Sophos

W32/Agobot-LM


Summary

Protection available since 3 August 2004 05:24:13 (GMT)
Detected by All Sophos products

Action

Please follow the instructions for removing worms.

You will also need to edit the following registry entries, if present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
lsas = lsas.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
lsas = lsas.exe

and delete them if they exist.

Close the registry editor.

  • Replace the Hosts file from a backup or edit it in Notepad to remove the changes that the Trojan has made.
  • Check your administrator passwords and review network security.

More Information

W32/Agobot-LM is an IRC backdoor Trojan and network worm which establishes an IRC channel to a remote server in order to grant an intruder access to the compromised computer.

This worm will move itself into the Windows System folder under the filename LSAS.EXE and may create the following registry entries so that it can run automatically on Windows login:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
lsas = lsas.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
lsas = lsas.exe

On NT-based versions of Windows the worm creates a new service named "lsas" with the startup type set to automatic, so that the service starts each time Windows is started.

W32/Agobot-LM may attempt to terminate anti-virus and other security-related processes and services, in addition to other viruses, worms or Trojans.

A text file named HOSTS in \drivers\etc\ may be created or overwritten with a list of anti-virus and other security-related websites, each bound to the IP loopback address 127.0.0.1, which effectively prevents access to these sites (including anti-virus updates) from the infected computer.

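As an added example (not Sophos' code), the following Python check parses hosts-file text and reports any entry that binds a security-vendor domain to a loopback address, which is the tampering described above; the vendor watch-list is an assumption drawn from the advisory's description and should be extended for your own environment.

```python
"""Flag security-vendor domains that a hosts file binds to loopback.
Added example, not Sophos' code: W32/Agobot-LM overwrites the HOSTS file so
that anti-virus sites resolve to 127.0.0.1; this check reports such entries.
"""
import ipaddress
import re

# Watch-list of vendor domains (an assumption for this example; extend it).
WATCHED_DOMAINS = {"sophos.com", "symantec.com", "mcafee.com", "f-secure.com",
                   "kaspersky.com", "avp.com", "nai.com", "ca.com", "trendmicro.com"}

def is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8 or ::1; False for anything that is not an IP."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False

def matches_watchlist(hostname: str) -> bool:
    """Match the domain itself or any subdomain (www.sophos.com -> sophos.com)."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)

def find_sinkholed(hosts_text: str) -> list:
    """Return (line_no, address, hostname) for each watched host bound to loopback."""
    hits = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # strip comments and whitespace
        if not line:
            continue
        addr, *names = re.split(r"\s+", line)    # one address, one or more names
        if not is_loopback(addr):
            continue
        for name in names:
            if matches_watchlist(name):          # localhost never matches the list
                hits.append((line_no, addr, name))
    return hits

# Constructed sample hosts file: one benign line, two tampered ones, one unrelated.
SAMPLE_HOSTS = """# constructed sample, not a real hosts file
127.0.0.1       localhost
127.0.0.1 www.sophos.com
127.0.0.1 liveupdate.symantec.com   # added by the worm
10.0.0.5  intranet.example.local
"""

if __name__ == "__main__":
    for line_no, addr, name in find_sinkholed(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {addr} (security site sinkholed)")
```

On a real machine, read the file under the Windows system folder at drivers\etc\hosts and pass its text to find_sinkholed; every hit is a line to remove or restore from backup.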

W32/Agobot-LM can also be used to initiate denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks against remote computers.

This worm can steal the Windows Product ID and keys from several computer applications or games.

When memory-resident, W32/Agobot-LM hides files whose names start with the word 'Sound' from the user. Once the worm is no longer in memory, the user is able to see and search for these files again.
