From; Sophos Alert System: Name: W32/Rbot-YY Aliases: Backdoor.Win32.Rbot.lm Type: Win32 worm Date: 17 March 2005 A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the May 2005 (3.93) release of Sophos Anti-Virus. Customers using EM Library, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update. At the time of writing, Sophos has received no reports from users affected by this worm. However, we have issued this advisory following enquiries to our support department from customers. Information about W32/Rbot-YY can be found at: http://www.sophos.com/virusinfo/analyses/w32rbotyy.html W32/Rbot-YY is a network worm with backdoor Trojan functionality for the Windows platform. The worm copies itself to a file named dos.exe in the Windows system folder and creates the following registry entries: HKCU\Software\Microsoft\OLE WIN32 DDOSSER "dos.exe" HKLM\Software\Microsoft\Windows\CurrentVersion\Run WIN32 DDOSSER "dos.exe" HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices WIN32 DDOSSER "dos.exe" W32/Rbot-YY spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers, exploiting operating system vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using backdoors opened by other worms or Trojans. W32/Rbot-YY can be controlled by a remote attacker over IRC channels. The backdoor component of W32/Rbot-YY can be instructed by a remote user to perform the following functions: start an FTP server start a Proxy server start a web server take part in distributed denial of service (DDoS) attacks log keypresses capture screen/webcam images packet sniffing port scanning download/execute arbitrary files start a remote shell (RLOGIN) steal product registration information from certain software Patches for the operating system vulnerabilities exploited by W32/Rbot-YY can be obtained from Microsoft at: http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx http://www.microsoft.com/technet/security/bulletin/ms03-039.mspx http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx http://www.microsoft.com/technet/security/bulletin/ms01-059.mspx This IDE file also includes detection for: Troj/Dloader-JO http://www.sophos.com/virusinfo/analyses/trojdloaderjo.html Troj/AdClick-AK http://www.sophos.com/virusinfo/analyses/trojadclickak.html W32/Kelvir-E http://www.sophos.com/virusinfo/analyses/w32kelvire.html Linux/Xone-A http://www.sophos.com/virusinfo/analyses/linuxxonea.html Troj/Rootkit-S http://www.sophos.com/virusinfo/analyses/trojrootkits.html Download the IDE file from: http://www.sophos.com/downloads/ide/rbot-yy.ide Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file. The file is available in two formats: Zip file: http://www.sophos.com/downloads/ide/ides.zip Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe Read about how to use IDE files at http://www.sophos.com/downloads/ide/using.html *********** MIKE"S REPLY SEPARATOR *********** Mike ~ It is a good day if I learned something new. Editor MikesWhatsNews see a sample on my web page http://www3.telus.net/mikebike <mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe> http://www3.telus.net/mikebike/worm_removal.htm See my Anti-Virus pages http://virusinfo.hackfix.org/index <virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe> A Technical Support Alliance and OWTA Charter Member