From; Panada Sophos Alert System: Name: W32/Rbot-XW Type: Win32 worm Date: 15 March 2005 A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the May 2005 (3.93) release of Sophos Anti-Virus. Customers using EM Library, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update. At the time of writing, Sophos has received a small number of reports of this worm from the wild. Information about W32/Rbot-XW can be found at: http://www.sophos.com/virusinfo/analyses/w32rbotxw.html W32/Rbot-XW is a network worm and IRC backdoor Trojan for the Windows platform. W32/Rbot-XW spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers, exploiting operating system vulnerabilities (including DCOM-RPC and LSASS). W32/Rbot-XW can be controlled by a remote attacker over IRC channels. The backdoor component of W32/Rbot-XW can be instructed by a remote user to perform the following functions: start an FTP server start a web server take part in distributed denial of service (DDoS) attacks log keypresses packet sniffing port scanning download/execute arbitrary files start a remote shell (RLOGIN) terminate processes The worm copies itself to a file named lsasss.exe in the Windows system folder and creates the following registry entries: HKLM\Software\Microsoft\Windows\CurrentVersion\Run System32 lsasss.exe HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices System32 lsasss.exe HKCU\Software\Microsoft\Windows\CurrentVersion\Run System32 lsasss.exe Patches for the operating system vulnerabilities exploited by W32/Rbot-XW can be obtained from Microsoft at: http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx This IDE file also includes detection for: Troj/LegMir-AAZ http://www.sophos.com/virusinfo/analyses/trojlegmiraaz.html Troj/IRCBot-AB http://www.sophos.com/virusinfo/analyses/trojircbotab.html Troj/Mdrop-AS http://www.sophos.com/virusinfo/analyses/trojmdropas.html Troj/Rbot-XV http://www.sophos.com/virusinfo/analyses/trojrbotxv.html Troj/Dloader-JF http://www.sophos.com/virusinfo/analyses/trojdloaderjf.html W32/Codbot-S http://www.sophos.com/virusinfo/analyses/w32codbots.html Troj/Banker-BN http://www.sophos.com/virusinfo/analyses/trojbankerbn.html Troj/Bancban-BU http://www.sophos.com/virusinfo/analyses/trojbancbanbu.html Troj/Bancos-BP http://www.sophos.com/virusinfo/analyses/trojbancosbp.html Download the IDE file from: http://www.sophos.com/downloads/ide/rbotxw.ide Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file. The file is available in two formats: Zip file: http://www.sophos.com/downloads/ide/ides.zip Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe Read about how to use IDE files at http://www.sophos.com/downloads/ide/using.html *********** MIKE"S REPLY SEPARATOR *********** Mike ~ It is a good day if I learned something new. Editor MikesWhatsNews see a sample on my web page http://www3.telus.net/mikebike <mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe> http://www3.telus.net/mikebike/worm_removal.htm See my Anti-Virus pages http://virusinfo.hackfix.org/index <virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe> A Technical Support Alliance and OWTA Charter Member
