Sophos

W32/Agobot-AAF

Aliases
  • Backdoor.Win32.Agobot.abw
  • WORM_AGOBOT.ARZ
  • W32.HLLW.Gaobot

Summary

 
How it spreads
  • Network shares
Affected operating systems Windows
Protection available since 25 May 2005 13:39:43 (GMT)
Detected by All Sophos products

Action

Please follow the instructions for removing worms.

Change any data that may have become compromised.

Replace the Hosts file from a backup or edit it in Notepad to remove the changes that the worm has made.

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

and remove any reference to any file you deleted.

Close the registry editor.

More Information

W32/Agobot-AAF is a network worm with IRC backdoor functionality.

W32/Agobot-AAF connects to a preconfigured IRC server, joins a channel and awaits further instructions. These instructions can cause the bot to perform any of the following actions:

  • start a UDP, TCP, ICMP, SYN, HTTP or ping flood
  • start a SOCKS4, SOCKS5, HTTP or HTTPS proxy server
  • redirect TCP or GRE connections
  • start an FTP server
  • start a command shell server
  • show statistics about the infected system
  • reboot or shut down the infected machine
  • kill anti-virus and security processes
  • list or terminate running processes
  • scan randomly or sequentially chosen IP addresses for infectable machines
  • make local drives network-shareable
  • close down vulnerable services in order to secure the machine
  • search for product keys
  • search local drives for AOL user details
  • sniff network traffic in order to find passwords
  • start a keylogger
  • download and install an updated version of itself
  • install bot plugins for additional functionality

The worm spreads to machines that are affected by known vulnerabilities, that run network services protected by weak passwords, or that are already infected by common backdoor Trojans.

Vulnerabilities:

  • Universal Plug and Play (UPnP) (MS01-059)
  • WebDAV (MS03-007)
  • RPC DCOM (MS03-026, MS04-012)
  • Workstation service (MS03-049)
  • LSASS (MS04-011)
  • DameWare (CAN-2003-1030)

Services:

  • NetBIOS
  • MS SQL

Backdoors:

  • W32/Bagle
  • W32/MyDoom
  • Troj/Optix
  • W32/Sasser

W32/Agobot-AAF deletes any files or folders containing the word "sound".

W32/Agobot-AAF copies itself to the Windows system folder with the filename thmbplusXX.exe, where XX is a combination of a random digit and a random character.

W32/Agobot-AAF creates the following registry entries to run itself automatically on computer login:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Thumbs Plus X.X
"thmbplusXX.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Thumbs Plus X.X
"thmbplusXX.exe"

where X.X corresponds to the XX mentioned above.

The worm adds entries for the following hostnames to the Windows hosts file so that they no longer resolve to the vendors' servers, blocking access to anti-virus update and support sites:

www.trendmicro.com
trendmicro.com
rads.mcafee.com
customer.symantec.com
liveupdate.symantec.com
us.mcafee.com
updates.symantec.com
update.symantec.com
www.nai.com
nai.com
secure.nai.com
dispatch.mcafee.com
download.mcafee.com
www.my-etrust.com
my-etrust.com
mast.mcafee.com
ca.com
www.ca.com
networkassociates.com
www.networkassociates.com
avp.com
www.kaspersky.com
www.avp.com
kaspersky.com
www.f-secure.com
f-secure.com
viruslist.com
www.viruslist.com
liveupdate.symantecliveupdate.com
mcafee.com
www.mcafee.com
sophos.com
www.sophos.com
symantec.com
securityresponse.symantec.com
www.symantec.com
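
Both the cleanup steps under Action and the hosts-file and autorun changes described above can be checked offline. The following Python script is an added example, not Sophos's own tooling: given the text of a hosts file and of a Regedit export of the HKLM Run and RunServices keys copied off the suspect machine, it reports every vendor hostname the worm pinned and every autorun value that references a thmbplusXX.exe. The sample hosts file and .reg export embedded in it are constructed, and the value name "Thumbs Plus 4.k" for a dropped file thmbplus4k.exe is an assumed instance of the "Thumbs Plus X.X" / thmbplusXX.exe pattern.

```python
"""Offline triage of two artefacts left by W32/Agobot-AAF: the Windows hosts
file and a Regedit (.reg) export of the HKLM Run / RunServices keys.
Assumed workflow: copy both files off the suspect machine, then run this."""
import re

# Vendor hostnames the worm pins in the hosts file (from the list above).
HIJACKED_DOMAINS = frozenset("""
www.trendmicro.com trendmicro.com rads.mcafee.com customer.symantec.com
liveupdate.symantec.com us.mcafee.com updates.symantec.com update.symantec.com
www.nai.com nai.com secure.nai.com dispatch.mcafee.com download.mcafee.com
www.my-etrust.com my-etrust.com mast.mcafee.com ca.com www.ca.com
networkassociates.com www.networkassociates.com avp.com www.kaspersky.com
www.avp.com kaspersky.com www.f-secure.com f-secure.com viruslist.com
www.viruslist.com liveupdate.symantecliveupdate.com mcafee.com www.mcafee.com
sophos.com www.sophos.com symantec.com securityresponse.symantec.com
www.symantec.com
""".split())

# Dropped file: thmbplusXX.exe, XX = one random digit plus one character.
DROPPED_NAME = re.compile(r"thmbplus[0-9a-z]{2}\.exe", re.IGNORECASE)

# Autorun keys named in the analysis; matched case-insensitively.
AUTORUN_KEYS = frozenset(k.lower() for k in (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
))

# A Regedit value line:  "name"="data"   or   @="data"  (the default value).
VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def hosts_hijacks(hosts_text):
    """Return [(line_no, ip, hostname)] for every hosts entry that pins one of
    HIJACKED_DOMAINS; comments and blank lines are ignored."""
    hits = []
    for no, raw in enumerate(hosts_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            if name.lower() in HIJACKED_DOMAINS:
                hits.append((no, fields[0], name.lower()))
    return hits


def _unquote(data):
    """Strip the quotes of a REG_SZ literal and undo Regedit's backslash and
    quote escapes; non-string data (dword:, hex:) is returned untouched."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return data


def autorun_hits(reg_export):
    """Parse a .reg export and return [(key, value_name, data)] for values
    under the HKLM Run/RunServices keys whose data names thmbplusXX.exe.
    Regedit 5 (Windows 2000/XP) writes exports as UTF-16: decode before use."""
    hits, current_key, in_autorun_key = [], None, False
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            in_autorun_key = current_key.lower() in AUTORUN_KEYS
            continue
        m = VALUE_LINE.match(line) if in_autorun_key else None
        if not m:
            continue
        name = "(Default)" if m.group(1) == "@" else _unquote(m.group(1))
        data = _unquote(m.group(2))
        if DROPPED_NAME.search(data):
            hits.append((current_key, name, data))
    return hits


def triage(hosts_text, reg_export):
    """Run both checks; 'infected' is True if either one fires."""
    hosts, autorun = hosts_hijacks(hosts_text), autorun_hits(reg_export)
    return {"hosts": hosts, "autorun": autorun, "infected": bool(hosts or autorun)}


# Constructed sample artefacts (not captured from a real infection). The value
# name "Thumbs Plus 4.k" for thmbplus4k.exe is an assumed instance of the
# "Thumbs Plus X.X" / thmbplusXX.exe pattern described above.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.sophos.com
127.0.0.1 liveupdate.symantec.com update.symantec.com
127.0.0.1 intranet.example   # unrelated local pin, not a vendor name
"""

SAMPLE_REG = """\
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]
"Thumbs Plus 4.k"="thmbplus4k.exe"
"ctfmon"="C:\\\\WINDOWS\\\\system32\\\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices]
"Thumbs Plus 4.k"="thmbplus4k.exe"
"""

if __name__ == "__main__":
    for section, result in triage(SAMPLE_HOSTS, SAMPLE_REG).items():
        print(section, result)
```

Flagged hosts lines are the ones to delete (or restore the file from backup), and flagged autorun values are the ones to remove in Regedit once the dropped file itself has been deleted. The legitimate ctfmon value in the sample is left alone because only data naming a thmbplusXX.exe is reported.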

W32/Agobot-AAF terminates running processes with the following names. Most belong to anti-virus and firewall products, but the list also covers system administration, debugging and network tools (for example REGEDIT.EXE, MSCONFIG.EXE, NETSTAT.EXE and OLLYDBG.EXE) and the executables of other worms:

'_AVP32.EXE'
'_AVPCC.EXE'
'_AVPM.EXE'
'ACKWIN32.EXE'
'ADAWARE.EXE'
'ADVXDWIN.EXE'
'AGENTSVR.EXE'
'AGENTW.EXE'
'ALERTSVC.EXE'
'ALEVIR.EXE'
'ALOGSERV.EXE'
'AMON9X.EXE'
'ANTI-TROJAN.EXE'
'ANTIVIRUS.EXE'
'ANTS.EXE'
'APIMONITOR.EXE'
'APLICA32.EXE'
'APVXDWIN.EXE'
'ARR.EXE'
'ATCON.EXE'
'ATGUARD.EXE'
'ATRO55EN.EXE'
'ATUPDATER.EXE'
'ATWATCH.EXE'
'AU.EXE'
'AUPDATE.EXE'
'AUTO-PROTECT.NAV80TRY.EXE'
'AUTODOWN.EXE'
'AUTOTRACE.EXE'
'AUTOUPDATE.EXE'
'AVCONSOL.EXE'
'AVE32.EXE'
'AVGCC32.EXE'
'AVGCTRL.EXE'
'AVGNT.EXE'
'AVGSERV.EXE'
'AVGSERV9.EXE'
'AVGUARD.EXE'
'AVGW.EXE'
'AVKPOP.EXE'
'AVKSERV.EXE'
'AVKSERVICE.EXE'
'AVKWCTl9.EXE'
'AVLTMAIN.EXE'
'AVNT.EXE'
'AVP.EXE'
'AVP32.EXE'
'AVPCC.EXE'
'AVPDOS32.EXE'
'AVPM.EXE'
'AVPTC32.EXE'
'AVPUPD.EXE'
'AVSCHED32.EXE'
'AVSYNMGR.EXE'
'AVWIN95.EXE'
'AVWINNT.EXE'
'AVWUPD.EXE'
'AVWUPD32.EXE'
'AVWUPSRV.EXE'
'AVXMONITOR9X.EXE'
'AVXMONITORNT.EXE'
'AVXQUAR.EXE'
'BACKWEB.EXE'
'BARGAINS.EXE'
'BD_PROFESSIONAL.EXE'
'BEAGLE.EXE'
'BELT.EXE'
'BIDEF.EXE'
'BIDSERVER.EXE'
'BIPCP.EXE'
'BIPCPEVALSETUP.EXE'
'BISP.EXE'
'BLACKD.EXE'
'BLACKICE.EXE'
'BLSS.EXE'
'BOOTCONF.EXE'
'BOOTWARN.EXE'
'BORG2.EXE'
'BPC.EXE'
'BRASIL.EXE'
'BS120.EXE'
'BUNDLE.EXE'
'BVT.EXE'
'CCAPP.EXE'
'CCEVTMGR.EXE'
'CCPXYSVC.EXE'
'CDP.EXE'
'CFD.EXE'
'CFGWIZ.EXE'
'CFIADMIN.EXE'
'CFIAUDIT.EXE'
'CFINET.EXE'
'CFINET32.EXE'
'Claw95.EXE'
'CLAW95CF.EXE'
'CLEAN.EXE'
'CLEANER.EXE'
'CLEANER3.EXE'
'CLEANPC.EXE'
'CLICK.EXE'
'CMD32.EXE'
'CMESYS.EXE'
'CMGRDIAN.EXE'
'CMON016.EXE'
'CONNECTIONMONITOR.EXE'
'CPD.EXE'
'CPF9X206.EXE'
'CPFNT206.EXE'
'CTRL.EXE'
'CV.EXE'
'CWNB181.EXE'
'CWNTDWMO.EXE'
'DATEMANAGER.EXE'
'DCOMX.EXE'
'DEFALERT.EXE'
'DEFSCANGUI.EXE'
'DEFWATCH.EXE'
'DEPUTY.EXE'
'DIVX.EXE'
'DLLCACHE.EXE'
'DLLREG.EXE'
'DOORS.EXE'
'DPF.EXE'
'DPFSETUP.EXE'
'DPPS2.EXE'
'DRWATSON.EXE'
'DRWEB32.EXE'
'DRWEBUPW.EXE'
'DSSAGENT.EXE'
'DVP95.EXE'
'DVP95_0.EXE'
'ECENGINE.EXE'
'EFPEADM.EXE'
'EMSW.EXE'
'ENT.EXE'
'ESAFE.EXE'
'ESCANH95.EXE'
'ESCANHNT.EXE'
'ESCANV95.EXE'
'ESPWATCH.EXE'
'ETHEREAL.EXE'
'ETRUSTCIPE.EXE'
'EVPN.EXE'
'EXANTIVIRUS-CNET.EXE'
'EXE.AVXW.EXE'
'EXPERT.EXE'
'EXPLORE.EXE'
'F-AGNT95.EXE'
'F-AGOBOT.EXE'
'F-PROT.EXE'
'F-PROT95.EXE'
'F-STOPW.EXE'
'FAMEH32.EXE'
'FAST.EXE'
'FCH32.EXE'
'FIH32.EXE'
'FINDVIRU.EXE'
'FIREWALL.EXE'
'FLOWPROTECTOR.EXE'
'FNRB32.EXE'
'FP-WIN.EXE'
'FP-WIN_TRIAL.EXE'
'FPROT.EXE'
'FRW.EXE'
'FSAA.EXE'
'FSAV.EXE'
'FSAV32.EXE'
'FSAV530STBYB.EXE'
'FSAV530WTBYB.EXE'
'FSAV95.EXE'
'FSGK32.EXE'
'FSM32.EXE'
'FSMA32.EXE'
'FSMB32.EXE'
'GATOR.EXE'
'GBMENU.EXE'
'GBPOLL.EXE'
'GENERICS.EXE'
'GMT.EXE'
'GUARD.EXE'
'GUARDDOG.EXE'
'HACKTRACERSETUP.EXE'
'HBINST.EXE'
'HBSRV.EXE'
'HIJACKTHIS.EXE'
'HOTACTIO.EXE'
'HOTPATCH.EXE'
'HTLOG.EXE'
'HTPATCH.EXE'
'HWPE.EXE'
'HXDL.EXE'
'HXIUL.EXE'
'IAMAPP.EXE'
'IAMSERV.EXE'
'IAMSTATS.EXE'
'IBMASN.EXE'
'IBMAVSP.EXE'
'ICLOAD95.EXE'
'ICLOADNT.EXE'
'ICMON.EXE'
'ICSUPP95.EXE'
'ICSUPPNT.EXE'
'IDLE.EXE'
'IEDLL.EXE'
'IEDRIVER.EXE'
'IEXPLORER.EXE'
'IFACE.EXE'
'IFW2000.EXE'
'INETLNFO.EXE'
'INFUS.EXE'
'INFWIN.EXE'
'INIT.EXE'
'INTDEL.EXE'
'INTREN.EXE'
'IOMON98.EXE'
'IPARMOR.EXE'
'IRIS.EXE'
'ISASS.EXE'
'ISRV95.EXE'
'ISTSVC.EXE'
'JAMMER.EXE'
'JDBGMRG.EXE'
'JEDI.EXE'
'KAVLITE40ENG.EXE'
'KAVPERS40ENG.EXE'
'KAVPF.EXE'
'KAZZA.EXE'
'KEENVALUE.EXE'
'KERIO-PF-213-EN-WIN.EXE'
'KERIO-WRL-421-EN-WIN.EXE'
'KERIO-WRP-421-EN-WIN.EXE'
'KERNEL32.EXE'
'KILLPROCESSSETUP161.EXE'
'LAUNCHER.EXE'
'LDNETMON.EXE'
'LDPRO.EXE'
'LDPROMENU.EXE'
'LDSCAN.EXE'
'LNETINFO.EXE'
'LOADER.EXE'
'LOCALNET.EXE'
'LOCKDOWN.EXE'
'LOCKDOWN2000.EXE'
'LOOKOUT.EXE'
'LORDPE.EXE'
'LSETUP.EXE'
'LUALL.EXE'
'LUAU.EXE'
'LUCOMSERVER.EXE'
'LUINIT.EXE'
'LUSPT.EXE'
'MAPISVC32.EXE'
'MCAGENT.EXE'
'MCMNHDLR.EXE'
'MCSHIELD.EXE'
'MCTOOL.EXE'
'MCUPDATE.EXE'
'MCVSRTE.EXE'
'MCVSSHLD.EXE'
'MD.EXE'
'MFIN32.EXE'
'MFW2EN.EXE'
'MFWENG3.02D30.EXE'
'MGAVRTCL.EXE'
'MGAVRTE.EXE'
'MGHTML.EXE'
'MGUI.EXE'
'MINILOG.EXE'
'MMOD.EXE'
'MONITOR.EXE'
'MOOLIVE.EXE'
'MOSTAT.EXE'
'MPFAGENT.EXE'
'MPFSERVICE.EXE'
'MPFTRAY.EXE'
'MRFLUX.EXE'
'MSAPP.EXE'
'MSBB.EXE'
'MSBLAST.EXE'
'MSCACHE.EXE'
'MSCCN32.EXE'
'MSCMAN.EXE'
'MSCONFIG.EXE'
'MSDM.EXE'
'MSDOS.EXE'
'MSIEXEC16.EXE'
'MSINFO32.EXE'
'MSLAUGH.EXE'
'MSMGT.EXE'
'MSMSGRI32.EXE'
'MSSMMC32.EXE'
'MSSYS.EXE'
'MSVXD.EXE'
'MU0311AD.EXE'
'MWATCH.EXE'
'N32SCANW.EXE'
'NAV.EXE'
'NAVAP.NAVAPSVC.EXE'
'NAVAPSVC.EXE'
'NAVAPW32.EXE'
'NAVDX.EXE'
'NAVENGNAVEX15.NAVLU32.EXE'
'NAVLU32.EXE'
'NAVNT.EXE'
'NAVSTUB.EXE'
'NAVW32.EXE'
'NAVWNT.EXE'
'NCINST4.EXE'
'NDD32.EXE'
'NEOMONITOR.EXE'
'NEOWATCHLOG.EXE'
'NETARMOR.EXE'
'NETD32.EXE'
'NETINFO.EXE'
'NETMON.EXE'
'NETSCANPRO.EXE'
'NETSPYHUNTER-1.2.EXE'
'NETSTAT.EXE'
'NETUTILS.EXE'
'NISSERV.EXE'
'NISUM.EXE'
'NMAIN.EXE'
'NOD32.EXE'
'NORMIST.EXE'
'NORTON_INTERNET_SECU_3.0_407.EXE'
'NOTSTART.EXE'
'NPF40_TW_98_NT_ME_2K.EXE'
'NPFMESSENGER.EXE'
'NPROTECT.EXE'
'NPSCHECK.EXE'
'NPSSVC.EXE'
'NSCHED32.EXE'
'NSSYS32.EXE'
'NSTASK32.EXE'
'NSUPDATE.EXE'
'NT.EXE'
'NTRTSCAN.EXE'
'NTVDM.EXE'
'NTXconfig.EXE'
'NUI.EXE'
'NUPGRADE.EXE'
'NVARCH16.EXE'
'NVC95.EXE'
'NVSVC32.EXE'
'NWINST4.EXE'
'NWSERVICE.EXE'
'NWTOOL16.EXE'
'OLLYDBG.EXE'
'ONSRVR.EXE'
'OPTIMIZE.EXE'
'OSTRONET.EXE'
'OTFIX.EXE'
'OUTPOST.EXE'
'OUTPOSTINSTALL.EXE'
'OUTPOSTPROINSTALL.EXE'
'PADMIN.EXE'
'PANIXK.EXE'
'PATCH.EXE'
'PAVCL.EXE'
'PAVPROXY.EXE'
'PAVSCHED.EXE'
'PAVW.EXE'
'PCCIOMON.EXE'
'PCCNTMON.EXE'
'PCCWIN97.EXE'
'PCCWIN98.EXE'
'PCDSETUP.EXE'
'PCFWALLICON.EXE'
'PCSCAN.EXE'
'PDSETUP.EXE'
'PENIS.EXE'
'PERISCOPE.EXE'
'PERSFW.EXE'
'PERSWF.EXE'
'PF2.EXE'
'PFWADMIN.EXE'
'PGMONITR.EXE'
'PINGSCAN.EXE'
'PLATIN.EXE'
'POP3TRAP.EXE'
'POPROXY.EXE'
'POPSCAN.EXE'
'PORTDETECTIVE.EXE'
'PORTMONITOR.EXE'
'POWERSCAN.EXE'
'PPINUPDT.EXE'
'PPTBC.EXE'
'PPVSTOP.EXE'
'PRIZESURFER.EXE'
'PRMT.EXE'
'PRMVR.EXE'
'PROCDUMP.EXE'
'PROCESSMONITOR.EXE'
'PROCEXPLORERV1.0.EXE'
'PROGRAMAUDITOR.EXE'
'PROPORT.EXE'
'PROTECTX.EXE'
'PSPF.EXE'
'PURGE.EXE'
'PUSSY.EXE'
'PVIEW95.EXE'
'QCONSOLE.EXE'
'QSERVER.EXE'
'RAPAPP.EXE'
'RAV7.EXE'
'RAV7WIN.EXE'
'RAV8WIN32ENG.EXE'
'RAY.EXE'
'RB32.EXE'
'RCSYNC.EXE'
'REALMON.EXE'
'REGED.EXE'
'REGEDIT.EXE'
'REGEDT32.EXE'
'RESCUE.EXE'
'RESCUE32.EXE'
'RRGUARD.EXE'
'RSHELL.EXE'
'RTVSCAN.EXE'
'RTVSCN95.EXE'
'RULAUNCH.EXE'
'RUN32DLL.EXE'
'RUNDLL.EXE'
'RUNDLL16.EXE'
'RUXDLL32.EXE'
'SAFEWEB.EXE'
'SAHAGENT.EXE'
'SAVE.EXE'
'SAVENOW.EXE'
'SBSERV.EXE'
'SC.EXE'
'SCAM32.EXE'
'SCAN32.EXE'
'SCAN95.EXE'
'SCANPM.EXE'
'SCRSCAN.EXE'
'SCRSVR.EXE'
'SCVHOST.EXE'
'SD.EXE'
'SERV95.EXE'
'SERVICE.EXE'
'SERVLCE.EXE'
'SERVLCES.EXE'
'SETUP_FLOWPROTECTOR_US.EXE'
'SETUPVAMEEVAL.EXE'
'SFC.EXE'
'SGSSFW32.EXE'
'SH.EXE'
'SHELLSPYINSTALL.EXE'
'SHN.EXE'
'SHOWBEHIND.EXE'
'SMC.EXE'
'SMS.EXE'
'SMSS32.EXE'
'SOAP.EXE'
'SOFI.EXE'
'SPERM.EXE'
'SPF.EXE'
'SPHINX.EXE'
'SPOLER.EXE'
'SPOOLCV.EXE'
'SPOOLSV32.EXE'
'SPYXX.EXE'
'SREXE.EXE'
'SRNG.EXE'
'SS3EDIT.EXE'
'SSGRATE.EXE'
'ST2.EXE'
'START.EXE'
'STCLOADER.EXE'
'SUPFTRL.EXE'
'SUPPORT.EXE'
'SUPPORTER5.EXE'
'SVC.EXE'
'SVCHOSTC.EXE'
'SVCHOSTS.EXE'
'SVSHOST.EXE'
'SWEEP95.EXE'
'SWEEPNET.SWEEPSRV.SYS.SWNETSUP.EXE'
'SYMPROXYSVC.EXE'
'SYMTRAY.EXE'
'SYSEDIT.EXE'
'SYSTEM.EXE'
'SYSTEM32.EXE'
'SYSUPD.EXE'
'TASKMG.EXE'
'TASKMO.EXE'
'TASKMON.EXE'
'TAUMON.EXE'
'TBSCAN.EXE'
'TC.EXE'
'TCA.EXE'
'TCM.EXE'
'TDS-3.EXE'
'TDS2-98.EXE'
'TDS2-NT.EXE'
'TEEKIDS.EXE'
'TFAK.EXE'
'TFAK5.EXE'
'TGBOB.EXE'
'TITANIN.EXE'
'TITANINXP.EXE'
'TRACERT.EXE'
'TRICKLER.EXE'
'TRJSCAN.EXE'
'TRJSETUP.EXE'
'TROJANTRAP3.EXE'
'TSADBOT.EXE'
'TVMD.EXE'
'TVTMD.EXE'
'UNDOBOOT.EXE'
'UPDAT.EXE'
'UPDATE.EXE'
'UPGRAD.EXE'
'UTPOST.EXE'
'VBCMSERV.EXE'
'VBCONS.EXE'
'VBUST.EXE'
'VBWIN9X.EXE'
'VBWINNTW.EXE'
'VCSETUP.EXE'
'VET32.EXE'
'VET95.EXE'
'VETTRAY.EXE'
'VFSETUP.EXE'
'VIR-HELP.EXE'
'VIRUSMDPERSONALFIREWALL.EXE'
'VNLAN300.EXE'
'VNPC3000.EXE'
'VPC32.EXE'
'VPC42.EXE'
'VPFW30S.EXE'
'VPTRAY.EXE'
'VSCAN40.EXE'
'VSCENU6.02D30.EXE'
'VSCHED.EXE'
'VSECOMR.EXE'
'VSHWIN32.EXE'
'VSISETUP.EXE'
'VSMAIN.EXE'
'VSMON.EXE'
'VSSTAT.EXE'
'VSWIN9XE.EXE'
'VSWINNTSE.EXE'
'VSWINPERSE.EXE'
'W32DSM89.EXE'
'W9X.EXE'
'WATCHDOG.EXE'
'WEBDAV.EXE'
'WEBSCANX.EXE'
'WEBTRAP.EXE'
'WFINDV32.EXE'
'WGFE95.EXE'
'WHOSWATCHINGME.EXE'
'WIMMUN32.EXE'
'WIN-BUGSFIX.EXE'
'WIN32.EXE'
'WIN32US.EXE'
'WINACTIVE.EXE'
'WINDOW.EXE'
'WINDOWS.EXE'
'WININETD.EXE'
'WININIT.EXE'
'WININITX.EXE'
'WINLOGIN.EXE'
'WINMAIN.EXE'
'WINNET.EXE'
'WINPPR32.EXE'
'WINRECON.EXE'
'WINSERVN.EXE'
'WINSSK32.EXE'
'WINSTART.EXE'
'WINSTART001.EXE'
'WINTSK32.EXE'
'WINUPDATE.EXE'
'WKUFIND.EXE'
'WNAD.EXE'
'WNT.EXE'
'WRADMIN.EXE'
'WRCTRL.EXE'
'WSBGATE.EXE'
'WUPDATER.EXE'
'WUPDT.EXE'
'WYVERNWORKSFIREWALL.EXE'
'XPF202EN.EXE'
'ZAPRO.EXE'
'ZAPSETUP3001.EXE'
'ZATUTOR.EXE'
'ZONALM2601.EXE'
'ZONEALARM.EXE'
