W32/Rbot-AGU

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: No Reports


W32/Rbot-AGU is a worm with backdoor functionality for the Windows platform.

W32/Rbot-AGU spreads:

to other network computers infected with: Troj/Kuang, Troj/Sub7, W32/Sasser, Troj/NetDevil, W32/MyDoom, W32/Bagle and Troj/Optix

to other network computers by exploiting common buffer overflow vulnerabilities, including: LSASS (MS04-011), RPC-DCOM (MS04-012), WebDav (MS03-007), MSSQL (MS02-039) (CAN-2002-0649) and Dameware (CAN-2003-1030)

by copying itself to network shares protected by weak passwords

W32/Rbot-AGU runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

When first run W32/Rbot-AGU copies itself to <Windows system folder>\mhguard.exe.

The following registry entries are created to run mhguard.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
System Guard
mhguard.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
System Guard
mhguard.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
System Guard
mhguard.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
System Guard
mhguard.exe

Registry entries are set as follows:

HKCU\SYSTEM\CurrentControlSet\Control\Lsa
System Guard
mhguard.exe

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
System Guard
mhguard.exe

HKCU\Software\Microsoft\OLE
System Guard
mhguard.exe

HKLM\SOFTWARE\Microsoft\Ole
System Guard
mhguard.exe

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

W32/Rbot-AGU modifies the HOSTS file, changing the hostname-to-IP mappings for selected websites (chiefly anti-virus vendors' update and support sites) so that they resolve to 127.0.0.1, thereby preventing normal access to these sites. The new HOSTS file will typically contain the following:

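A defender's check for the HOSTS tampering described above, added here as an example and not part of the Sophos description: it parses HOSTS-file text and reports any entry that pins one of the vendor domains from this page (or a subdomain of one) to a loopback or unspecified address. The sample HOSTS content and the WATCHED_DOMAINS subset are constructed for the example.

```python
import ipaddress

# Vendor domains taken from the advisory's HOSTS list (a subset); a hostname
# equal to one of these, or a subdomain of one, is treated as watched.
WATCHED_DOMAINS = (
    "sophos.com", "symantec.com", "symantecliveupdate.com", "mcafee.com",
    "nai.com", "networkassociates.com", "kaspersky.com", "kaspersky-labs.com",
    "viruslist.com", "avp.com", "f-secure.com", "trendmicro.com", "ca.com",
    "my-etrust.com", "grisoft.com",
)

# Constructed sample HOSTS content: a comment, two legitimate loopback entries,
# a multi-hostname line, and three entries in the style the worm writes.
SAMPLE_HOSTS = """\
# constructed sample, not a real HOSTS file
127.0.0.1       localhost
::1             localhost
192.168.1.10    fileserver fileserver.corp.example   # constructed
127.0.0.1 sophos.com
127.0.0.1 liveupdate.symantec.com
0.0.0.0   www.mcafee.com
"""


def _is_sinkhole(ip_text):
    """True for addresses that silently swallow traffic (loopback or 0.0.0.0/::)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def _is_watched(hostname):
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def find_hosts_tampering(hosts_text):
    """Return (line_no, ip, hostname) for watched hostnames pinned to a sinkhole."""
    hits = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # strip comments, split on whitespace
        if len(fields) < 2 or not _is_sinkhole(fields[0]):
            continue
        for name in fields[1:]:
            # "localhost -> 127.0.0.1" is legitimate, so only watched names count.
            if _is_watched(name):
                hits.append((line_no, fields[0], name.lower()))
    return hits


if __name__ == "__main__":
    for line_no, ip, name in find_hosts_tampering(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}")
```

On a Windows host the file to feed in is %SystemRoot%\System32\drivers\etc\hosts; any hit is a reason to restore the file and look for the mhguard.exe persistence entries listed above.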

The following patches for the operating system vulnerabilities exploited by W32/Rbot-AGU can be obtained from the Microsoft website:

MS04-011
MS04-012
MS03-049
MS03-007
MS02-039
