FRom; Sophos Alert System: Name: W32/Rbot-XM Aliases: Backdoor.Win32.Rbot.gen Type: Win32 worm Date: 11 March 2005 A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the May 2005 (3.93) release of Sophos Anti-Virus. Customers using EM Library, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update. At the time of writing, Sophos has received a small number of reports of this worm from the wild. Information about W32/Rbot-XM can be found at: http://www.sophos.com/virusinfo/analyses/w32rbotxm.html W32/Rbot-XM is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels. W32/Rbot-XM spreads to network shares with weak passwords and via network security exploits as a result of the backdoor Trojan element receiving the appropriate command from a remote user. W32/Rbot-XM copies itself to the Windows system folder as CMD16.EXE and creates entries at the following locations in the registry with the value "Dynamic Dns Binary" so as to run itself on system startup, resetting these values every minute: HKLM\Software\Microsoft\Windows\CurrentVersion\Run HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices HKCU\Software\Microsoft\Windows\CurrentVersion\Run W32/Rbot-XM attempts to set the following registry entries every 2 minutes: HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N" HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1" W32/Rbot-XM attempts to delete network shares on the host computer every 2 minutes. W32/Rbot-XM attempts to terminate a number of processes related to security and anti-virus programs including REGEDIT.EXE, MSCONFIG.EXE and NETSTAT.EXE. W32/Rbot-XM may attempt to log keystrokes to the file WINKEYCFG32.TXT in the Windows system folder. This IDE file also includes detection for: Troj/Multidr-CL http://www.sophos.com/virusinfo/analyses/trojmultidrcl.html Troj/Vipgsm-AA http://www.sophos.com/virusinfo/analyses/trojvipgsmaa.html W32/Diaper-A http://www.sophos.com/virusinfo/analyses/w32diapera.html Troj/Dloader-KM http://www.sophos.com/virusinfo/analyses/trojdloaderkm.html Troj/Dloader-JC http://www.sophos.com/virusinfo/analyses/trojdloaderjc.html Troj/Bancos-BN http://www.sophos.com/virusinfo/analyses/trojbancosbn.html W32/Rbot-XP http://www.sophos.com/virusinfo/analyses/w32rbotxp.html Download the IDE file from: http://www.sophos.com/downloads/ide/rbot-xm.ide Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file. The file is available in two formats: Zip file: http://www.sophos.com/downloads/ide/ides.zip Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe Read about how to use IDE files at http://www.sophos.com/downloads/ide/using.html *********** MIKE"S REPLY SEPARATOR *********** Mike ~ It is a good day if I learned something new. Editor MikesWhatsNews see a sample on my web page http://www3.telus.net/mikebike <mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe> http://www3.telus.net/mikebike/worm_removal.htm See my Anti-Virus pages http://virusinfo.hackfix.org/index <virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe> A Technical Support Alliance and OWTA Charter Member
