high
Summary
Summary
Action- More Information
| Protection available since | 11 May 2004 11:15:46 (GMT) |
|---|---|
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
Check your administrator passwords and review network security.
Change any data that may have become compromised.
Replace the Hosts file from a backup or edit it in Notepad to remove the changes that the worm has made.
You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
soundman = soundman.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
soundman = soundman.exe
and delete them if they exist.
Close the registry editor.
More Information
W32/Agobot-KH is a member of the W32/Agobot family of worms with a
backdoor component.
In order to run automatically when Windows starts up the worm copies itself to
the file soundman.exe in the Windows system folder and adds the following
registry entries pointing to this file:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
soundman = soundman.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
soundman = soundman.exe
The worm also registers itself as the service proces soundman.
W32/Agobot-KH spreads by scanning for machines infected with common backdoors such as Bagle, MyDoom or Optix-Pro or vulnerable to various vulnerabilities of services running on the Microsoft Windows operating system platform, such as DCOM/RPC, WebDAV, Universal PnP, Workstation Service or RPC Locator. The worm is also able to spread on weakly protected network
shares.
W32/Agobot-KH has extensive backdoor functionality that allows an attacker
to remotely control an infected computer via the IRC network. Among the functionality is the following:
the ability to log usernames and passwords transmitted over common
networking protocols such as FTP, HTTP, SSH or IRC,
download files via HTTP and FTP,
execute arbitrary commands,
get system information,
harvest email addresses and license keys for popular applications,
capture screenshots,
remove files,
create or remove registry entries,
shut down or reboot the computer,
kill processes,
upload files,
launch various denial-of-service attacks against a remote target,
open proxy relays for various networking protocols such as TCP, HTTP, HTTPS,
GRE or SOCKS.
As with other variants of the W32/Agobot family W32/Agobot-KH may attempt
to disable various monitoring and anti-virus related processes.
The worm also modifies the file drivers\etc\hosts in the Windows system folder
to prevent name resolution of Anti-Virus related websites
|
