From; Sophos Alert System: Name: W32/Sdbot-WK Type: Win32 worm Date: 28 March 2005 A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the May 2005 (3.93) release of Sophos Anti-Virus. Customers using EM Library, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update. At the time of writing, Sophos has received a small number of reports of this worm from the wild. Information about W32/Sdbot-WK can be found at: http://www.sophos.com/virusinfo/analyses/w32sdbotwk.html W32/Sdbot-WK is a network worm with backdoor functionality for the Windows platform. W32/Sdbot-WK is capable of spreading to computers on the local network protected by weak passwords after receiving the appropriate backdoor command. W32/Sdbot-WK will also attempt to spread by exploiting the following vulnerabilities: RPC DCOM (MS03-026, MS03-039, MS04-012) LSASS (MS04-011) WorKStation service (MS03-049) Microsoft SQL Server 2000 (pre service pack 3) (CAN-2002-0649) Microsoft SQL servers with weak passwords When first run, W32/Sdbot-WK moves itself to the Windows system folder as PC.EXE. In order to run automatically each time a user logs on, W32/Sdbot-WK will set the following registry entries: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Service Drivers PC.EXE HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices Service Drivers PC.EXE HKLM\Software\Microsoft\Windows\CurrentVersion\Run Service Drivers PC.EXE HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices Service Drivers PC.EXE W32/Sdbot-WK will attempt to stealth itself by dropping and running a file named MSDIRECTX.SYS. This file runs as a service named "msdirectx" and is detected as Troj/NtRootK-F. W32/Sdbot-WK runs continuously in the background, providing backdoor access to the infected computer over IRC channels. W32/Sdbot-WK will modify the following registry entries in order to disable DCOM and close restrictions on IPC$ shares: HKLM\SOFTWARE\Microsoft\Ole EnableDCOM N HKLM\SYSTEM\CurrentControlSet\Control\Lsa restrictanonymous 1 W32/Sdbot-WK will attempt to disable the Windows Internet Connection Firewall and Automatic Updates by modifying the following registry entries: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Start HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Start W32/Sdbot-WK can add and delete network shares and users on the infected computer. W32/Sdbot-WK may modify the HOSTS file found in the %SYSTEM%\driver\etc folder in order to deny access to certain anti-virus websites. For example, 127.0.0.1 www.sophos.com 127.0.0.1 sophos.com W32/Sdbot-WK will attempt to terminate a large number of security and anti-virus related processes. This IDE file also includes detection for: Troj/Agent-CR http://www.sophos.com/virusinfo/analyses/trojagentcr.html Troj/Spybot-DM http://www.sophos.com/virusinfo/analyses/trojspybotdm.html Troj/Bdoor-FX http://www.sophos.com/virusinfo/analyses/trojbdoorfx.html Troj/Dluca-DN http://www.sophos.com/virusinfo/analyses/trojdlucadn.html Troj/Certif-D http://www.sophos.com/virusinfo/analyses/trojcertifd.html Troj/Dloader-KC http://www.sophos.com/virusinfo/analyses/trojdloaderkc.html Troj/Banker-MO http://www.sophos.com/virusinfo/analyses/trojbankermo.html Download the IDE file from: http://www.sophos.com/downloads/ide/sdbot-wk.ide Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file. The file is available in two formats: Zip file: http://www.sophos.com/downloads/ide/ides.zip Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe Read about how to use IDE files at http://www.sophos.com/downloads/ide/using.html *********** MIKE"S REPLY SEPARATOR *********** Mike ~ It is a good day if I learned something new. Editor MikesWhatsNews see a sample on my web page http://www3.telus.net/mikebike <mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe> http://www3.telus.net/mikebike/worm_removal.htm See my Anti-Virus pages http://virusinfo.hackfix.org/index <virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe> A Technical Support Alliance and OWTA Charter Member