04-011) Microsoft SQL servers with weak passwords When first run, W32/Rbot-AAJ moves itself to the Windows system folder as WINTSK32DLL.EXE. In order to run automatically each time a user logs in, W32/Rbot-AAJ will set the following registry entries: HKLM\Software\Microsoft\Windows\CurrentVersion\Run wintsk32dll wintsk32dll.exe HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices wintsk32dll wintsk32dll.exe W32/Rbot-AAJ will also set the following registry entry: HKCU\Software\Microsoft\OLE wintsk32dll wintsk32dll.exe The worm runs continuously in the background, providing backdoor access to the infected computer over IRC channels. W32/Rbot-AAJ may modify the following registry entries in order to enable/disable DCOM and open/close restrictions on IPC$ shares: HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous This IDE file also includes detection for: Troj/Dropper-AT http://www.sophos.com/virusinfo/analyses/trojdropperat.html Troj/SCKeyLog-C http://www.sophos.com/virusinfo/analyses/trojsckeylogc.html Troj/Small-EF http://www.sophos.com/virusinfo/analyses/trojsmallef.html Troj/Dloader-LI http://www.sophos.com/virusinfo/analyses/trojdloaderli.html Troj/Bancos-CC http://www.sophos.com/virusinfo/analyses/trojbancoscc.html Troj/Psyme-BQ http://www.sophos.com/virusinfo/analyses/trojpsymebq.html Troj/Dloader-LH http://www.sophos.com/virusinfo/analyses/trojdloaderlh.html Troj/Ablank-R http://www.sophos.com/virusinfo/analyses/trojablankr.html Troj/LegMir-AC http://www.sophos.com/virusinfo/analyses/trojlegmirac.html Troj/Multidr-DF http://www.sophos.com/virusinfo/analyses/trojmultidrdf.html Troj/Multidr-DG http://www.sophos.com/virusinfo/analyses/trojmultidrdg.html W32/Rbot-AAH http://www.sophos.com/virusinfo/analyses/w32rbotaah.html W32/Rbot-AAI http://www.sophos.com/virusinfo/analyses/w32rbotaai.html Download the IDE file from: http://www.sophos.com/downloads/ide/rbot-aaj.ide Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file. The file is available in two formats: Zip file: http://www.sophos.com/downloads/ide/ides.zip Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe Read about how to use IDE files at http://www.sophos.com/downloads/ide/using.html *********** MIKE"S REPLY SEPARATOR *********** Mike ~ It is a good day if I learned something new. Editor MikesWhatsNews see a sample on my web page http://www3.telus.net/mikebike <mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe> http://www3.telus.net/mikebike/worm_removal.htm See my Anti-Virus pages http://virusinfo.hackfix.org/index <virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe> A Technical Support Alliance and OWTA Charter Member
