Summary

| Field | Value |
|---|---|
| How it spreads | |
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 13 October 2004 11:10:11 (GMT) |
| Detected by | All Sophos products: Endpoint Security and Control 9.0, Small business solutions 4.0 |
Action
Please follow the instructions for removing worms.
More Information
W32/Agobot-NF is an IRC backdoor Trojan and network worm.
W32/Agobot-NF spreads to network shares with weak passwords and via network security vulnerabilities including the RPC-DCOM (MS04-012), WebDav (MS03-007), DameWare (CAN-2003-1030) and Workstation service (MS03-049) vulnerabilities.
When first run, W32/Agobot-NF copies itself to the Windows system folder as unninst32.exe and creates the following registry entries to ensure it is run at system logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
svwin32 = unninst32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
svwin32 = unninst32.exe
Each time W32/Agobot-NF is run it attempts to connect to a remote IRC server and join a specific channel. The worm then runs in the background, allowing a remote intruder to issue commands which control the computer via IRC channels.
W32/Agobot-NF will terminate and disable various anti-virus and security related programs.
W32/Agobot-NF can download and execute remote files on the infected computer, retrieve information such as CD keys for popular games and flood other computers with network packets.
W32/Agobot-NF writes lines to the HOSTS file so that various internet sites can no longer be accessed.
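A defender-side check for the HOSTS tampering described above, added here as an example and not part of the original Sophos analysis: it parses HOSTS content and flags any hostname (other than the standard localhost aliases) that has been pointed at a loopback or unspecified address. The sample HOSTS text and the vendor names in it are constructed for the example.

```python
import ipaddress
from typing import List, Tuple

# Hostnames that legitimately map to loopback in a stock HOSTS file.
LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed HOSTS content standing in for a file modified the way the
# analysis describes: security vendor sites redirected to 127.0.0.1.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 www.mcafee.com   # trailing comment
0.0.0.0   update.example-av.test
192.168.1.10 fileserver
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, skipping blanks, comments and bad IPs."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop inline comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # not a well-formed address; ignore the line
        for name in fields[1:]:
            pairs.append((ip, name.lower()))
    return pairs


def find_blackholed_hosts(text: str) -> List[str]:
    """Hostnames sent to a loopback or unspecified address that are not the
    usual localhost aliases. Such entries silently break access to the site,
    which is how the worm blocks anti-virus vendor pages and updates."""
    flagged = []
    for ip, name in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if (addr.is_loopback or addr.is_unspecified) and name not in LEGIT_LOOPBACK_NAMES:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for host in find_blackholed_hosts(SAMPLE_HOSTS):
        print("blackholed:", host)
```

On a live system, read the contents of `%SystemRoot%\System32\drivers\etc\hosts` and pass them to `find_blackholed_hosts` instead of the constructed sample.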
Sophos anti-virus products since version 3.86 have been capable of detecting this worm as W32/Agobot-Fam without requiring an update.
