From: Sophos Alert System

Name: W32/Stubbot-A
Aliases: Backdoor.Win32.Stub.b
Type: Win32 worm
Date: 1 April 2005

A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the May 2005 (3.93) release of Sophos Anti-Virus.

Customers using EM Library, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update.

At the time of writing, Sophos has received a small number of reports of this worm from the wild.

Information about W32/Stubbot-A can be found at:
http://www.sophos.com/virusinfo/analyses/w32stubbota.html

W32/Stubbot-A is a network worm with backdoor functionality for the Windows platform.

W32/Stubbot-A can spread to remote network shares protected by weak passwords, computers that have a backdoor opened by the MyDoom worm on port 3127, P2P file-sharing networks and email.

W32/Stubbot-A connects to a preconfigured IRC server and opens up a backdoor allowing unauthorised remote access to the infected computer via the IRC network.

W32/Stubbot-A runs in the background waiting for commands from a remote intruder. The worm can be instructed to download and run files, log keypresses, start a web-server to aid distribution during spreading, download bot plugins, delete files, start a remote command shell, send itself to other IRC users and send itself as an email attachment.

W32/Stubbot-A copies itself to the Windows folder as "stubbish.exe" and creates the text file "stbn.ick" for its own use.

The worm creates the following registry entries in order to run automatically on computer logon:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Stubbish
    <Windows folder>\Stubbish.exe

The worm can copy itself to the shared folders of the P2P networking programs eDonkey2000, Morpheus, Xolox, Kazaa, Shareaza and LimeWire with one of the following filenames:

    MSNPasswordStealer_Setup.exe
    MSNHack.exe
    AOL_Hack.exe
    AOL_Password_Stealer.exe
    mIRC 7.0 Beta.exe
    MSNBot_Setup.exe
    Winamp5.7Beta.exe
    MSN7Beta.exe

Email attachments sent by the worm can have one of the following filenames:

    Test.exe
    Test.pif
    Details.pif
    Decrypt_mail.pif
    Message.pif
    Instructions-howtofix.txt.pif
    Confirm.exe.pif
    Protected.Storage.Encrytpde.XOR.34h.pif
    haha.pif
    Screensave.scr

This IDE file also includes detection for:

    Troj/LegMir-JA    http://www.sophos.com/virusinfo/analyses/trojlegmirja.html
    Troj/PowerSpi-B   http://www.sophos.com/virusinfo/analyses/trojpowerspib.html
    W32/Rbot-ZL       http://www.sophos.com/virusinfo/analyses/w32rbotzl.html
    Troj/Feutel-C     http://www.sophos.com/virusinfo/analyses/trojfeutelc.html
    Dial/DialCar-H    http://www.sophos.com/virusinfo/analyses/dialdialcarh.html
    Troj/Dloader-KT   http://www.sophos.com/virusinfo/analyses/trojdloaderkt.html
    W32/Rbot-ZJ       http://www.sophos.com/virusinfo/analyses/w32rbotzj.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/stubbo-a.ide

Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file. The file is available in two formats:

    Zip file:             http://www.sophos.com/downloads/ide/ides.zip
    Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

*********** MIKE'S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews, see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages
http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
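
A triage check built from the indicators in the alert above, as an added example that is not part of the original post and not Sophos tooling: it parses `reg query` text output and a file listing, then flags the Run value, the dropped files and the P2P lure filenames. The sample registry output and file paths are constructed for illustration; a filename match is a hint for investigation, not a verdict.

```python
import ntpath
import re

# Indicators copied from the alert text (compared case-insensitively).
RUN_KEY = r"hklm\software\microsoft\windows\currentversion\run"
DROPPED = {"stubbish.exe", "stbn.ick"}
P2P_LURES = {n.lower() for n in (
    "MSNPasswordStealer_Setup.exe", "MSNHack.exe", "AOL_Hack.exe",
    "AOL_Password_Stealer.exe", "mIRC 7.0 Beta.exe", "MSNBot_Setup.exe",
    "Winamp5.7Beta.exe", "MSN7Beta.exe")}

def parse_reg_query(text):
    """Yield (key, value_name, data) tuples from `reg query` text output."""
    key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line = key path
            key = line.strip()
            continue
        m = re.match(r"\s+(.+?)\s+(REG_\w+)\s*(.*)$", line)
        if m and key:
            yield key, m.group(1), m.group(3)

def scan(reg_text, paths):
    """Return (kind, detail) findings for the alert's indicators."""
    findings = []
    for key, name, data in parse_reg_query(reg_text):
        k = key.lower().replace("hkey_local_machine", "hklm", 1)
        exe = ntpath.basename(data.strip('"')).lower()
        if k == RUN_KEY and (name.lower() == "stubbish" or exe == "stubbish.exe"):
            findings.append(("autorun", f"{name} -> {data}"))
    for p in paths:
        base = ntpath.basename(p).lower()
        if base in DROPPED:
            findings.append(("dropped-file", p))
        elif base in P2P_LURES:
            findings.append(("p2p-lure", p))
    return findings

# Constructed sample input (not taken from a real host).
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Stubbish    REG_SZ    C:\WINDOWS\Stubbish.exe
"""
SAMPLE_PATHS = [r"C:\WINDOWS\stubbish.exe", r"C:\WINDOWS\stbn.ick",
                r"C:\Program Files\Kazaa\My Shared Folder\MSNHack.exe",
                r"C:\WINDOWS\notepad.exe"]

if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_REG, SAMPLE_PATHS):
        print(kind, detail)
```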