W32/Agobot-OM is a member of the Agobot family of Windows network worms. The worm spreads to computers that are vulnerable to the LSASS flaw addressed by Microsoft Security Bulletin MS04-011 and to weakly protected network shares.
To run automatically when Windows starts up, the worm copies itself to the Windows system folder as msngf.exe and creates the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Fen Startups = fensvc32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Fen Startups = fensvc32.exe
Once installed, W32/Agobot-OM connects to a preconfigured IRC server and joins a channel from which an attacker can issue further commands. These commands can cause the infected machine to perform any of the following actions:
Initiate distributed denial-of-service (DDoS) attacks
Flood a remote host (by either ping or HTTP)
Start a SOCKS4 proxy server
Port-scan other remote computers for vulnerabilities
Execute arbitrary commands
Steal product keys
Upload and download files
Shut down and reboot the computer
Log any keystrokes made on the infected computer
Stop a running service
Attempt to disable any security programs running on the computer
Flush the DNS cache
The worm can be commanded to 'secure' and 'unsecure' an infected computer. Securing an infected computer involves deleting any network shares and disabling DCOM by setting the following registry entry:
HKLM\Software\Microsoft\OLE\EnableDCOM = N
Unsecuring an infected computer adds the C$, D$, E$, ADMIN$ and IPC$ network shares and re-enables DCOM by setting the following registry entry:
HKLM\Software\Microsoft\OLE\EnableDCOM = Y
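As an added example (not code from the original write-up), the following Python script checks an offline registry export in .reg text form for the two registry indicators described above: the Fen Startups value under the Run and RunServices keys (matched by value name or by either file name the write-up gives, fensvc32.exe and msngf.exe) and the current state of the EnableDCOM value that the 'secure' and 'unsecure' commands flip. The sample .reg text, including the benign ExampleUpdater entry, is constructed for the demonstration; the parser only decodes REG_SZ string values, which is all this check needs.

```python
"""Check an offline registry export (.reg text) for W32/Agobot-OM indicators.

Added example, not code from the original write-up. The indicators are the
ones the write-up lists: the 'Fen Startups' value under Run/RunServices, the
file names fensvc32.exe and msngf.exe, and the EnableDCOM value under the
OLE key. The sample .reg text below is constructed for the demonstration.
"""

HKLM = "HKEY_LOCAL_MACHINE"
RUN_KEYS = (
    HKLM + r"\Software\Microsoft\Windows\CurrentVersion\Run",
    HKLM + r"\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
OLE_KEY = HKLM + r"\Software\Microsoft\OLE"
VALUE_NAME = "fen startups"                 # compared case-insensitively
FILE_NAMES = ("fensvc32.exe", "msngf.exe")  # both file names given in the write-up

# Constructed sample export: one benign entry, the worm's two persistence
# entries, and EnableDCOM in the state the bot's 'secure' command leaves it.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"Fen Startups"="fensvc32.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Fen Startups"="fensvc32.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\OLE]
"EnableDCOM"="N"
'''


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: data}}.

    Only "name"="string" (REG_SZ) values are unescaped; other value types are
    kept as the raw text after '='. Names keep their case here; callers
    compare case-insensitively, as the registry itself does.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = name.strip()
        name = "" if name == "@" else name.strip('"')   # '@' is the key's default value
        data = data.strip()
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            # .reg files escape backslash and double quote inside string data
            data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        keys[current][name] = data
    return keys


def scan_reg_export(text):
    """Return {'persistence': [matching Run/RunServices entries],
               'enable_dcom': 'Y' | 'N' | None}."""
    keys = {k.lower(): v for k, v in parse_reg_export(text).items()}
    hits = []
    for run_key in RUN_KEYS:
        for name, data in keys.get(run_key.lower(), {}).items():
            lowered = data.lower()
            # substring match so a full path or trailing arguments still hit
            if name.lower() == VALUE_NAME or any(f in lowered for f in FILE_NAMES):
                hits.append(f"{run_key}\\{name} = {data}")
    ole = {n.lower(): d for n, d in keys.get(OLE_KEY.lower(), {}).items()}
    dcom = ole.get("enabledcom")
    return {"persistence": hits,
            "enable_dcom": dcom.strip().upper() if dcom is not None else None}


if __name__ == "__main__":
    result = scan_reg_export(SAMPLE_REG)
    for hit in result["persistence"]:
        print("persistence:", hit)
    print("EnableDCOM:", result["enable_dcom"])
```

On a live system, `reg export` of the Run, RunServices and OLE keys produces the input; the tool writes UTF-16 text by default, so decode it before passing it in. Note that EnableDCOM = Y is the Windows default, so only the N state is diagnostic by itself, and the C$, ADMIN$ and IPC$ shares also exist by default on Windows, so their presence says nothing; their absence together with EnableDCOM = N is what matches the bot's 'secure' state.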