W32/Agobot-SL is a network worm with IRC backdoor functionality.
W32/Agobot-SL connects to a preconfigured IRC server, joins a channel and awaits further instructions. These instructions can cause the bot to perform any of the following actions:
start a UDP, TCP, ICMP, syn, http or ping flood
start a socks4, socks5, http or https proxy server
redirect TCP or GRE connections
start an FTP server
start a command shell server
show statistics about the infected system
reboot/shutdown the infected computer
kill anti-virus and security processes
list/terminate running processes
scan randomly- or sequentially-chosen IPs for infectable computers
make local drives network-shareable
close down vulnerable services in order to secure the computer
search for product keys
search local drives for AOL user details
sniff network traffic in order to find passwords
start a keylogger
download and install an updated version of itself
install bot plugins for additional functionality
The worm spreads to computers affected by known vulnerabilities and running network services protected by weak passwords.
Vulnerabilities:
RPC DCOM (MS03-026, MS04-012)
MSSQL (MS02-039)
Services:
NetBios
W32/Agobot-SL copies itself to the Windows system folder as atapidrv.exe and creates the following registry entries to run itself automatically on computer login:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
atapidrv
atapidrv.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
atapidrv
atapidrv.exe
The worm blocks access to security-related websites by adding the following entries to the Windows hosts file:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
W32/Agobot-SL also terminates Anti-Virus and security related applications.
The following patches for the operating system vulnerabilities exploited by W32/Agobot-SL can be obtained from the Microsoft website:
<a href=
"http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx"
target="_blank">RPC-DCOM (MS04-012) security vulnerability</a>
<a href=
"http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx"
target="_blank">MSSQL (MS02-039) security vulnerability</a>