W32/Agobot-JX

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Several Reports


W32/Agobot-JX is a backdoor Trojan and worm which spreads to computers
protected by weak passwords and to computers infected with variants of
W32/MyDoom.

When first run, W32/Agobot-JX moves itself to the Windows system folder as
wupdate.exe and creates the following registry entries to run itself on system
logon:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
napv.exe = wupdate.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
napv.exe = wupdate.exe

W32/Agobot-JX also sets itself up as a Windows service, with the
service name "navp.exe".

The following vulnerabilities can also be exploited to aid propagation on unpatched systems and to manipulate registry keys:

Remote Procedure Call (RPC) vulnerability.
Distributed Component Object Model (DCOM) vulnerability.
RPC Locator vulnerability.
IIS5/WEBDAV Buffer Overflow vulnerability.

For more information about these Windows vulnerabilities, please refer to the following Microsoft Web pages:

Microsoft Security Bulletin MS03-001
Microsoft Security Bulletin MS03-007
Microsoft Security Bulletin MS03-039

W32/Agobot-JX will hide all files whose filenames begin with "sound".

Each time the Trojan is run it attempts to connect to a remote IRC server
and join a specific channel.

The Trojan then runs continuously in the background, allowing a remote
intruder to access and control the computer via IRC channels.

The Trojan attempts to terminate and disable various anti-virus and
security-related programs and modifies the HOSTS file located at
<WINDOWS>\System32\Drivers\etc\HOSTS, mapping selected anti-virus websites
to the loopback address 127.0.0.1 in an attempt to prevent access to these
sites.
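As an added example (not part of the Sophos write-up), the following Python script checks for two of the indicators described above: HOSTS entries that map names other than localhost to 127.0.0.1, and Run/RunServices values named napv.exe or pointing at wupdate.exe. The HOSTS text and registry values below are constructed sample data; on a live system the Run-key dictionary would be read with winreg.

```python
"""Defender-side checks for the W32/Agobot-JX indicators described above.

Added example, not Sophos code. Indicator names come from the write-up:
Run/RunServices values named napv.exe with data wupdate.exe, and HOSTS
lines mapping anti-virus sites to the loopback address.
"""

RUN_VALUE_NAME = "napv.exe"
RUN_VALUE_DATA = "wupdate.exe"
LOOPBACK = "127.0.0.1"
# Names that legitimately map to loopback in a HOSTS file (assumption).
BENIGN_LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def suspicious_hosts_entries(hosts_text: str) -> list[str]:
    """Return hostnames mapped to 127.0.0.1 that are not normal localhost names.

    Comments (after '#') and blank lines are ignored; one line may map the
    same address to several names.
    """
    found = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] != LOOPBACK:
            continue
        found.extend(n.lower() for n in parts[1:]
                     if n.lower() not in BENIGN_LOOPBACK_NAMES)
    return found


def suspicious_run_entries(run_values: dict[str, str]) -> list[str]:
    """Flag Run-key values whose name or data matches the write-up's indicators.

    run_values maps value name -> value data as read from HKLM\\...\\Run or
    \\RunServices (the caller reads the registry; this function is pure).
    """
    return [name for name, data in run_values.items()
            if name.lower() == RUN_VALUE_NAME
            or data.strip().lower().endswith(RUN_VALUE_DATA)]


# Constructed sample data for a stand-alone run (not captured from a real host).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.example-av.test update.example-av.test   # added by malware
10.0.0.5        fileserver.corp.test
"""
SAMPLE_RUN = {"napv.exe": "wupdate.exe",
              "ctfmon.exe": "C:\\WINDOWS\\system32\\ctfmon.exe"}

if __name__ == "__main__":
    print("HOSTS:", suspicious_hosts_entries(SAMPLE_HOSTS))
    print("Run:", suspicious_run_entries(SAMPLE_RUN))
```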
