From; Sophos Alert System: Name: W32/Rbot-WX Aliases: Backdoor.Win32.IRCBot.y Type: Win32 worm Date: 6 March 2005 A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the April 2005 (3.92) release of Sophos Anti-Virus. Customers using EM Library, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update. At the time of writing, Sophos has received a small number of reports of this worm from the wild. Information about W32/Rbot-WX can be found at: http://www.sophos.com/virusinfo/analyses/w32rbotwx.html W32/Rbot-WX is a network worm and IRC backdoor Trojan for the Windows platform. W32/Rbot-WX spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers, exploiting operating system vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using backdoors opened by other worms or Trojans. W32/Rbot-WX can be controlled by a remote attacker over IRC channels. The backdoor component of W32/Rbot-WX can be instructed by a remote user to perform the following functions: start an FTP server start a Proxy server start a web server take part in distributed denial of service (DDoS) attacks log keypresses capture screen/webcam images packet sniffing port scanning download/execute arbitrary files start a remote shell (RLOGIN) The worm copies itself to a file named lsassx.exe in the Windows system folder and creates the following registry entries: HKCU\Software\Microsoft\OLE\ Windows Taskmanager= "lsassx.exe" HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ Windows Taskmanager= "lsassx.exe" HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\ Windows Taskmanager= "lsassx.exe" This IDE file also includes detection for: Troj/Small-EH http://www.sophos.com/virusinfo/analyses/trojsmalleh.html Troj/Banker-BK http://www.sophos.com/virusinfo/analyses/trojbankerbk.html Troj/Nolram-A http://www.sophos.com/virusinfo/analyses/trojnolrama.html Troj/Banker-BL http://www.sophos.com/virusinfo/analyses/trojbankerbl.html Troj/Goldun-Q http://www.sophos.com/virusinfo/analyses/trojgoldunq.html Troj/Bancos-BL http://www.sophos.com/virusinfo/analyses/trojbancosbl.html Troj/Roneve-A http://www.sophos.com/virusinfo/analyses/trojronevea.html W32/Codbot-I http://www.sophos.com/virusinfo/analyses/w32codboti.html W32/Bropia-K http://www.sophos.com/virusinfo/analyses/w32bropiak.html Troj/Goldun-P http://www.sophos.com/virusinfo/analyses/trojgoldunp.html Download the IDE file from: http://www.sophos.com/downloads/ide/rbot-wx.ide Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file. The file is available in two formats: Zip file: http://www.sophos.com/downloads/ide/ides.zip Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe Read about how to use IDE files at http://www.sophos.com/downloads/ide/using.html *********** MIKE"S REPLY SEPARATOR *********** Mike ~ It is a good day if I learned something new. Editor MikesWhatsNews see a sample on my web page http://www3.telus.net/mikebike <mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe> http://www3.telus.net/mikebike/worm_removal.htm See my Anti-Virus pages http://virusinfo.hackfix.org/index <virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe> A Technical Support Alliance and OWTA Charter Member
