W32/Agobot-OQ is a member of the Agobot family of Windows network worms. The worm can spread to computers affected by the LSASS vulnerability (see Microsoft Security Bulletin MS04-011) and to weakly protected network shares.
In order to run automatically when Windows starts up, the worm copies itself to the Windows system folder as winguard.exe and creates the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinGuard = winguard.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\WinGuard = winguard.exe
Once installed, W32/Agobot-OQ connects to a preconfigured IRC server and joins a channel from which an attacker can issue further commands. These commands can cause the infected machine to perform any of the following actions:
- Initiate distributed denial-of-service (DDoS) attacks
- Start a SOCKS4 proxy server
- Port scan for vulnerabilities on other remote computers
- Execute arbitrary commands
- Steal product keys
- Upload and download files
- Shut down and reboot the computer
- Attempt to disable any security programs running on the computer
- Alter the computer's HOSTS file so anti-virus websites are not available
When the HOSTS file (located in 'windows/system32/drivers/etc/hosts') is modified, entries are created for the major anti-virus software websites that redirect attempted access to those sites to the IP address 127.0.0.1.
The worm can be commanded to 'secure' and 'unsecure' an infected computer. Securing an infected computer involves deleting C$, D$, IPC$ and ADMIN$ network shares and disabling DCOM by setting the following registry entry:
HKLM\Software\Microsoft\OLE\EnableDCOM = N
To unsecure an infected computer, the C$, D$, E$, ADMIN$ and IPC$ network shares are added and DCOM is enabled by setting the following registry entry:
HKLM\Software\Microsoft\OLE\EnableDCOM = Y
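As an added defender-side example (not from the Sophos write-up), the following Python script checks a host for the indicators listed above: the WinGuard values under Run and RunServices, winguard.exe in the system folder, the EnableDCOM setting, and HOSTS entries that point names other than localhost at 127.0.0.1. The sample HOSTS text and its domain names are constructed placeholders; the registry check uses the standard winreg module and returns an empty list on non-Windows systems.

```python
import os
import sys

# Persistence details as given in the write-up.
RUN_KEYS = (r"Software\Microsoft\Windows\CurrentVersion\Run",
            r"Software\Microsoft\Windows\CurrentVersion\RunServices")
VALUE_NAME = "WinGuard"
FILE_NAME = "winguard.exe"
SYSTEM_ROOT = os.environ.get("SystemRoot", r"C:\Windows")

# Constructed sample HOSTS content; the domain names are placeholders, not real vendor sites.
SAMPLE_HOSTS = """# constructed sample
127.0.0.1       localhost
127.0.0.1 av-vendor.example        # Agobot-style redirect to loopback
127.0.0.1 updates.av-vendor.example
"""

def loopback_redirects(hosts_text):
    """Return names mapped to 127.0.0.1 other than localhost (the worm's HOSTS trick)."""
    hits = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenise
        if fields and fields[0] == "127.0.0.1":
            hits.extend(n for n in fields[1:] if n.lower() != "localhost")
    return hits

def dropped_file_present(system_dir=os.path.join(SYSTEM_ROOT, "System32")):
    """True if winguard.exe sits in the Windows system folder."""
    return os.path.isfile(os.path.join(system_dir, FILE_NAME))

def registry_findings():
    """Report WinGuard autorun values and EnableDCOM (Windows only; [] elsewhere).
    EnableDCOM = N matches the worm's 'secure' state; WinGuard under Run/RunServices is its persistence."""
    if sys.platform != "win32":
        return []
    import winreg
    out = []
    for key, name in [(k, VALUE_NAME) for k in RUN_KEYS] + [(r"Software\Microsoft\OLE", "EnableDCOM")]:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
                data, _ = winreg.QueryValueEx(k, name)
            out.append(f"HKLM\\{key}\\{name} = {data}")
        except OSError:
            pass  # key or value absent: nothing to report
    return out
```

On a live Windows host, pass the contents of %SystemRoot%\System32\drivers\etc\hosts to loopback_redirects and call the other two functions with their defaults; any non-empty result is worth a closer look.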
Sophos's anti-virus products include proactive protection technology, which can defend against new threats without requiring an update. Sophos customers have been protected against W32/Agobot-OQ (detected as W32/Agobot-Gen) since version 3.88.