From; Sophos Alert System: Name: W32/Sdbot-WM Aliases: Backdoor.Win32.SdBot.un Type: Win32 worm Date: 25 April 2005 A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the June 2005 (3.94) release of Sophos Anti-Virus. Customers using EM Library, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update. At the time of writing, Sophos has received a small number of reports of this worm from the wild. Note: The IDE issued for W32/Sdbot-WM at 29 March 2005 13:16:33 (GMT) also contained detection for Troj/Zapchas-F, Troj/Small-DV and Troj/Servu-AR. This IDE has now been updated to enhance detection of Troj/Zapchas-F. Information about W32/Sdbot-WM can be found at: http://www.sophos.com/virusinfo/analyses/w32sdbotwm.html W32/Sdbot-WM is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels. W32/Sdbot-WM attempts to spread to network shares with weak passwords. W32/Sdbot-WM copies itself to the Windows system folder as MSNMSGR.EXE and creates entries at the following locations in the registry with the value "Microsoft Windows Update" so as to run itself on system startup: HKLM\Software\Microsoft\Windows\CurrentVersion\Run HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices HKCU\Software\Microsoft\Windows\CurrentVersion\Run W32/Sdbot-WM may attempt to send a message via certain instant messenger programs to encourage users to download a file from the website http://kasized.com. At the time of writing this file was unavailable for download. W32/Sdbot-WM may set the following registry entry: HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N" W32/Sdbot-WM may attempt to delete network shares on the host computer. W32/Sdbot-WM may attempt to log keystrokes to the file KEYLOG.TXT in the Windows system folder. W32/Sdbot-WM also copies itself to the filename MSNCFG.DAT and may also copy itself to the filename PAYLOAD.DAT. This IDE file also includes detection for: Troj/Zapchas-F http://www.sophos.com/virusinfo/analyses/trojzapchasf.html Troj/Small-DV http://www.sophos.com/virusinfo/analyses/trojsmalldv.html Troj/Servu-AR http://www.sophos.com/virusinfo/analyses/trojservuar.html Download the IDE file from: http://www.sophos.com/downloads/ide/sdbot-wm.ide Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file. The file is available in two formats: Zip file: http://www.sophos.com/downloads/ide/ides.zip Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe Read about how to use IDE files at http://www.sophos.com/downloads/ide/using.html *********** MIKE"S REPLY SEPARATOR *********** Mike ~ It is a good day if I learned something new. Editor MikesWhatsNews see a sample on my web page http://www3.telus.net/mikebike <mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe> http://www3.telus.net/mikebike/worm_removal.htm See my Anti-Virus pages http://virusinfo.hackfix.org/index <virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe> A Technical Support Alliance and OWTA Charter Member