From; Sophos Alert System: Name: W32/Sdbot-XC Aliases: Backdoor.Win32.Agobot.abl, W32/Sdbot.worm.gen.w virus Type: Win32 worm Date: 14 April 2005 A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the June 2005 (3.94) release of Sophos Anti-Virus. Customers using EM Library, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update. At the time of writing, Sophos has received a small number of reports of this worm from the wild. Information about W32/Sdbot-XC can be found at: http://www.sophos.com/virusinfo/analyses/w32sdbotxc.html W32/Sdbot-XC is a network worm with backdoor functionality for the Windows platform. When first run, W32/Sdbot-XC copies itself to the Windows system folder as systeminfos.exe and creates the following registry entries in order to run each time a user logs on: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ Compaq Service Drivers systeminfos.exe HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\ Compaq Service Drivers systeminfos.exe HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ Compaq Service Drivers systeminfos.exe HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\ Compaq Service Drivers systeminfos.exe The worm spreads through network shares protected by weak passwords, MS-SQL servers and through various operating system vulnerabilities. W32/Sdbot-XC connects to a predetermined IRC channel and awaits further commands from remote users. The backdoor component of W32/Sdbot-XC can be instructed to perform the following functions: scan networks for vulnerabilities download/execute arbitrary files start an ftp server Patches for the vulnerabilities exploited by W32/Sdbot-XC can be obtained from Microsoft at: http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx http://www.microsoft.com/technet/security/bulletin/ms03-039.mspx W32/Sdbot-XC also drops a file to the current folder as msdirectx.sys. The dropped file is detected by Sophos's anti-virus products as Troj/NtRootK-F. W32/Sdbot-XC terminates a number of processes including ones related to various AV and security applications as well as TASKMGR.EXE and REGEDIT.EXE. This IDE file also includes detection for: Troj/Xrat-B http://www.sophos.com/virusinfo/analyses/trojxratb.html Troj/Xrat-A http://www.sophos.com/virusinfo/analyses/trojxrata.html W32/Sdbot-XB http://www.sophos.com/virusinfo/analyses/w32sdbotxb.html W32/Rbot-AAO http://www.sophos.com/virusinfo/analyses/w32rbotaao.html W32/Sdbot-XA http://www.sophos.com/virusinfo/analyses/w32sdbotxa.html Troj/WStart-C http://www.sophos.com/virusinfo/analyses/trojwstartc.html Troj/PurScan-Y http://www.sophos.com/virusinfo/analyses/trojpurscany.html Troj/QQRob-C http://www.sophos.com/virusinfo/analyses/trojqqrobc.html Troj/BDDelf-OJ http://www.sophos.com/virusinfo/analyses/trojbddelfoj.html Download the IDE file from: http://www.sophos.com/downloads/ide/sdbot-xc.ide Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file. The file is available in two formats: Zip file: http://www.sophos.com/downloads/ide/ides.zip Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe Read about how to use IDE files at http://www.sophos.com/downloads/ide/using.html *********** MIKE"S REPLY SEPARATOR *********** Mike ~ It is a good day if I learned something new. Editor MikesWhatsNews see a sample on my web page http://www3.telus.net/mikebike <mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe> http://www3.telus.net/mikebike/worm_removal.htm See my Anti-Virus pages http://virusinfo.hackfix.org/index <virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe> A Technical Support Alliance and OWTA Charter Member