W32/Agobot-AAW

Aliases	W32/Gaobot.worm.gen.t
Category	Viruses and Spyware
Type	Worm
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


How it spreads	Network shares
Affected operating systems	Windows
Protection available since	13 December 2004 14:22:12 (GMT)
Detected by	All Sophos products

Free virus scan
Download the Threat Detection Test

Free virus, spyware, and adware scan
Test your existing anti-virus protection
Find threats your anti-virus missed

Action

Summary
Action
More Information

Please follow the instructions for removing worms.

Replace the Hosts file from a backup or edit it in Notepad to remove the changes that the worm has made.

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
VirOsvc
vmsvc32.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
VirOsvc
vmsvc32.exe

and delete them if they exist.

Close the registry editor.

More Information

Summary
Action
More Information

W32/Agobot-AAW is a network worm with a backdoor Trojan component.

W32/Agobot-AAW is capable of spreading to computers on the local network protected by weak passwords after receiving the appropriate backdoor command.

W32/Agobot-AAW can also spread by exploiting the DCOM (MS04-012) vulnerability.

When first run, W32/Agobot-AAW copies itself to the Windows system folder as VMSVC32.EXE and runs this copy of the worm. The copy will then attempt to delete the original file. In order to run each time a user logs on, W32/Agobot-AAW will set the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
VirOsvc
vmsvc32.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
VirOsvc
vmsvc32.exe

The worm runs continuously in the background providing backdoor access to the computer.

W32/Agobot-AAW will append the HOSTS file in the <SYSTEM>\drivers\etc folder. The file contains a list of websites each bound to the IP loopback address. This prevents access to a list of anti-virus and security related websites. For example,

127.0.0.1 sophos.com
127.0.0.1 www.sophos.com

W32/Agobot-AAW is capable of testing the available bandwidth by attempting to GET or POST data to the following websites:

yahoo.co.jp
www.nifty.com
www.d1asia.com
www.st.lib.keio.ac.jp
www.lib.nthu.edu.tw
www.above.net
www.level3.com
nitro.ucsc.edu
www.burst.net
www.cogentco.com
www.rit.edu
www.nocster.com
www.verio.com
www.stanford.edu
www.xo.net
de.yahoo.com
www.belwue.de
www.switch.ch
www.1und1.de
verio.fr
www.utwente.nl
www.schlund.net

The backdoor component of W32/Agobot-AAW may be used to:

Initiate Denial of Service (DOS) attacks.
Redirect GRE, TCP, HTTP, HTTPS, SOCKS4 and SOCKS5 traffic.
Download, upload, delete and execute files.
Set up an FTP file server.
Steal passwords (including PayPal account information).
List and kill processes.
Stop, start, pause and delete services.
Modify the registry.
Open and close vulnerabilities.
Port scan for vulnerabilities on other remote computers.
Flush the DNS cache.
Log keyboard presses.
Shut down and reboot the computer.
Add and delete network shares, groups and users.
Sniff network traffic for passwords.

W32/Agobot-AAW may alter the following registry entry in order to enable/disable DCOM:

HKLM\Software\Microsoft\Ole\EnableDCOM

W32/Agobot-AAW is capable of adding and deleting the C$, D$, E$, IPC$ and ADMIN$
network shares.

W32/Agobot-AAW may steal the Windows Product ID and keys from several computer
applications or games including:

AOL Instant Messenger
Battlefield 1942
Battlefield 1942: Secret Weapons of WWII
Battlefield 1942: The Road To Rome
Battlefield 1942: Vietnam
Black and White
Call of Duty
Command and Conquer: Generals
Command and Conquer: Generals: Zero Hour
Command and Conquer: Red Alert 2
Command and Conquer: Tiberian Sun
Counter-Strike
FIFA 2002
FIFA 2003
Freedom Force
Global Operations
Gunman Chronicles
Half-Life
Hidden and Dangerous 2
IGI2: Covert Strike
Industry Giant 2
James Bond 007: Nightfire
Medal of Honor: Allied Assault
Medal of Honor: Allied Assault: Breakthrough
Medal of Honor: Allied Assault: Spearhead
Nascar Racing 2002
Nascar Racing 2003
Need For Speed: Hot Pursuit 2
Need For Speed: Underground
Neverwinter Nights
NHL 2002
NHL 2003
Rainbow Six III RavenShield
Shogun: Total War: Warlord Edition
Soldiers Of Anarchy
Soldier Of Fortune 2 - Double Helix
The Gladiators
Unreal Tournament 2003
Unreal Tournament 2004

W32/Agobot-AAW will attempt to terminate a number of anti-virus and security related processes in addition to other viruses, worms and Trojans.

Get reports about the latest virus and spyware threats delivered to your computer

In this section

W32/Agobot-AAW

Summary

Action

More Information