echo: virus_info
to: All
from: Daryl Stout
date: 2004-02-09 11:55:00
subject: Virus News 1/4

This message was from KURT WISMER to ALL
and was forwarded to you by DARYL STOUT
---------------------------------------- [cut-n-paste from sophos.com]

Troj/Sdbot-FM

Aliases
Backdoor.SdBot.gen, BKDR_Sdbot.Gen

Type
Trojan

Detection
At the time of writing, Sophos has received just one report of this Trojan
from the wild.

Description
Troj/Sdbot-FM is a backdoor Trojan which runs in the background as a
service process and allows unauthorised remote access to the computer via
IRC channels.

The Trojan copies itself to the Windows system folder as svch0st.exe and
creates entries in the registry at the following locations to run itself on
system restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

The Trojan remains resident, listening for commands from remote users. If
it receives the appropriate command the Trojan attempts to drop and execute
a batch file detected as Bat/Botsecure-A in order to change the user's
security settings.

W32/Agobot-CP

Aliases
Backdoor.Agobot.3.gen

Type
Win32 worm

Detection
At the time of writing, Sophos has received just one report of this worm
from the wild.

Description
W32/Agobot-CP is an IRC backdoor Trojan and network worm.

W32/Agobot-CP copies itself to network shares with weak passwords and
attempts to spread to computers using the DCOM RPC and the RPC locator
vulnerabilities.

These vulnerabilities allow the worm to execute its code on target
computers with System level privileges. For further information on these
vulnerabilities and for details on how to protect/patch the computer
against such attacks please see Microsoft security bulletins MS03-001 and
MS03-026. MS03-026 has been superseded by Microsoft security bulletin
MS03-039.

When first run, W32/Agobot-CP copies itself to the Windows system32 folder
with the filename winpn32.exe and creates the following registry entries so
that the worm is run when Windows starts up:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinPN32 = winpn32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\WinPN32 = winpn32.exe

W32/Agobot-CP connects to a remote IRC server and joins a specific channel.
The backdoor functionality of the worm can then be accessed by an attacker
using the IRC network.

The worm also attempts to terminate and disable various security-related programs.

W32/Mimail-T

Aliases
W32/Mimail.gen{at}MM

Type
Win32 worm

Detection

(Continued to next message)
---
 * OLX 1.53 * Thesaurus: ancient reptile with an excellent vocabulary.
 * PDQWK 2.52 #5


--- GTMail 1.26 
* Origin: The Thunderbolt BBS, Little Rock, Arkansas (1:3821/33.0)
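Both descriptions in the forwarded advisory point at the same persistence mechanism (the Run and RunServices autostart keys) and name the dropped files (svch0st.exe, winpn32.exe). As an added example, not part of the forwarded message or of Sophos's tooling, the Python below parses a regedit text export and flags autostart entries that match those names or that imitate a system binary through digit-for-letter substitution; the sample export and the lookalike heuristic are constructed here for illustration.

```python
import re

# Constructed sample of a regedit text export (not a real capture).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"WinPN32"="winpn32.exe"
"svch0st"="C:\\WINDOWS\\system32\\svch0st.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"WinPN32"="winpn32.exe"
"""

# Autostart keys named in the advisory; compared case-insensitively.
AUTOSTART_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
# Filenames taken from the two descriptions above.
KNOWN_BAD_NAMES = {"svch0st.exe", "winpn32.exe"}
# Legitimate binaries that droppers commonly imitate with digit swaps (heuristic list).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}
LOOKALIKE = str.maketrans("0135", "olis")  # 0->o, 1->l, 3->e... constructed mapping


def parse_autostart(reg_text):
    """Return (key, value_name, command) for every value under a Run/RunServices key."""
    entries, current = [], None
    for line in reg_text.splitlines():
        if line.startswith("["):
            current = line.strip("[]")
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if m and current and current.lower() in AUTOSTART_KEYS:
            # .reg files escape backslashes; undo that to get the real path.
            entries.append((current, m.group(1), m.group(2).replace("\\\\", "\\")))
    return entries


def classify(command):
    """Label an autostart command as 'known_bad', 'lookalike' or 'ok'."""
    exe = command.rsplit("\\", 1)[-1].lower()
    if exe in KNOWN_BAD_NAMES:
        return "known_bad"
    if exe not in SYSTEM_BINARIES and exe.translate(LOOKALIKE) in SYSTEM_BINARIES:
        return "lookalike"
    return "ok"


def suspicious_entries(reg_text):
    """All autostart entries that are not clearly benign, with their label."""
    return [(k, n, c, classify(c)) for k, n, c in parse_autostart(reg_text)
            if classify(c) != "ok"]
```

Run it over `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run` output to review a machine's autostart entries; a bare filename such as winpn32.exe (no path) is itself worth a look, since it relies on the system folder being searched.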

SOURCE: echomail via fidonet.ozzmosis.com
