W32/Agobot-TY

Category: Viruses and Spyware
Type: Win32 executable file virus
Prevalence:


W32/Agobot-TY is a worm and IRC backdoor Trojan for the Windows platform.

W32/Agobot-TY spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WKS (MS03-049) (CAN-2003-0812), UPNP (MS01-059), Veritas (CAN-2004-1172), MSSQL (MS02-039) (CAN-2002-0649), PNP (MS05-039) and ASN.1 (MS04-007) and by copying itself to network shares protected by weak passwords.

W32/Agobot-TY runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

When first run W32/Agobot-TY copies itself to <System>\memreader.exe.

The following registry entries are created to run memreader.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
memreader.exe = memreader.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
memreader.exe = memreader.exe

The following registry entries are also set (EnableDCOM = N disables DCOM on the host, and restrictanonymous = 1 restricts anonymous null-session enumeration):

HKCU\Software\Microsoft\OLE
memreader.exe = memreader.exe

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM = N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous = 1

W32/Agobot-TY includes functionality to:

- overwrite the HOSTS file
- access the internet and communicate with a remote server via HTTP
- steal information
- carry out DDoS attacks
- terminate anti-virus and security related processes

W32/Agobot-TY may append the HOSTS file with the following mappings:

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
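The two host-level artefacts described above, the memreader.exe autorun values and the loopback HOSTS mappings for security-vendor sites, are the ones an incident responder can check quickly. The following script is an added example written for this page; it is not Sophos code and not part of the worm. The vendor domain list is taken from the mappings listed above; the function names, the constructed sample HOSTS text and the winreg-based collection routine (which only works when run on the Windows host being examined) are assumptions made for illustration.

```python
"""Detect the HOSTS tampering and autorun persistence described on this page.

Added example, not Sophos code. Pure functions (parse_hosts, hijacked_hosts_entries,
suspicious_autoruns) work on any platform; read_autoruns_windows() needs Windows.
"""
import ipaddress
import os
import sys
from typing import Dict, List, Tuple

# Registrable domains of the hosts listed in the HOSTS mappings above.
VENDOR_DOMAINS = (
    "symantec.com", "sophos.com", "mcafee.com", "viruslist.com",
    "f-secure.com", "kaspersky.com", "kaspersky-labs.com", "avp.com",
    "networkassociates.com", "ca.com", "my-etrust.com", "nai.com",
    "trendmicro.com", "grisoft.com",
)

# Names a loopback address may legitimately map to.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Autorun keys the page says the worm writes memreader.exe into.
RUN_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs from HOSTS text, one pair per hostname."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and whitespace
        fields = line.split()
        if len(fields) < 2:
            continue                             # blank line or no hostname
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                             # first field is not an address
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def _is_vendor(hostname: str) -> bool:
    return any(hostname == d or hostname.endswith("." + d) for d in VENDOR_DOMAINS)


def _is_sinkhole(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified   # 127/8, ::1, 0.0.0.0


def hijacked_hosts_entries(text: str) -> List[Tuple[str, str, str]]:
    """Entries that sinkhole a non-local name; vendor hosts are called out explicitly."""
    findings = []
    for ip, name in parse_hosts(text):
        if not _is_sinkhole(ip) or name in LOCAL_NAMES:
            continue
        reason = "security vendor host" if _is_vendor(name) else "non-local name sinkholed"
        findings.append((ip, name, reason))
    return findings


def suspicious_autoruns(values: Dict[str, str], filename: str = "memreader.exe"):
    """Autorun values whose name or data references the dropped file name."""
    needle = filename.lower()
    return [(n, d) for n, d in values.items()
            if needle in n.lower() or needle in str(d).lower()]


def read_autoruns_windows() -> Dict[str, str]:
    """Collect HKLM Run/RunServices values with winreg (Windows only)."""
    import winreg  # assumption: executed on the host under investigation
    collected = {}
    for sub in RUN_KEYS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:
                        break                    # no more values in this key
                    collected[f"HKLM\\{sub}\\{name}"] = data
                    index += 1
        except OSError:
            continue                             # key absent (RunServices on newer Windows)
    return collected


# Constructed sample HOSTS content, not taken from a real system.
SAMPLE_HOSTS = """# constructed sample
127.0.0.1 localhost
::1 localhost
127.0.0.1 www.sophos.com sophos.com
127.0.0.1 liveupdate.symantecliveupdate
0.0.0.0 ads.example.com
192.0.2.10 intranet.example.com
"""

if __name__ == "__main__":
    if sys.platform == "win32":
        hosts_path = os.path.join(os.environ["SystemRoot"], "System32", "drivers", "etc", "hosts")
        with open(hosts_path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        for hit in suspicious_autoruns(read_autoruns_windows()):
            print("autorun:", hit)
    else:
        text = SAMPLE_HOSTS
    for ip, name, reason in hijacked_hosts_entries(text):
        print(f"hosts: {ip:>10} {name:<40} {reason}")
```

On the constructed sample the script reports the two sophos.com names as vendor hosts, and flags the truncated liveupdate.symantecliveupdate entry and the 0.0.0.0 line as sinkholed non-local names while leaving the localhost lines alone; the generic "non-local name sinkholed" check matters because a variant can change or misspell the host list, as the truncated entry on this page shows.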


The following patches for the operating system vulnerabilities exploited by W32/Agobot-TY can be obtained from the Microsoft website:

MS04-011: http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
MS04-012: http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx
MS03-049: http://www.microsoft.com/technet/security/bulletin/MS03-049.mspx
MS01-059: http://www.microsoft.com/technet/security/bulletin/MS01-059.mspx
MS02-039: http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx
MS05-039: http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx
MS04-007: http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx
