From; Sophos Alert System: Name: W32/Rbot-XE Type: Win32 worm Date: 9 March 2005 A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the April 2005 (3.92) release of Sophos Anti-Virus. Customers using EM Library, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update. At the time of writing, Sophos has received a small number of reports of this worm from the wild. Information about W32/Rbot-XE can be found at: http://www.sophos.com/virusinfo/analyses/w32rbotxe.html W32/Rbot-XE is a network worm with a backdoor functionality for the Windows platform that allows unauthorised remote access to the infected computer via IRC channels while running in the background as a service process. W32/Rbot-XE spreads to the weakly protected network shares and via network security exploits as a result of the backdoor Trojan element receiving the appropriate command from a remote user. Once executed W32/Rbot-XE copies itself to the Windows system folder with the filename mcafee32.exe, and in order to be able to run automatically when Windows starts up sets the registry entry: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell Explorer.exe mcafee32.exe W32/Rbot-XE also may set the following registry entries: HKLM\SOFTWARE\Microsoft\Ole EnableDCOM N HKLM\SYSTEM\CurrentControlSet\Control\Lsa restrictanonymous 1 W32/Rbot-XE may modify the following registry entry to restrict anonymous enumeration of SAM accounts: HKLM\SYSTEM\CurrentControlSet\Control\Lsa restrictanonymousSAM W32/Rbot-XE can add and delete network shares and users on the infected computer. The worm can also change the network logon rights of accounts in the local system policy. W32/Rbot-XE may change the security settings of Microsoft Internet Explorer by modifying entries in the registry at the following location: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 This IDE file also includes detection for: Troj/Mdrop-AN http://www.sophos.com/virusinfo/analyses/trojmdropan.html Troj/Multidr-CJ http://www.sophos.com/virusinfo/analyses/trojmultidrcj.html Troj/Multidr-CI http://www.sophos.com/virusinfo/analyses/trojmultidrci.html Troj/MircKit-A http://www.sophos.com/virusinfo/analyses/trojmirckita.html Troj/Multidr-CH http://www.sophos.com/virusinfo/analyses/trojmultidrch.html Troj/Prutec-D http://www.sophos.com/virusinfo/analyses/trojprutecd.html Troj/Istbar-AP http://www.sophos.com/virusinfo/analyses/trojistbarap.html Download the IDE file from: http://www.sophos.com/downloads/ide/rbotxe.ide Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file. The file is available in two formats: Zip file: http://www.sophos.com/downloads/ide/ides.zip Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe Read about how to use IDE files at http://www.sophos.com/downloads/ide/using.html *********** MIKE"S REPLY SEPARATOR *********** Mike ~ It is a good day if I learned something new. Editor MikesWhatsNews see a sample on my web page http://www3.telus.net/mikebike <mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe> http://www3.telus.net/mikebike/worm_removal.htm See my Anti-Virus pages http://virusinfo.hackfix.org/index <virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe> A Technical Support Alliance and OWTA Charter Member
